lists.arthurdejong.org

Re: [nssldap] lookup delay using nss_ldap with Active Directory





Okay, I'm back after the weekend and I will keep attacking this problem now.

You should definitely give nscd a try. Caching is essential. It makes a big
difference.

I disagree. Caching is only necessary when your server can't keep up
with the workload, which will happen in large environments, or with slow
servers.

I too have heard of all the problems that nscd can cause, so I have avoided it myself. I do not think that our environment is too large for our servers to handle the load. We have about 800 user objects (many are old and disabled) and 150 groups, organized into about a dozen OU containers. Our 3 DCs are mostly sitting idle with about 30-40% free memory. There is no noticeable spike in usage when I do the lookups (at least none that I can see using Task Manager).

Now for a disclaimer: I do run nscd myself, because it's a good
practice. However, when otherwise healthy systems lock up because of one
basic daemon, or failover to another server doesn't work as advertised,
it can be very frustrating. Where I work, we are considering turning off
nscd on all of our systems due to a recent series of problems that were
all traced back to nscd.

This is interesting, I may at some point give nscd a try in a test environment, or as a last resort here if I am unable to improve performance.

Is it possible that it is an indexing issue with Active Directory? Have
other people had to make modifications to the Active Directory Schema to
index additional attributes, such as "uid", "member" or "objectclass"?

An index on uid, member, uidNumber, gidNumber would help.

I will index these and see if that changes anything.

Thanks,
--
Jonathan