
I'm looking for hints about switching user authentication to LDAP. (We're using NIS up to now.) The LDAP server will be SLES, the clients are a variety of SUSE Linux systems, in different versions, and other Unix hosts.

I think that nscd should run on the clients, as LDAP has a rather high latency compared to NIS, and that would provide cached access to passwd map entries. Can anybody confirm this or tell me anything about performance issues?

nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.

Thanks for your other comments, they're well taken. But I want to take up this topic for another round. ;-) If I understand you correctly, you put an LDAP slave server with slurpd on each busy server?
No, syncrepl. Only use current versions of OpenLDAP.
Is that overhead really needed?
What overhead? Using LDAPI the protocol interchange is very fast and efficient and you don't need to worry about SSL/TLS (which is REAL overhead). You don't NEED to do this, but if you want top-notch performance this delivers. The server is only doing its own queries, and hdb may be faster than parsing large text files anyway, and with LDAPI the results just move around in memory with no network protocol or stack overhead. I run servers without replicants, but busy file and mail servers do benefit from having their own copy of the DIT (or at least the relevant bits of it; you can do partial replication with syncrepl).
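To make the setup described above concrete, here is an added example (not posted in this thread, and not SUSE's or OpenLDAP's own configuration): a small shell script that prints the two config fragments for a busy server that carries its own syncrepl replicant and answers NSS lookups over the ldapi:// Unix socket rather than TCP. All names are hypothetical (dc=example,dc=com, provider ldap1.example.com, rid 001, cn=replicator), the syntax is slapd.conf style (the cn=config equivalents are olcSyncrepl and friends), and where it says hdb, OpenLDAP 2.4.27 and later would normally use mdb. The point worth noticing is the ACL: the replicated copy carries userPassword, so the local slapd must protect it exactly as the provider does.

```shell
#!/bin/sh
# Added example, not from the thread: config for a local syncrepl replicant
# answering NSS over ldapi://. Hypothetical names throughout.

# Local slapd: a consumer of the provider's DIT, reachable only via socket.
render_consumer_slapd_conf() {
  cat <<'EOF'
# Start the local daemon with only a socket listener, e.g.
#   slapd -h ldapi:/// -u ldap -g ldap
# No TCP listener: nothing to encrypt locally, nothing for other hosts to reach.
# This file holds the replicator's credentials; keep it root-only (chmod 600).

database   hdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
directory  /var/lib/ldap

# nss_ldap searches on these; an unindexed equality search walks the whole DB.
index objectClass                          eq
index uid,uidNumber,gidNumber,memberUid    eq
index cn                                   eq,sub

# The replicated copy carries userPassword too, so lock it down here exactly
# as on the provider: usable for binds, never readable.
access to attrs=userPassword
        by self write
        by * auth
access to *
        by * read

# Pull the relevant part of the DIT and keep it current (refreshAndPersist).
# Narrow searchbase/filter for partial replication, e.g. only People and Group.
syncrepl rid=001
         provider=ldaps://ldap1.example.com
         type=refreshAndPersist
         retry="60 10 300 +"
         searchbase="dc=example,dc=com"
         filter="(|(objectClass=posixAccount)(objectClass=posixGroup))"
         attrs="*,+"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         tls_reqcert=demand

# Writes (password changes) are referred back to the provider.
updateref ldaps://ldap1.example.com
EOF
}

# Client side (PADL nss_ldap, /etc/ldap.conf): point NSS at the local socket.
render_client_ldap_conf() {
  cat <<'EOF'
uri             ldapi:///
base            dc=example,dc=com
ldap_version    3
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
EOF
}

# Sanity check once slapd is up: one indexed lookup over the socket,
# which is exactly the query nss_ldap will issue for getpwnam().
check_local_lookup() {
  ldapsearch -LLL -H ldapi:/// -x -b dc=example,dc=com "(uid=$1)" uidNumber
}

case "${1:-}" in
  slapd)  render_consumer_slapd_conf ;;
  client) render_client_ldap_conf ;;
  check)  check_local_lookup "${2:?uid}" ;;
esac
```

Usage: `sh replicant.sh slapd > /etc/openldap/slapd.conf`, `sh replicant.sh client > /etc/ldap.conf`, then `sh replicant.sh check alice` after starting slapd. The replicator bind DN should be a dedicated entry that the provider's ACLs grant read on the replicated subtree and nothing else.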
I wouldn't have thought that servers do access uid->name mappings so often; most of the time their software's functionality only depends on numeric uids, doesn't it?
Depends on the software. Samba does lots of lookups, mail servers do nearly constant lookups, web servers do almost none.
I thought since TCP connection setup and teardown is much more expensive than UDP (NIS) or sockets (nscd),
Yes, it is
that LDAP might have performance problems here in interactive environments,
Depends; current OpenLDAP versions are *WICKED* fast. Almost nothing is faster for lookups.
when lots of people do ls -l or so. Now you tell me that this is a problem for unattended server operation as well. That means I have to investigate our usage pattern. Hmm, maybe I should Wireshark our NIS traffic and see what happens there.
Always use Wireshark. :)
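As an added example of the investigation suggested above (my own script, not something posted in this thread): capture the NIS (YP) RPC calls, flatten them to TSV with tshark, and summarise who is asking, for which maps, and how many lookups repeat a key that was already fetched, which is the share an nscd cache or a local replicant would have answered without touching the wire. The tshark field names ypserv.map and ypserv.key are an assumption to confirm against the installed Wireshark with `tshark -G fields`; the sample TSV embedded in the script is constructed to look like a small burst of `ls -l` from three clients.

```shell
#!/bin/sh
# Added example, not from the thread: profile NIS lookup traffic from a capture.
# Assumed field names (ypserv.map, ypserv.key); check with:
#   tshark -G fields | grep ypserv
#
# Capture on the NIS server (or a client) and flatten the YP calls to TSV:
#   tcpdump -i eth0 -s 0 -w nis.pcap host nis1.example.com
#   tshark -r nis.pcap -Y 'ypserv && rpc.msgtyp == 0' -T fields \
#     -e frame.time_relative -e ip.src -e rpc.procedure \
#     -e ypserv.map -e ypserv.key > calls.tsv
# Every map name and key is readable in the clear on the wire; that is NIS.

# Constructed sample of that TSV: time, client, YPPROC number, map, key.
sample_calls() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    0.000 10.0.0.21 3 passwd.byuid  1001  \
    0.004 10.0.0.21 3 passwd.byuid  1002  \
    0.010 10.0.0.21 3 group.bygid   100   \
    0.120 10.0.0.22 3 passwd.byname alice \
    0.125 10.0.0.22 3 passwd.byuid  1001  \
    0.900 10.0.0.21 3 passwd.byuid  1001  \
    1.400 10.0.0.23 8 passwd.byname ''
}

# Calls per client, to find the chatty hosts (stdin: TSV as above).
nis_calls_by_source() {
  awk -F'\t' '{ c[$2]++ } END { for (s in c) print s, c[s] }' | sort
}

# Calls per map and procedure. YPPROC_ALL (8) on passwd.* is a whole-map dump.
nis_calls_by_map() {
  awk -F'\t' 'BEGIN { p[3] = "MATCH"; p[4] = "FIRST"; p[5] = "NEXT"; p[8] = "ALL" }
              { n = ($3 in p) ? p[$3] : "proc" $3; c[$4 " " n]++ }
              END { for (k in c) print k, c[k] }' | sort
}

# Percentage of MATCH calls that repeat an earlier (map, key) pair: the
# lookups a cache would have served locally.
nis_cache_hit_pct() {
  awk -F'\t' '$3 == 3 { n++; k = $4 SUBSEP $5; if (k in seen) hit++; seen[k] = 1 }
              END { printf "%d\n", (n ? 100 * hit / n : 0) }'
}

# Sustained call rate over the capture window.
nis_calls_per_sec() {
  awk -F'\t' 'NR == 1 { t0 = $1 } { t1 = $1; n++ }
              END { d = t1 - t0; printf "%.1f\n", (d > 0 ? n / d : n) }'
}

# Report on a real calls.tsv when one is given on the command line.
if [ $# -gt 0 ]; then
  f=$1
  echo "calls per client:";      nis_calls_by_source < "$f"
  echo "calls per map/proc:";    nis_calls_by_map < "$f"
  echo "repeat lookups (%):";    nis_cache_hit_pct < "$f"
  echo "calls per second:";      nis_calls_per_sec < "$f"
fi
```

On the constructed sample the repeat share is 33% (passwd.byuid 1001 is fetched three times by two hosts), which is the kind of number that decides between "nscd is enough" and "this box wants its own replicant". A high count of ALL calls against passwd maps is worth a look on its own: that is a client enumerating the whole map.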
Could you please share more of your experience? Does a server really use passwd and group lookups so often?
Depends entirely on the applications. The server at idle does basically no queries. :)