Re: [nssldap] lookup delay using nss_ldap with Active Directory

Klaus Steinberger wrote:
> Hi Jonathan,
> 
>>> Are you also using nscd? We have run into issues with nscd timing out,
>>> then
>>> the command like id will try the ldapsearch itself.
>> No, nscd is not being used anywhere in my environment, at least as far
>> as I can
>> tell:
>>
>> $ /etc/init.d/nscd status
>> nscd is stopped
> 
> You should definitely give nscd a try. Caching is essential. It makes a big
> difference.

I disagree. Caching is only necessary when your server can't keep up
with the workload, which will happen in large environments, or with slow
servers.

nscd is not a very reliable piece of code. From my own experience, when
a server goes down, nscd won't always fail over to another server
properly. Turning off nscd has fixed this problem in the past. I also
had a couple of other problems where entire systems were rendered useless
because nscd locked up, preventing anyone other than root from logging in.

But don't take just my word for it. nscd is so unreliable, the
developers saw the need to add the "paranoia" and "restart" features.
From the nscd.conf man page:

paranoia <yes|no>
    Enabling paranoia mode causes nscd to  restart itself periodically.

restart-interval time
    Sets the restart interval to time seconds if periodic restart is
    enabled by enabling paranoia mode.

Any well-behaved piece of code wouldn't need such features.

Now for a disclaimer: I do run nscd myself, because it's a good
practice. However, when otherwise healthy systems lock up because of one
basic daemon, or failover to another server doesn't work as advertised,
it can be very frustrating. Where I work, we are considering turning off
nscd on all of our systems due to a recent series of problems that were
all traced back to nscd.

> 
>> Is it possible that it is an indexing issue with Active Directory? Have
>> other people had to make modifications to the Active Directory Schema to
>> index additional attributes, such as "uid", "member" or "objectclass"?
> 
> An index on uid, member, uidNumber, gidNumber would help.
> 
> Sincerely,
> Klaus

-- 
Prentice