Re: [nssldap] lookup delay using nss_ldap with Active Directory
- From: Jonathan Nilsson <jnilsson [at] uci.edu>
- To: nssldap [at] padl.com
- Cc: "Douglas E. Engert" <deengert [at] anl.gov>
- Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
- Date: Fri, 07 May 2010 19:03:38 -0700
Thanks for the reply,

> Are you also using nscd? We have run into issues with nscd timing out, then
> the command like id will try the ldapsearch itself.

No, nscd is not being used anywhere in my environment, at least as far as I can
tell:

  $ /etc/init.d/nscd status
  nscd is stopped

> I thought these should all be on one line:
> uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com ldap://ad3.production.domain.com

Unfortunately, this didn't make a difference for me (performance-wise), but
perhaps it matters for fail-over functionality to work?

I also tried using ldap://ip.nu.mb.er and I tried the "host IP" format:

  host 10.1.2.11 10.1.2.12 10.1.2.13

There was no difference in performance between these syntax variations.

Note that I am mapping the attribute uid to sAMAccountName - I read here
[1] that this can improve performance because uid is not indexed by default
in Active Directory, but sAMAccountName is. It is true; the same "id
jnilsson" command above used to take 5-10 minutes when I did not map uid
to sAMAccountName.

[1] http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

Is it possible that it is an indexing issue with Active Directory? Have other
people had to make modifications to the Active Directory Schema to index
additional attributes, such as "uid", "member" or "objectclass"?

Or if anyone has any other ideas/comments/pointers, that'd be great!

--
Jonathan
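
An added example, not part of the original message and not code from the poster or from nss_ldap: a small checker for the two ldap.conf points raised in this thread, a server list wrapped onto a second line and a uid attribute left unmapped to sAMAccountName. The sample file is constructed, and treating a line that starts with a bare ldap:// URI as detached from the uri keyword is an assumption made for this check.

```python
import re

# Constructed sample ldap.conf (hostnames taken from the message): the uri list
# has wrapped onto a second line and uid is left unmapped.
SAMPLE_CONF = """\
uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com
ldap://ad3.production.domain.com
nss_map_attribute uniqueMember member
"""

URI_RE = re.compile(r"ldaps?://", re.IGNORECASE)


def parse_conf(text):
    """Split the file into (lineno, keyword, args) directives and keyword-less URI lines."""
    directives, orphans = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if URI_RE.match(parts[0]):
            orphans.append(lineno)  # assumption: not read as part of the uri list
        else:
            directives.append((lineno, parts[0].lower(), parts[1:]))
    return directives, orphans


def servers(text):
    """Servers that are actually attached to a 'uri' or 'host' keyword."""
    directives, _ = parse_conf(text)
    return [a for _, key, args in directives if key in ("uri", "host") for a in args]


def lint(text):
    """Return findings for the two issues raised in the thread."""
    directives, orphans = parse_conf(text)
    findings = [f"line {n}: server URI with no keyword, join it onto the uri line"
                for n in orphans]
    maps = {args[0].lower(): args[1].lower()
            for _, key, args in directives
            if key == "nss_map_attribute" and len(args) == 2}
    if maps.get("uid") != "samaccountname":
        findings.append("uid is not mapped to sAMAccountName (nss_map_attribute uid sAMAccountName)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```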