[opensuse] User authentication with LDAP, your experience?
Hi,

I'm looking for hints about switching user authentication to LDAP. (We're using NIS up to now.) The LDAP server will be SLES, the clients are a variety of SUSE Linux systems, in different versions, and other Unix hosts.

I'm familiar with setup of LDAP servers and know how to configure the clients on the PAM level. I think that nscd should run on the clients, as LDAP has a rather high latency, compared to NIS, and that would provide cached access to passwd map entries. Can anybody confirm this or tell me anything about performance issues?

Are there any further pitfalls that I might fall into? Real-life experience about problems that were not obvious at first?

What do you use to manage LDAP users and groups? YAST? I'm using JXplorer (http://jxplorer.org) for LDAP browsing, but that doesn't seem to cut it for account management. Actually, a Web interface to manage users and groups would be very helpful.

Any tip would be greatly appreciated.

Joachim

--
Joachim Schrod
Email: jschrod@acm.org
Roedermark, Germany

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
I'm looking for hints about switching user authentication to LDAP. (We're using NIS up to now.) The LDAP server will be SLES, the clients are a variety of SUSE Linux systems, in different versions, and other Unix hosts. I'm familiar with setup of LDAP servers and know how to configure the clients on the PAM level. I think that nscd should run on the clients, as LDAP has a rather high latency, compared to NIS, and that would provide cached access to passwd map entries. Can anybody confirm this or tell me anything about performance issues?
nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.
Are there any further pitfalls that I might fall into? Real-life experience about problems that were not obvious at first? What do you use to manage LDAP users and groups? YAST?
An intranet application, and phpLDAPExplorer.
I'm using JXplorer (http://jxplorer.org) for LDAP browsing, but that doesn't seem to cut it for account management. Actually, a Web interface to manage users and groups would be very helpful.
There is LAM if you are a Samba shop. Personally I find none of them very impressive; we developed an in-house web front end.
Any tip would be greatly appreciated.
See "The LDAP Series" at http://www.whitemiceconsulting.com/node/30 :)
Adam Tauno Williams wrote:
I'm looking for hints about switching user authentication to LDAP. (We're using NIS up to now.) The LDAP server will be SLES, the clients are a variety of SUSE Linux systems, in different versions, and other Unix hosts.
I think that nscd should run on the clients, as LDAP has a rather high latency, compared to NIS, and that would provide cached access to passwd map entries. Can anybody confirm this or tell me anything about performance issues?
nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.
Thanks for your other comments, they're well taken. But I want to take up this topic for another round. ;-)

When I understand you correctly, you put an LDAP slave server with slurpd on each busy server? Is that overhead really needed? I wouldn't have thought that servers do access uid->name mappings so often; most of the time their software's functionality only depends on numeric uids, doesn't it?

I thought since TCP connection setup and teardown is much more expensive than UDP (NIS) or sockets (nscd), that LDAP might have performance problems here in interactive environments, when lots of people do ls -l or so. Now you tell me that this is a problem for unattended server operation as well. That means I have to investigate our usage pattern. Hmm, maybe I should wireshark our NIS traffic and see what happens there.

Could you please share more of your experience? Does a server really use passwd and group lookups so often?

Joachim

--
Joachim Schrod
Email: jschrod@acm.org
Roedermark, Germany
I'm looking for hints about switching user authentication to LDAP. (We're using NIS up to now.) The LDAP server will be SLES, the clients are a variety of SUSE Linux systems, in different versions, and other Unix hosts. I think that nscd should run on the clients, as LDAP has a rather high latency, compared to NIS, and that would provide cached access to passwd map entries. Can anybody confirm this or tell me anything about performance issues?
nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.
Thanks for your other comments, they're well taken. But I want to take up this topic for another round. ;-) When I understand you correctly, you put an LDAP slave server with slurpd on each busy server?
No, syncrepl. Only use current versions of OpenLDAP.
Is that overhead really needed?
What overhead? Using LDAPI the protocol interchange is very fast and efficient and you don't need to worry about SSL/TLS (which is REAL overhead). You don't NEED to do this, but if you want top-notch performance this delivers. The server is only doing its own queries, and hdb may be faster than parsing large text files anyway, and with LDAPI the results just move around in memory with no network protocol or stack overhead. I run servers without replicants, but busy file and mail servers do benefit from having their own copy of the DIT (or at least the relevant bits of it; you can do partial replication with syncrepl).
I wouldn't have thought that servers do access uid->name mappings so often; most of the time their software's functionality only depends on numeric uids, doesn't it?
Depends on the software. Samba does lots of lookups, mail servers do nearly constant lookups, web servers do almost none.
I thought since TCP connection setup and teardown is much more expensive than UDP (NIS) or sockets (nscd),
Yes, it is.
that LDAP might have performance problems here in interactive environments,
Depends; current OpenLDAP versions are *WICKED* fast. Almost nothing is faster for lookups.
when lots of people do ls -l or so. Now you tell me that this is a problem for unattended server operation as well. That means I have to investigate our usage pattern. Hmm, maybe I should wireshark our NIS traffic and see what happens there.
Always use wireshark. :)
Could you please share more of your experience? Does a server really use passwd and group lookups so often?
Depends entirely on the applications. The server at idle does basically no queries. :)
Adam Tauno Williams wrote:
nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.
When I understand you correctly, you put an LDAP slave server with slurpd on each busy server?
No, syncrepl. Only use current versions of OpenLDAP.
Thanks a lot for pointing that out. I used LDAP only for address books and certificate delivery in the past, so I missed that option. Your other points are well taken; I'll do some tests and benchmarks now.

Best regards,
Joachim

--
Joachim Schrod
Email: jschrod@acm.org
Roedermark, Germany
Joachim Schrod wrote:
Adam Tauno Williams wrote:
nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.
When I understand you correctly, you put an LDAP slave server with slurpd on each busy server?
No, syncrepl. Only use current versions of OpenLDAP.
Sorry, I forgot to confirm that: You still use slurpd to set up (at least one) backup server, to protect against minor outages, don't you?

Joachim

--
Joachim Schrod
Email: jschrod@acm.org
Roedermark, Germany
nscd is OK for workstations; but busy servers are best off having their own replicant. In many ways, nscd sucks.
When I understand you correctly, you put an LDAP slave server with slurpd on each busy server?
No, syncrepl. Only use current versions of OpenLDAP.
Sorry, I forgot to confirm that: You still use slurpd to set up (at least one) backup server, to protect against minor outages, don't you?
No, slurpd is deprecated, SyncREPL is a complete replacement for all replication purposes. A SyncREPL consumer can bring itself up to synchronization with the SyncREPL master.

--
Adam Tauno Williams
Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
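To make the two replication points in this thread concrete (partial syncrepl replication of just the NSS-relevant bits of the DIT, and syncrepl as the replacement for slurpd), here is an added slapd.conf fragment for a read-only consumer on a busy server. It is a constructed example, not configuration from any post in this thread; the hostnames, base DN, replication bind DN and credentials are placeholders.

```conf
# Constructed example: read-only syncrepl consumer for local passwd/group lookups.
# Only posixAccount/posixGroup entries are pulled, and only the attributes that
# nss_ldap needs. userPassword is deliberately left out of the attrs list, so the
# local copy never holds password hashes; pam_ldap authentication keeps binding
# against the provider, and only uid/gid <-> name lookups are answered here.

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Equality indexes on exactly the attributes NSS searches by.
index           objectClass,uid,uidNumber,gidNumber,memberUid   eq

syncrepl rid=001
        provider=ldap://ldap-master.example.com
        type=refreshAndPersist
        retry="30 10 300 +"
        searchbase="dc=example,dc=com"
        filter="(|(objectClass=posixAccount)(objectClass=posixGroup))"
        scope=sub
        attrs="objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell,memberUid"
        # Partial replication: relax schema checks on the consumer.
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials="REPLACE-WITH-REPLICATOR-PASSWORD"
        # Replication traffic carries account data: require TLS and verify the provider.
        starttls=critical
        tls_reqcert=demand

# Any write attempted against this copy is referred back to the provider.
updateref       ldap://ldap-master.example.com
```

With slapd listening on ldapi:/// as well (as in the LDAPI suggestion above), the local nss_ldap configuration can point `uri ldapi://` at this consumer so the server's own lookups never leave the host.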
On Tuesday 20 March 2007, Joachim Schrod wrote:
Are there any further trapfalls that I might fall into? Real-life experience about problems that were not obvious at first?
In my experience, yast does a very good job of setting up LDAP on a SLES box, tying everything together. In fact I wouldn't attempt to run SLES without ldap because there are too many things that are tied into ldap. At first I tried to go around it, and do things the normal suse way. Bad Idea.
What do you use to manage LDAP users and groups? YAST?
Yes, Yast is best, as it seems to have all the bases covered. I've accessed and updated the ldap server with a windows based client, but saw no advantage to running that than just running text mode yast in a shell.

--
John Andersen
John Andersen wrote:
On Tuesday 20 March 2007, Joachim Schrod wrote:
In my experience, yast does a very good job of setting up LDAP on a SLES box, tieing everything together. In fact I wouldn't attempt to run SLES without ldap because there are too many things that are tied into ldap.
Hmm, I didn't notice that up to now. I have several SLES running, without LDAP, and without problems. What do I miss here? Where do you use LDAP?

I should say that I'm not a YAST user; I'm an old Unix guy who does lots of things on Linux like I learned it 25 years ago. I only use YAST for setup of stand-alone systems. Software installation/updates is done with apt or smart, and configuration is done with Emacs, vi, or CLI commands in /etc. :-)

And, if you don't mind that I come back to my original topic: If you use LDAP for user authentication -- did you encounter performance problems that are related to passwd or group lookups? If no, do you run nscd?

Best,
Joachim

--
Joachim Schrod
Email: jschrod@acm.org
Roedermark, Germany
And, if you don't mind that I come back to my original topic: If you use LDAP for user authentication -- did you encounter performance problems that are related to passwd or group lookups? If no, do you run nscd?
In the space between running nscd and running a local replicant is a third option - run a local caching DSA. Again, it all depends upon your needs/applications.

--
Adam Tauno Williams
Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
On Wednesday 21 March 2007, Joachim Schrod wrote:
And, if you don't mind that I come back to my original topic: If you use LDAP for user authentication -- did you encounter performance problems that are related to passwd or group lookups? If no, do you run nscd?
No performance problems that we were able to notice, but then the server was orders of magnitude faster than what it replaced. And yes, we do run nscd.

--
John Andersen
Joachim Schrod wrote:
I'm using JXplorer (http://jxplorer.org) for LDAP browsing, but that doesn't seem to cut it for account management. Actually, a Web interface to manage users and groups would be very helpful.
You could try webmin. Not sure if it's available packaged for OpenSuSE.

participants (4)
- Adam Tauno Williams
- Joachim Schrod
- John Andersen
- Russell Jones