Re: [nssldap] lookup delay using nss_ldap with Active Directory

["Douglas E. Engert" <deengert [at] anl.gov>]

Brett Delle Grazie wrote:
> Hi,
> I have some suggestions:
> 1. Check for any MTU differences between your production and test environments. 
> This may account for the long delays when using production. Particularly if 
> they are on different networks.
> 2. I vaguely remember having to enable or disable referrals in LDAP client 
> /etc/ldap.conf (I can't remember which, I'll check when I get home)
> 3. Enable debugging in nss_ldap so you can see what its doing.
> 4. Check the changelogs for the two versions you're using. I believe that 264 
> contains significant performance improvements for AD. This may account for 
> prod/dev differences.

In the first note, you did not indicate if you had a test AD domain, as well as
test clients. AD can support may groups, and this could be the performance
difference you are seeing between id and getent. id will have to lookup the
name of the group given the gidNumber. getent only has to lookup the user.

I should point out we use AD for Kerberos, and separate OpenLDAP servers for
authorization info, but have had issues with another application that tried
to use the AD groups, and ended up reading every group a user was a memberOf
which could take 20 seconds.



> --
> Best Regards,
> Brett
> Sent from my mobile
>
> --- original message ---
> From: "Jonathan Nilsson" <jnilsson@uci.edu>
> Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
> Date: 8th May 2010
> Time: 3:48:23 am
>
>
> Thanks for the reply,
>
> > Are you also using nscd? We have run into issues with nscd timing out, then
> > the command like id will try the ldapsearch itself.
>
> No, nscd is not being used anywhere in my environment, at least as far as I can
> tell:
>
> $ /etc/init.d/nscd status
> nscd is stopped
>
> > I thought these should all be on one line:
> >
> > uri ldap://ad1.production.domain.com ldap://ad2.production.domain.com
> > ldap://ad3.production.domain.com
>
> Unfortunately, this didn't make a difference for me (performance-wise), but
> perhaps it matters for fail-over functionality to work?
>
> I also tried using ldap://ip.nu.mb.er and I tried the "host IP" format:
>
> host 10.1.2.11 10.1.2.12 10.1.2.13
>
> There was no difference in performance between these syntax variations.
>
> > > Note that I am mapping the attribute uid to sAMAccountName - I read here
> > > [1] that this can improve performance because uid is not indexed by default
> > > in Active Directory, but sAMAccountName is. It is true; the same "id
> > > jnilsson" command above used to take 5-10 minutes when I did not map uid
> > > to sAMAccountName.
> > >
> > > [1]
> > > http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
>
> Is it possible that it is an indexing issue with Active Directory? Have other 
> people had to make modifications to the Active Directory Schema to index 
> additional attributes, such as "uid", "member" or "objectclass"?
>
> Or if anyone has any other ideas/comments/pointers, that'd be great!
>
> --
> Jonathan
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444