lists.arthurdejong.org

Re: [nssldap] lookup delay using nss_ldap with Active Directory

On 05/10/2010 08:04 AM, Douglas E. Engert wrote:
> In the first note, you did not indicate if you had a test AD domain, as
> well as test clients.

I was using two entirely separate AD domain environments.

> AD can support many groups, and this could be the performance
> difference you are seeing between id and getent. id will have to look up the
> name of the group given the gidNumber. getent only has to look up the user.

Ah, I see. Yes, my test environment was much simpler: only a few test entries in the directory, compared to several hundred user and group entries (including several nested groups) in the production environment.

> I should point out we use AD for Kerberos, and separate OpenLDAP servers for
> authorization info, but have had issues with another application that tried
> to use the AD groups, and ended up reading every group a user was a
> memberOf which could take 20 seconds.

Yes, it does seem to be the groups that are causing us problems. In /etc/nsswitch.conf, if I remove "ldap" as a source for group entries, then id works much faster (still about a 5-second delay instead of 20-30 seconds).

Out of curiosity, are you synchronizing your AD and OpenLDAP directories at all? Or do you manually create entries in both when a new user is added? I've been following the FreeIPA project (based on Fedora DS, not OpenLDAP) for a while and they do offer synchronization between AD and their DS. But I'd prefer to be able to keep things simple and just use AD for both Kerberos and LDAP.


On 05/08/2010 12:20 AM, Brett Delle Grazie wrote:
> I have some suggestions:
> 1. ... MTU differences ...
> 2. .. referrals in LDAP client ...
> 3. Enable debugging in nss_ldap...
> 4. Check the changelogs ...

Thanks Brett for the above suggestions. I am still looking into the details and will respond separately.

--
Jonathan
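The distinction Douglas draws above, that getent passwd is a single getpwnam() while id also has to run initgroups and then one getgrgid() per gid, is easy to measure on the client itself. The script below is an added example for this thread, not code from nss_ldap or from either poster; the function names (profile_lookup, slowest_phase) are mine, and it simply calls the C library through Python's pwd, grp and os modules, so it goes through whatever sources /etc/nsswitch.conf lists (files, ldap, ...) on the machine it runs on. Running it against a user in the production directory shows whether the delay sits in the user search, in the memberOf/initgroups query, or in the per-gid group name lookups that the nested groups multiply.

```python
"""Break an `id`-style lookup into its NSS calls and time each phase.

Added example for this thread; not code from nss_ldap or the posters.
It mimics what `id` does through libc (getpwnam, then getgrouplist,
then getgrgid once per gid) so the slow phase can be attributed:
a slow getpwnam points at the passwd source, a slow getgrouplist at the
membership query, and many small getgrgid delays at the group source.
"""
import grp
import os
import pwd
import time


def timed(fn, *args):
    """Run fn(*args); return (result, seconds). A KeyError yields (None, seconds)."""
    start = time.perf_counter()
    try:
        result = fn(*args)
    except KeyError:
        result = None
    return result, time.perf_counter() - start


def profile_lookup(user=None):
    """Mimic `id <user>` and report how many NSS calls each phase made."""
    if user is None:
        user = pwd.getpwuid(os.getuid()).pw_name

    # Phase 1: what `getent passwd <user>` does: a single getpwnam().
    pw, passwd_secs = timed(pwd.getpwnam, user)
    if pw is None:
        raise LookupError("unknown user %r" % user)

    # Phase 2: initgroups: one call returning every gid the user belongs to
    # (with nss_ldap this is the group membership search).
    gids, initgroups_secs = timed(os.getgrouplist, user, pw.pw_gid)

    # Phase 3: one getgrgid() per gid to turn numbers into names; this is the
    # fan-out `getent passwd` never performs. A gid with no resolvable entry
    # is recorded as unresolved instead of aborting the whole lookup.
    groups, unresolved, group_secs = [], [], 0.0
    for gid in gids:
        gr, secs = timed(grp.getgrgid, gid)
        group_secs += secs
        if gr is None:
            unresolved.append(gid)
            groups.append((gid, None))
        else:
            groups.append((gid, gr.gr_name))

    return {
        "user": user,
        "uid": pw.pw_uid,
        "passwd_lookups": 1,
        "passwd_secs": passwd_secs,
        "initgroups_secs": initgroups_secs,
        "group_lookups": len(gids),
        "group_secs": group_secs,
        "groups": groups,
        "unresolved_gids": unresolved,
    }


def slowest_phase(report):
    """Name the phase that dominated wall-clock time."""
    phases = {
        "passwd": report["passwd_secs"],
        "initgroups": report["initgroups_secs"],
        "getgrgid": report["group_secs"],
    }
    return max(phases, key=phases.get)


if __name__ == "__main__":
    import sys
    r = profile_lookup(sys.argv[1] if len(sys.argv) > 1 else None)
    print("user %s uid=%d" % (r["user"], r["uid"]))
    print("getpwnam     : 1 call,   %.3fs" % r["passwd_secs"])
    print("getgrouplist : 1 call,   %.3fs (%d gids)" % (r["initgroups_secs"], r["group_lookups"]))
    print("getgrgid     : %d calls, %.3fs total" % (r["group_lookups"], r["group_secs"]))
    for gid, name in r["groups"]:
        print("  %6d  %s" % (gid, name if name else "<unresolved>"))
    print("slowest phase: %s" % slowest_phase(r))
```

Run it as `python3 profile_lookup.py someuser` once with "ldap" in the group line of nsswitch.conf and once without; if the getgrgid total collapses while getgrouplist stays slow, the remaining delay is in the membership query rather than in group name resolution, which is a different thing to tune.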