[nssldap] lookup delay using nss_ldap with Active Directory
- From: "jon.sscs.uci" <jnilsson [at] uci.edu>
- To: nssldap [at] padl.com
- Subject: [nssldap] lookup delay using nss_ldap with Active Directory
- Date: Fri, 7 May 2010 09:33:43 -0700 (PDT)
Hello,
I have a Windows Server 2003 R2 domain with some CentOS 5.4 and Fedora 12
clients. I was successful in setting up nss_ldap for account information
and Kerberos for authentication in a test environment.
However, when I made the same changes on my production servers, certain
operations seem to take forever! For example, "id <username>" takes between
20 and 30 seconds.
[08:59 root@fedora ~]$ time id jnilsson
uid=10360(jnilsson) gid=10004(webSSCS)
groups=10004(webSSCS),10063(webEcontest)
real 0m26.077s
user 0m0.009s
sys 0m0.019s
But "getent" operations are much faster (though still slower than in my test
environment, which has consistent < 1 second response time):
[09:00 root@fedora ~]$ time getent passwd jnilsson
jnilsson:*:10360:10004:Jonathan Nilsson:/u/nas/jnilsson:/bin/bash
real 0m3.025s
user 0m0.002s
sys 0m0.003s
[09:02 root@fedora ~]$ time getent group webSSCS
webSSCS:*:10004:jnilsson,other,users,hidden
real 0m3.059s
user 0m0.008s
sys 0m0.002s
Here is my /etc/ldap.conf:
--
base dc=production,dc=domain,dc=com
uri ldap://ad1.production.domain.com
uri ldap://ad2.production.domain.com
uri ldap://ad3.production.domain.com
ldap_version 3
binddn ssldap
bindpw <stripped>
scope sub
timelimit 7
idle_timelimit 30
bind_timelimit 3
bind_policy soft
pam_filter objectclass=User
pam_login_attribute sAMAccountName
ssl no
nss_base_passwd dc=ss2k,dc=uci,dc=edu?sub
nss_base_shadow dc=ss2k,dc=uci,dc=edu?sub
nss_base_group dc=ss2k,dc=uci,dc=edu?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember memberOf
nss_map_attribute uid sAMAccountName
--
Note that I am mapping uniqueMember to "memberOf" instead of "member"
because we have nested groups in Active Directory and memberOf seems to
return just the groups that I am a direct member of, but using the attribute
member returns the fully expanded list of groups that I am an indirect
member of.
Note that I am mapping the attribute uid to sAMAccountName - I read here [1]
that this can improve performance because uid is not indexed by default in
Active Directory, but sAMAccountName is. It is true; the same "id jnilsson"
command above used to take 5-10 minutes when I did not map uid to
sAMAccountName.
[1] http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
Here is the strangest thing: I set up a second CentOS 5.4 client in my
production domain, using the exact same /etc/ldap.conf, and there I get fast
response times! Here are the versions of nss_ldap I'm using:
CentOS 5.4 - nss_ldap-253-22.el5_4
Fedora 12 - nss_ldap-264-8.fc12.i686
Thanks in advance for any help!
--
Jonathan
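An added example, not from the post or from nss_ldap itself: it turns the nss_base_* and nss_map_* settings above into the filter nss_ldap sends for a by-name passwd or group lookup and the equivalent ldapsearch command, so the 26-second "id" can be timed as a bare directory query (and the cost of an unindexed attribute isolated) without the NSS client in the path. It assumes nss_ldap's default by-name filter shapes and the way it ANDs the nss_base_* filter onto them, as noted in the comments.

```python
import shlex

# Constructed excerpt of the /etc/ldap.conf from the post (bindpw omitted).
LDAP_CONF = """\
base dc=production,dc=domain,dc=com
uri ldap://ad1.production.domain.com
binddn ssldap
nss_base_passwd dc=ss2k,dc=uci,dc=edu?sub
nss_base_group dc=ss2k,dc=uci,dc=edu?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
"""
# Assumption: schema objectclass/attribute nss_ldap uses for by-name lookups.
LOOKUPS = {"passwd": ("posixAccount", "uid"), "group": ("posixGroup", "cn")}

def parse_ldap_conf(text):
    """Collect the nss_ldap keywords that shape a search; others are kept verbatim."""
    conf = {"nss_base": {}, "map_at": {}, "map_oc": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.startswith("nss_base_"):  # value is base?scope?filter
            parts = value.split("?", 2) + ["", ""]
            conf["nss_base"][key[9:]] = (parts[0], parts[1] or "sub", parts[2])
        elif key in ("nss_map_attribute", "nss_map_objectclass"):
            schema, ad = value.split()
            conf["map_at" if key == "nss_map_attribute" else "map_oc"][schema] = ad
        else:
            conf.setdefault(key, value)  # first occurrence wins (e.g. several uri lines)
    return conf

def nss_filter(conf, db, name):
    """Filter sent for a by-name lookup in db ('passwd' or 'group'), maps applied."""
    oc, at = LOOKUPS[db]
    core = "(&(objectClass=%s)(%s=%s))" % (
        conf["map_oc"].get(oc, oc), conf["map_at"].get(at, at), name)
    extra = conf["nss_base"].get(db, ("", "", ""))[2]
    # Assumption: nss_ldap ANDs the nss_base_* filter onto the core one, adding its
    # own parentheses around the configured text (so "&(...)(...)" is acceptable).
    return "(&%s(%s))" % (core, extra) if extra else core

def ldapsearch_cmd(conf, db, name):
    """Equivalent ldapsearch invocation, so the query can be timed on its own."""
    base, scope, _ = conf["nss_base"].get(db, (conf["base"], "sub", ""))
    args = ["ldapsearch", "-x", "-H", conf["uri"], "-D", conf["binddn"], "-W",
            "-b", base, "-s", scope, nss_filter(conf, db, name)]
    return " ".join(shlex.quote(a) for a in args)
```

Run the printed command under "time" against each of the three URIs in turn; if it is slow only on some controllers, or only for the group query, the delay is in the directory (indexing, referrals, a lagging DC) rather than in the client's nss_ldap, DNS or nscd setup.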