
Re: [nssldap] lookup delay using nss_ldap with Active Directory

Prentice Bisbal wrote:


Jonathan Nilsson wrote:
Okay, I'm back after the weekend and I will keep attacking this problem
now.

You should definitely give nscd a try. Caching is essential. It makes
a big difference.

I disagree. Caching is only necessary when your server can't keep up
with the workload, which will happen in large environments, or with slow
servers.

I too have heard of all the problems that nscd can cause, so I have
avoided it myself.  I do not think that our environment is too large for
our servers to handle the load.  We have about 800 user objects (many are
old and disabled) and 150 groups, organized into about a dozen OU
containers. Our 3 DCs are mostly sitting idle with about 30-40% free
memory.  There is no noticeable spike in usage when I do the lookups (at
least none that I can see using Task Manager).

Now for a disclaimer: I do run nscd myself, because it's a good
practice. However, when otherwise healthy systems lock up because of one
basic daemon, or failover to another server doesn't work as advertised,
it can be very frustrating. Where I work, we are considering turning off
nscd on all of our systems due to a recent series of problems that were
all traced back to nscd.

This is interesting, I may at some point give nscd a try in a test
environment, or as a last resort here if I am unable to improve
performance.

My problems with nscd have been pretty rare, but when they do occur,
they've been very severe.

That's why we recommend using OpenLDAP nssov now. You can use OpenLDAP's proxycache for reliable caching.

http://www.symas.com/ldapcon2009/papers/hyc1.shtml


Is it possible that it is an indexing issue with Active Directory? Have
other people had to make modifications to the Active Directory Schema to
index additional attributes, such as "uid", "member" or "objectclass"?

An index on uid, member, uidNumber, gidNumber would help.

I will index these and see if that changes anything.

Thanks,



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
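The thread turns on whether the lookup delay comes from the directory (missing indexes) or would be masked by a cache (nscd, proxycache). Before changing either, it helps to measure. The script below is an added example, not code from this thread or from the nss_ldap or OpenLDAP projects: it times NSS lookups through glibc's `pwd`/`grp` interfaces (the same path `getent` uses, so whatever backend nsswitch.conf selects, including nss_ldap and nscd, is exercised), repeats each lookup several times, and reports first-hit versus median latency. A large gap between the first and later samples indicates a cache is absorbing the cost; uniformly slow samples point at the server side, e.g. unindexed attributes. The user and group names are placeholders you would replace with accounts from your own directory.

```python
"""Measure NSS lookup latency (files, nss_ldap, nscd ...) for a set of names.

Added example; the names below are constructed placeholders, and the
timings reflect whatever NSS backend the host's nsswitch.conf selects.
"""
import grp
import pwd
import statistics
import time

# Map the lookup kind to the glibc NSS call that performs it.
_LOOKUPS = {
    "passwd": pwd.getpwnam,   # getpwnam(3) -> passwd database
    "group": grp.getgrnam,    # getgrnam(3) -> group database
}


def time_lookup(fn, key):
    """Run one lookup and return (elapsed_ms, found).

    A missing entry raises KeyError; that is a legitimate (and often
    slow) negative answer, so it is counted rather than treated as an
    error.
    """
    start = time.perf_counter()
    try:
        fn(key)
        found = True
    except KeyError:
        found = False
    return (time.perf_counter() - start) * 1000.0, found


def measure(names, rounds=5, kind="passwd"):
    """Time each name `rounds` times; return per-name latency statistics.

    first_ms is the cold lookup, median_ms/max_ms summarise the repeats.
    With a working cache (nscd) first_ms is typically much larger than
    median_ms; with no cache and a slow directory all samples are slow.
    """
    lookup = _LOOKUPS[kind]
    results = {}
    for name in names:
        samples = []
        found = False
        for _ in range(rounds):
            elapsed, hit = time_lookup(lookup, name)
            samples.append(elapsed)
            found = found or hit
        results[name] = {
            "kind": kind,
            "found": found,
            "first_ms": samples[0],
            "median_ms": statistics.median(samples),
            "max_ms": max(samples),
        }
    return results


def slow_lookups(results, threshold_ms):
    """Names whose worst sample exceeded threshold_ms, sorted."""
    return sorted(n for n, r in results.items() if r["max_ms"] > threshold_ms)


def cache_ratio(result):
    """first_ms / median_ms for one name; >> 1 suggests a cache hit after a cold miss."""
    median = result["median_ms"]
    return result["first_ms"] / median if median > 0 else float("inf")


if __name__ == "__main__":
    # Placeholder names; substitute real directory users/groups to measure.
    users = ["root", "nosuchuser-example"]
    groups = ["root", "nosuchgroup-example"]
    report = {}
    report.update(measure(users, kind="passwd"))
    report.update(measure(groups, kind="group"))
    for name, r in report.items():
        print(f"{r['kind']:6} {name:22} found={r['found']!s:5} "
              f"first={r['first_ms']:8.2f}ms median={r['median_ms']:8.2f}ms "
              f"max={r['max_ms']:8.2f}ms ratio={cache_ratio(r):.1f}")
    print("slow (>100 ms):", slow_lookups(report, 100.0))
```

Run it once with nscd stopped and once with it running (or before and after adding the indexes Howard suggests) and compare the median columns; negative lookups for names that do not exist are worth including, because they are the case where a missing index or an absent negative cache hurts most.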