Re: [nssldap] Speeding up logins - Groups
- From: "Paul B. Henson" <henson [at] acm.org>
- To: credog <ldap [at] buglecreek.com>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] Speeding up logins - Groups
- Date: Fri, 7 Mar 2008 12:31:52 -0800 (PST)

On Fri, 7 Mar 2008, credog wrote:

> We are running an openldap server and have noticed that when users are
> members of a lot of groups and try to authenticate to an ldap enabled
> system the authentication process is slow. If we comment out the
> "nss_base_group ou=Group,o=xxx.com?one" line in their ldap.conf file the
> process is very fast, but group information is not passed to the system.
> Is it possible to add a search string to the end of the "nss_base_group"
> directive to help speed things up? Or maybe add a nss_map_attribute to
> help?

Do the groups have a lot of members? We had an issue where performance was
poor with groups with large numbers of members; we implemented a patch
(which I believe has been accepted in the current version) to optionally
not request group members when looking up a group.

Add:

    nss_getgrent_skipmembers yes

to your configuration to try that. The initgroups call still correctly
initializes someone's groups, so they are in the right groups when logged
in, but when you list a group itself it simply doesn't display the members.

You should also make sure you have the appropriate indexes...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768