
Re: [nssldap] lookup delay using nss_ldap with Active Directory

Thanks for the reply,

> Are you also using nscd? We have run into issues with nscd timing out, then
> the command like id will try the ldapsearch itself.

No, nscd is not being used anywhere in my environment, at least as far as I can
tell:

$ /etc/init.d/nscd status
nscd is stopped

> I thought these should all be on one line:
>
> uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com ldap://ad3.production.domain.com

Unfortunately, this didn't make a difference for me (performance-wise), but
perhaps it matters for fail-over functionality to work?

I also tried using ldap://ip.nu.mb.er and I tried the "host IP" format:

host 10.1.2.11 10.1.2.12 10.1.2.13

There was no difference in performance between these syntax variations.


Note that I am mapping the attribute uid to sAMAccountName - I read here
[1] that this can improve performance because uid is not indexed by default
in Active Directory, but sAMAccountName is. It is true; the same "id
jnilsson" command above used to take 5-10 minutes when I did not map uid
to sAMAccountName.

[1] http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/


Is it possible that it is an indexing issue with Active Directory? Have other people had to make modifications to the Active Directory Schema to index additional attributes, such as "uid", "member" or "objectclass"?

Or if anyone has any other ideas/comments/pointers, that'd be great!

--
Jonathan
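An added example (not the poster's configuration and not shipped by the nss_ldap project) of the /etc/ldap.conf fragment this thread is about: the wrapped uri line beside the single-line form that nss_ldap actually parses, the uid to sAMAccountName mapping, and timeouts that bound how long an unreachable domain controller can stall each lookup. The host names are the ones quoted in the message; the base DN and the timeout values are assumptions.

```conf
# Added example /etc/ldap.conf fragment for nss_ldap against Active Directory.
# Not the poster's file; base DN and timeout values are illustrative.

# Problem form: nss_ldap has no line continuation, so the second line has no
# keyword and ad3 is never added to the server list.
#uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com
#ldap://ad3.production.domain.com

# Correct form: every server on the one "uri" line, tried in this order on failure.
uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com ldap://ad3.production.domain.com

# Search base (assumed; replace with the domain's DN).
base dc=production,dc=domain,dc=com
nss_base_passwd cn=Users,dc=production,dc=domain,dc=com?sub

# Map the POSIX schema onto AD. Searching on sAMAccountName instead of uid
# keeps the lookup on an attribute the domain controller indexes by default.
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member

# Cap the time a lookup can hang on a dead server before nss_ldap moves to the
# next uri (nss_ldap defaults both limits to 30 seconds; 5 and 10 are assumptions).
bind_timelimit 5
timelimit 10
nss_reconnect_tries 2
```

With the servers on one line, a lookup that cannot bind to ad1 falls over to ad2 within bind_timelimit seconds; with the wrapped form there is nothing to fall over to once ad1 and ad2 are gone, and an outage of both appears to the client as every "id" call taking the full timeout.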