lists.arthurdejong.org

Re: [nssldap] lookup delay using nss_ldap with Active Directory

Hi,
I have some suggestions:
1. Check for any MTU differences between your production and test environments. 
This may account for the long delays when using production, particularly if 
they are on different networks.
2. I vaguely remember having to enable or disable referrals in LDAP client 
/etc/ldap.conf (I can't remember which, I'll check when I get home)
3. Enable debugging in nss_ldap so you can see what it's doing.
4. Check the changelogs for the two versions you're using. I believe that 264 
contains significant performance improvements for AD. This may account for 
prod/dev differences.
--
Best Regards,
Brett
Sent from my mobile

--- original message ---
From: "Jonathan Nilsson" <jnilsson@uci.edu>
Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
Date: 8th May 2010
Time: 3:48:23 am


Thanks for the reply,

> Are you also using nscd? We have run into issues with nscd timing out, then
> the command like id will try the ldapsearch itself.

No, nscd is not being used anywhere in my environment, at least as far as I can
tell:

$ /etc/init.d/nscd status
nscd is stopped

> I thought these should all be on one line:
>
> uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com
> ldap://ad3.production.domain.com

Unfortunately, this didn't make a difference for me (performance-wise), but
perhaps it matters for fail-over functionality to work?

I also tried using ldap://ip.nu.mb.er and I tried the "host IP" format:

host 10.1.2.11 10.1.2.12 10.1.2.13

There was no difference in performance between these syntax variations.

>>
>> Note that I am mapping the attribute uid to sAMAccountName - I read here
>> [1] that this can improve performance because uid is not indexed by default
>> in Active Directory, but sAMAccountName is. It is true; the same "id
>> jnilsson" command above used to take 5-10 minutes when I did not map uid
>> to sAMAccountName.
>>
>> [1]
>> http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
>>

Is it possible that it is an indexing issue with Active Directory? Have other 
people had to make modifications to the Active Directory Schema to index 
additional attributes, such as "uid", "member" or "objectclass"?

Or if anyone has any other ideas/comments/pointers, that'd be great!

--
Jonathan
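
An illustrative /etc/ldap.conf for nss_ldap against Active Directory that pulls together the points raised in this thread (all servers on one uri line, uid mapped to sAMAccountName, referrals, timeouts and debugging). This is an added example, not a configuration posted by either participant; the hostnames, base DN and bind account are placeholders, and the debug option syntax should be checked against the ldap.conf shipped with your nss_ldap version.

```conf
# Added example, not from the thread: a minimal nss_ldap /etc/ldap.conf for
# Active Directory. Hostnames, base DN and bind account are placeholders.

# All servers on ONE uri line so nss_ldap can fail over between them
uri ldap://ad1.example.com ldap://ad2.example.com ldap://ad3.example.com
ldap_version 3
base dc=example,dc=com

# AD does not allow anonymous searches; bind as a low-privilege read-only
# account. Keep the password out of world-readable ldap.conf by using
# rootbinddn with /etc/ldap.secret (mode 0600) instead of bindpw.
rootbinddn cn=nssreader,cn=Users,dc=example,dc=com

# Fail fast on an unreachable server instead of hanging the lookup
bind_timelimit 5
timelimit 10

# AD hands back referrals for other naming contexts (DomainDnsZones etc.);
# chasing them costs extra DNS lookups and connections on every query
referrals no

# Search only the containers that hold POSIX-enabled accounts
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_group  cn=Users,dc=example,dc=com?sub

# Schema mapping: AD indexes sAMAccountName but not uid, so the filter
# (sAMAccountName=jnilsson) becomes an indexed lookup rather than a scan
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute   uid          sAMAccountName
nss_map_attribute   uniqueMember member

# AD returns at most 1000 entries per result page; request paging
pagesize 1000

# Temporary, while diagnosing the delay: log what nss_ldap is doing
# (assumed option; confirm the name and level in your ldap.conf)
debug 1
```

With this in place, timing `id jnilsson` and `getent passwd jnilsson` before and after toggling `referrals` and the uid mapping isolates which change accounts for the delay.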

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________