https://bugzilla.novell.com/show_bug.cgi?id=242520

Summary: passwd: compat, group:compat in nsswitch.conf causes bad LDAP performance
Product: openSUSE 10.3
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: forsberg@cendio.se
QAContact: qa@suse.de

When YaST is used to configure SUSE (as well as SLED and SLES) into using an LDAP directory for authentication and user/group data access, the following is written into /etc/nsswitch.conf:

    passwd: compat
    group: compat
    passwd_compat: ldap
    group_compat: ldap

This is very bad for performance, as the initgroups function (used at login time by sshd, kdm, gdm and similar to find out which groups the user belongs to) will then use the "enumerate all groups and see if the current username belongs to any of them" method (suitable for flatfile databases) instead of the LDAP-optimized version of initgroups available in nss_ldap, which will query the LDAP server for groups the user is a member of.

The latter is very much faster than the former, as the former not only has to enumerate all groups, but also in many cases translate DNs into usernames, which will generate as many LDAP queries as there are members of all groups, instead of _one_ LDAP query for the LDAP-optimized initgroups.

All other distributions I've seen, as well as the nss_ldap documentation, recommend an /etc/nsswitch.conf with the following contents:

    passwd: files ldap
    group: files ldap
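A small audit for the configuration described in this report, as an added example that is not part of the original bug report or of any SUSE or nss_ldap tooling. The function names and both sample files are constructed for illustration; the parser covers only the basic `database: sources` syntax plus `[STATUS=action]` items.

```python
import re

# Constructed sample: the layout the report says YaST writes.
SAMPLE_YAST = """\
# /etc/nsswitch.conf (constructed sample)
passwd: compat
group:  compat
passwd_compat: ldap
group_compat:  ldap
hosts:  files dns
"""

# Constructed sample: the layout the report recommends.
SAMPLE_RECOMMENDED = """\
passwd: files ldap
group:  files ldap
"""

def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [STATUS=action] items."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        conf[db.strip().lower()] = rest.split()
    return conf

def find_compat_ldap(text):
    """List the databases (passwd, group) that use compat mode backed by ldap."""
    conf = parse_nsswitch(text)
    return [db for db in ("passwd", "group")
            if "compat" in conf.get(db, [])
            and "ldap" in conf.get(db + "_compat", [])]

def report(text):
    """One human-readable finding per affected database."""
    return ["%s: compat with %s_compat: ldap; the report recommends '%s: files ldap'"
            % (db, db, db) for db in find_compat_ldap(text)]

if __name__ == "__main__":
    for finding in report(SAMPLE_YAST):
        print(finding)
```

To check a real host, pass the contents of /etc/nsswitch.conf to `report()` instead of the sample string.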