Re: [nssldap] lookup delay using nss_ldap with Active Directory
- From: Jonathan Nilsson <jnilsson [at] uci.edu>
- To: Prentice Bisbal <prentice [at] ias.edu>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
- Date: Mon, 10 May 2010 09:17:36 -0700
Okay, I'm back after the weekend and I will keep attacking this problem now.

You should definitely give nscd a try. Caching is essential. It makes a big
difference.

I disagree. Caching is only necessary when your server can't keep up
with the workload, which will happen in large environments, or with slow
servers.

I too have heard of all the problems that nscd can cause, so I have avoided it
myself. I do not think that our environment is too large for our servers to
handle the load. We have about 800 user objects (many are old and disabled) and
150 groups, organized into about a dozen OU containers. Our 3 DCs are mostly
sitting idle with about 30-40% free memory. There is no noticeable spike in
usage when I do the lookups (at least none that I can see using Task Manager).

Now for a disclaimer: I do run nscd myself, because it's a good
practice. However, when otherwise healthy systems lock up because of one
basic daemon, or failover to another server doesn't work as advertised,
it can be very frustrating. Where I work, we are considering turning off
nscd on all of our systems due to a recent series of problems that were
all traced back to nscd.

This is interesting, I may at some point give nscd a try in a test environment,
or as a last resort here if I am unable to improve performance.

Is it possible that it is an indexing issue with Active Directory? Have
other people had to make modifications to the Active Directory Schema to
index additional attributes, such as "uid", "member" or "objectclass"?

An index on uid, member, uidNumber, gidNumber would help.

I will index these and see if that changes anything.
Thanks,
--
Jonathan