Re: [nssldap] lookup delay using nss_ldap with Active Directory
- From: Howard Chu <hyc [at] highlandsun.com>
- To: Dax Kelson <dkelson [at] gurulabs.com>
- Cc: Prentice Bisbal <prentice [at] ias.edu>, nssldap [at] padl.com
- Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
- Date: Mon, 10 May 2010 12:06:52 -0700
Dax Kelson wrote:
> On Mon, 2010-05-10 at 10:58 -0700, Howard Chu wrote:
>> That's why we recommend using OpenLDAP nssov now. You can use OpenLDAP's
>> proxycache for reliable caching.
>>
>> http://www.symas.com/ldapcon2009/papers/hyc1.shtml
>
> How does that compare to sssd (https://fedorahosted.org/sssd/) ?

sssd is a more generic solution, but it requires new infrastructure. nssov is
an LDAP-specific solution, and it's all administrable within LDAP. Managing
nssov remotely across thousands of nodes is easy, since nodes can simply
replicate their configurations via LDAP. sssd uses an app-specific private
database, so it's not really a distributed design.

sssd is only a caching solution, you still need nss_ldap + pam_ldap or
whatever other pam/nss mechanisms. nssov has integrated centralized and
distributed policy management, which is again remotely configurable using LDAP.

nssov is extremely simple code and can be shown to be bug-free by mere
inspection. Configuration is simple. It Just Works. ...

sssd has a lot of moving parts; auditing the code is non-trivial.
Configuration is complex. ...

Naturally you shouldn't take my word for it, you should compare for yourself.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/