Re: [nssldap] lookup delay using nss_ldap with Active Directory
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: [nssldap] lookup delay using nss_ldap with Active Directory
- From: Prentice Bisbal <prentice [at] ias.edu>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
- Date: Mon, 10 May 2010 13:10:24 -0400
Jonathan Nilsson wrote:
> Okay, I'm back after the weekend and I will keep attacking this problem
> now.
>
>>> You should definitly give nscd a try. Caching is essential. It makes
>>> a big
>>> difference.
>>
>> I disagree. Caching is only necessary when your server can't keep up
>> with the workload, which will happen in large environments, or with slow
>> servers.
>
> I too have heard of all the problems that nscd can cause, so I have
> avoided it myself. I do not think that our environment is too large for
> our servers to handle the load. We have about 800 user object (many are
> old and disabled) and 150 groups, organized into about a dozen OU
> containers. Our 3 DC's are mostly sitting idle with about 30-40% free
> memory. There is no noticeable spike in usage when I do the lookups (at
> least none that I can see using Task Manager).
>
>> Now for a disclaimer: I do run nscd myself, because it's a good
>> practice. However, when otherwise healthy systems lock up because of one
>> basic daemon, or failover to another server doesn't work as advertised,
>> it can be very frustrating. Where I work, we are considering turning of
>> nscd on all of our systems due to a recent series of problems that were
>> all traced back to nscd.
>
> This is interesting, I may at some point give nscd a try in a test
> environment, or as a last resort here if I am unable to improve
> performance.
My problems with nscd have been pretty rare, but when they do occur,
they've been very severe.
>
>>>> Is it possible that it is an indexing issue with Active Directory? Have
>>>> other people had to make modifications to the Active Directory
>>>> Schema to
>>>> index additional attributes, such as "uid", "member" or "objectclass"?
>>>
>>> An index on uid, member, uidNumber, gidNumber would help.
>
> I will index these and see if that changes anything.
>
> Thanks,
--
Prentice
- Re: [nssldap] lookup delay using nss_ldap with Active Directory, (continued)
Re: [nssldap] lookup delay using nss_ldap with Active Directory,
Brett Delle Grazie