nslcd and nscd

[Arnau <listsarnau [at] gmail.com>]

Hi all,

some processes in my system triggers a nslcd query with "group(all)":

[...]

nslcd: [3c9869] <group(all)> DEBUG: ldap_result(): end of results (0 total)

[...]

In our environment a "group all" query takes minutes (cause we use nested groups and we have a huge list of groups), so I'm wondering if there is a way to tell nslcd to pass that query to nscd (in other words, why is group=(all) not being served by nscd?)

In order to improve nslcd I think that nss_getgrent_skipmembers / nss_disable_enumeration could improve the performance of the service. Could someone give me some feedback (pros/cons) about those options? In both cases the man page says :" This option is not recommended for most configurations."

Also, I have a question about nslcd cache: the man page does not say too much about it's size, how many entries it can keep, etc...can it beahve as a replacement of nscd?

nss-pam-ldapd-0.9.6-5.el6.x86_64 / nscd-2.12-1.149.el6_6.5.x86_64 

SL 6.5

uri ldap://ldap:3268

log /tmp/log debug

base XXXX

binddn YYY

bindpw ZZZZ

scope sub

bind_timelimit 30

timelimit 30

idle_timelimit 300

ssl start_tls

tls_reqcert allow

tls_cacertdir /etc/ssl/certs/

pagesize 1000

referrals off

filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

map    passwd uid              sAMAccountName

map    passwd homeDirectory    unixHomeDirectory

map    passwd gecos            displayName

filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

map    shadow uid              sAMAccountName

map    shadow shadowLastChange pwdLastSet

filter group  (&(objectClass=group)(gidNumber=*))

uid nslcd

gid ldap

nss_nested_groups yes

nss_min_uid 500

TIA,

Arnau

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/