lists.arthurdejong.org
RSS feed

[nssldap] groupOfNames performance

[Date Prev][Date Next] [Thread Prev][Thread Next]

[nssldap] groupOfNames performance



Hi folks,

We are in the process of switching to using AD to store Unix directory information. Due to the size of some of our groups, we have to use the "member" attribute to store the DNs of the members vs. using memberUid.

One issue however is that the enumeration of users' group memberships generates a lot of quires, and takes close to 1 second to complete. We're not entirely sure what the impact will be on our Linux desktop users, other systems that have performance requirements or the AD servers themselves just yet. (By comparison, our current lookups are < .1 seconds.) Nscd of course helps, but it does crash on occasion, and it does need to expire its cache eventually, at which point there could be a hang during the re-enumeration.

One of the things we were wondering about is since we are keeping all of our Unix groups under a single OU, nss_ldap doesn't really need to query each member of a group to determine if it itself is another group -- I'm assuming that's what's going on during the enumeration(?). It could short circuit this traversal if the base DN of the member is not under our group base DN.

Does anyone have any thoughts here?

Any info appreciated.

Thanks,

Cove