[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Optimizing OpenLDAP pam authentication (it's very slow)

To: "Rechenberg, Andrew" <ARechenberg@shermanfinancialgroup.com>
Subject: Re: Optimizing OpenLDAP pam authentication (it's very slow)
From: Matthew Gregg <greggmc@musc.edu>
Date: Thu, 31 May 2001 16:33:19 -0400
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <35F52ABC3317D511A55300D0B73EB8050612F9@cinshrexc01.shermfin.com>
References: <35F52ABC3317D511A55300D0B73EB8050612F9@cinshrexc01.shermfin.com>
User-agent: Mutt/1.3.18i

I REALLY appreciate all the help you guys are giving and I hope to
find a fix.
I had long ago tried this.
Currently it looks like:
nss_base_passwd         ou=People,dc=musc,dc=edu?one
nss_base_group          ou=Groups,dc=musc,dc=edu?one
The rest are commented.
Logins are slow.

If I change nss_base_group to "ou=Groups,dc=musc,dc=edu?base"
Logins are fast except, when I run "groups" to see what groups I
belong to, it only returns my "numeric" group not it's name nor the
other 6 groups I belong to.



On Thu, May 31, 2001 at 04:26:34PM -0400, Rechenberg, Andrew wrote:
> Actually the "nss_base_passwd" and "nss_base_group" configuration options
> tell pam_ldap and nss_ldap where to look for the appropriate objects.  There
> are other configuration options that you "AND" with the search filter, but
> the "nss_base_*" options just tell the modules where to look to apply that
> filter.
> 
> If you tell the modules where to look for the appropriate object, it should
> speed up logins noticeably.  If all of your objects lie in
> ou=something,ou=people,dc=my,dc=com then use 
> 
> nss_base_passwd		ou=something,ou=people,dc=my,dc=com?one
> 
> in your /etc/ldap.conf file.
> 
> You're telling it EXACTLY where to look instead of doing a subtree search
> like dc=my,dc=com?sub
> 
> I only wish there were a way to have multiple RFC2307bis naming contexts in
> that file, because in my situation, users are all over the tree and if they
> are in a container at the bottom of the tree alphabetically, then it takes
> longer to do auth's and such.  Active Directory doesn't support object
> aliasing so I can't do that either :\
> 
> Oh well, try the nss_base_* config option; it should help speed things up.
> Hope this helps.
> 
> Regards,
> Andrew Rechenberg
> Network Team, Sherman Financial Group
> arechenberg@shermanfinancialgroup.com
> Phone: 513.677.7809
> Fax:   513.677.7838
> 
> 
> 
> From: Matthew Gregg [mailto:greggmc@musc.edu]
> Sent: Thursday, May 31, 2001 11:43 AM
> To: GOMBAS Gabor
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Optimizing OpenLDAP pam authentication (it's very slow)
> 
> 
> I've seen that and tried that.  What that does is "and" your filter
> with the default filter.  How to change/override the default filter would be
> the trick. Right?
> 
> On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> >  
> > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > It's not something that I can configure, without some code changes.
> > 
> > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > (the nss_base_* parameters).
> > 
> > Gabor
> > 
> 

-- 
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

References:
- RE: Optimizing OpenLDAP pam authentication (it's very slow)
  - From: "Rechenberg, Andrew" <ARechenberg@shermanfinancialgroup.com>

Prev by Date: Referral questions
Next by Date: dynamic module problem
Index(es):
- Chronological
- Thread