Re: Optimizing OpenLDAP pam authentication (it's very slow)
I REALLY appreciate all the help you guys are giving and I hope to
find a fix.
I had long ago tried this.
Currently it looks like:
nss_base_passwd ou=People,dc=musc,dc=edu?one
nss_base_group ou=Groups,dc=musc,dc=edu?one
The rest are commented.
Logins are slow.
If I change nss_base_group to "ou=Groups,dc=musc,dc=edu?base"
Logins are fast except, when I run "groups" to see what groups I
belong to, it only returns my "numeric" group not its name nor the
other 6 groups I belong to.
On Thu, May 31, 2001 at 04:26:34PM -0400, Rechenberg, Andrew wrote:
> Actually the "nss_base_passwd" and "nss_base_group" configuration options
> tell pam_ldap and nss_ldap where to look for the appropriate objects. There
> are other configuration options that you "AND" with the search filter, but
> the "nss_base_*" options just tell the modules where to look to apply that
> filter.
>
> If you tell the modules where to look for the appropriate object, it should
> speed up logins noticeably. If all of your objects lie in
> ou=something,ou=people,dc=my,dc=com then use
>
> nss_base_passwd ou=something,ou=people,dc=my,dc=com?one
>
> in your /etc/ldap.conf file.
>
> You're telling it EXACTLY where to look instead of doing a subtree search
> like dc=my,dc=com?sub
>
> I only wish there were a way to have multiple RFC2307bis naming contexts in
> that file, because in my situation, users are all over the tree and if they
> are in a container at the bottom of the tree alphabetically, then it takes
> longer to do auths and such. Active Directory doesn't support object
> aliasing so I can't do that either :\
>
> Oh well, try the nss_base_* config option; it should help speed things up.
> Hope this helps.
>
> Regards,
> Andrew Rechenberg
> Network Team, Sherman Financial Group
> arechenberg@shermanfinancialgroup.com
> Phone: 513.677.7809
> Fax: 513.677.7838
>
>
>
> From: Matthew Gregg [mailto:greggmc@musc.edu]
> Sent: Thursday, May 31, 2001 11:43 AM
> To: GOMBAS Gabor
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Optimizing OpenLDAP pam authentication (it's very slow)
>
>
> I've seen that and tried that. What that does is "and" your filter
> with the default filter. How to change/override the default filter would be
> the trick. Right?
>
> On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> >
> > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > It's not something that I can configure, without some code changes.
> >
> > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > (the nss_base_* parameters).
> >
> > Gabor
> >
>
--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
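
How the three LDAP search scopes behave for the nss_base_group setting discussed above, as an added example that is not part of the original message: a base-scope search can only ever return the base entry itself, so a search for posixGroup entries based at ou=Groups with ?base finds none. The directory contents, group names and the helper names are constructed for illustration; the posixGroup filter and the "sub" default for a missing scope are assumptions about the nss_ldap defaults.

```python
# Added illustration: LDAP search scopes applied to nss_base_* lines.
# Assumes DNs without escaped commas; directory entries are constructed.

def parse_nss_base(line):
    """Split 'nss_base_group <base DN>?<scope>' into (map, base DN, scope)."""
    key, value = line.split(None, 1)
    base, _, scope = value.strip().partition("?")
    # Assumption: a missing scope is treated as a subtree search.
    return key[len("nss_base_"):], base, (scope or "sub").lower()

def rdns(dn):
    """Naive DN split into lower-cased RDNs (no escaped-comma handling)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is covered by a search at base_dn with this scope."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                  # entry is not at or under the base
    depth = len(entry) - len(base)    # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: " + scope)

# Constructed sample directory: DN -> object classes.
DIRECTORY = {
    "ou=Groups,dc=musc,dc=edu": {"organizationalUnit"},
    "cn=staff,ou=Groups,dc=musc,dc=edu": {"posixGroup"},
    "cn=itlab,ou=Groups,dc=musc,dc=edu": {"posixGroup"},
    "cn=old,ou=Archive,ou=Groups,dc=musc,dc=edu": {"posixGroup"},
}

def group_search(conf_line):
    """DNs of posixGroup entries a group lookup would see for this config line."""
    _, base, scope = parse_nss_base(conf_line)
    return sorted(dn for dn, classes in DIRECTORY.items()
                  if "posixGroup" in classes and in_scope(dn, base, scope))

if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        line = "nss_base_group ou=Groups,dc=musc,dc=edu?" + scope
        print(scope, group_search(line))
```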