[nssldap] lookup delay using nss_ldap with Active Directory

Hello,

I have a Windows Server 2003 R2 domain with some CentOS 5.4 and Fedora 12
clients.  I was successful in setting up nss_ldap for account information
and Kerberos for authentication in a test environment.

However, when I made the same changes on my production servers, certain
operations seem to take forever!  For example, "id <username>" takes between
20 and 30 seconds.

[08:59 root@fedora ~]$ time id jnilsson
uid=10360(jnilsson) gid=10004(webSSCS)
groups=10004(webSSCS),10063(webEcontest)

real    0m26.077s
user    0m0.009s
sys     0m0.019s

But "getent" operations are much faster (though still slower than in my test
environment, which has consistent < 1 second response time):

[09:00 root@fedora ~]$ time getent passwd jnilsson
jnilsson:*:10360:10004:Jonathan Nilsson:/u/nas/jnilsson:/bin/bash

real    0m3.025s
user    0m0.002s
sys     0m0.003s

[09:02 root@fedora ~]$ time getent group webSSCS
webSSCS:*:10004:jnilsson,other,users,hidden

real    0m3.059s
user    0m0.008s
sys     0m0.002s

Here is my /etc/ldap.conf:
--
base dc=production,dc=domain,dc=com
uri ldap://ad1.production.domain.com
uri ldap://ad2.production.domain.com
uri ldap://ad3.production.domain.com
ldap_version 3
binddn ssldap
bindpw <stripped>
scope sub
timelimit 7
idle_timelimit 30
bind_timelimit 3
bind_policy soft
pam_filter objectclass=User
pam_login_attribute sAMAccountName
ssl no
nss_base_passwd dc=ss2k,dc=uci,dc=edu?sub
nss_base_shadow dc=ss2k,dc=uci,dc=edu?sub
nss_base_group dc=ss2k,dc=uci,dc=edu?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember memberOf
nss_map_attribute uid sAMAccountName
--

Note that I am mapping uniqueMember to "memberOf" instead of "member"
because we have nested groups in Active Directory and memberOf seems to
return just the groups that I am a direct member of, but using the attribute
member returns the fully expanded list of groups that I am an indirect
member of.

Note that I am mapping the attribute uid to sAMAccountName - I read here [1]
that this can improve performance because uid is not indexed by default in
Active Directory, but sAMAccountName is.  It is true; the same "id jnilsson"
command above used to take 5-10 minutes when I did not map uid to
sAMAccountName.

[1] http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

Here is the strangest thing:  I set up a second CentOS 5.4 client in my
production domain, using the exact same /etc/ldap.conf, and there I get fast
response times!  Here are the versions of nss_ldap I'm using:

CentOS 5.4 - nss_ldap-253-22.el5_4
Fedora 12 - nss_ldap-264-8.fc12.i686

Thanks in advance for any help!
--
Jonathan
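As an added illustration (not part of Jonathan's mail or of nss_ldap itself): a small parser for the ldap.conf format shown above, splitting each nss_base_<map> value into its base?scope?filter fields and deriving the worst-case time a single lookup can spend on the configured timeouts, which is handy when comparing two hosts that are supposed to run the same file. The sample config is a constructed, trimmed copy of the one in the post; the nss_ldap defaults used for a missing bind_timelimit or timelimit are assumptions.

```python
# Constructed sample: the post's ldap.conf trimmed to the directives that drive lookups.
# nss_ldap reads one directive per line, so the nss_base_group entry is a single line.
SAMPLE_LDAP_CONF = """\
uri ldap://ad1.production.domain.com
uri ldap://ad2.production.domain.com
uri ldap://ad3.production.domain.com
scope sub
timelimit 7
bind_timelimit 3
nss_base_passwd dc=ss2k,dc=uci,dc=edu?sub
nss_base_group dc=ss2k,dc=uci,dc=edu?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember memberOf
"""

def parse_ldap_conf(text):
    """Parse nss_ldap's ldap.conf; nss_base_<map> values have the form base?scope?filter."""
    cfg = {"uri": [], "nss_base": {}, "map_attr": {}, "map_oc": {}, "opts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "uri":                      # several uri lines (or one with spaces) are tried in order
            cfg["uri"].extend(value.split())
        elif key.startswith("nss_base_"):     # scope and filter fields may be absent
            base, scope, filt = (value.split("?") + ["", ""])[:3]
            cfg["nss_base"][key[len("nss_base_"):]] = (base, scope, filt)
        elif key in ("nss_map_attribute", "nss_map_objectclass"):
            src, dst = value.split()
            cfg["map_attr" if key == "nss_map_attribute" else "map_oc"][src] = dst
        else:
            cfg["opts"][key] = value
    default_scope = cfg["opts"].get("scope", "sub")   # per-map scope falls back to the global one
    for name, (base, scope, filt) in cfg["nss_base"].items():
        cfg["nss_base"][name] = (base, scope or default_scope, filt)
    return cfg

def lookup_budget(cfg):
    """Worst-case seconds one NSS lookup may wait, derived from the timeouts (defaults assumed)."""
    bind = int(cfg["opts"].get("bind_timelimit", 30))   # assumed nss_ldap default
    search = int(cfg["opts"].get("timelimit", 0))       # 0 means no search time limit
    return {"connect_all_servers": len(cfg["uri"]) * bind,  # each listed uri may time out in turn
            "per_search": search,
            "uid_attribute": cfg["map_attr"].get("uid", "uid")}  # unindexed in AD unless remapped
```

With the post's values this yields a 9 second ceiling just for binding across the three servers plus a 7 second limit per search, which is a useful baseline when the two hosts' configs are diffed against each other.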