On Sun, May 13, 2007 at 04:11:31PM -0400, James Craig wrote:

[...]

> In any case, what I have discovered is that if I have netgroups
> used in the passwd file:
>
> [..]
> [EMAIL PROTECTED]:x:::::
> [EMAIL PROTECTED]:x:::::
> [EMAIL PROTECTED]:x:::::
> [EMAIL PROTECTED]:x:::::
> [EMAIL PROTECTED]:x:::::
> [..]
>
> logging in via ssh takes a LONG time. I see the openldap server
> is spinning through what looks like ALL of my netgroups a few times,
> and then I finally get a password prompt. I then type in the
> password and wait a while longer (the ldap server does the same thing) and
> then I get in. When I removed the netgroups from the password table
> the login process speeds up significantly.
>
> Has anyone else experienced this?
Not as such, because we have dropped the "compat" style passwd entries before. What you describe is to be expected, though, when you replace NIS netgroups by LDAP netgroups 1:1.

Basically, netgroup support via LDAP is very inefficient. Unless my memory fails me, NIS has a) a netgroup-matching operation (i.e. the match is done server-side) and b) a "reversed" netgroup representation that is keyed to usernames. So a test whether "someuser" is a member of any of the netgroups listed in your passwd translates into a "tell me someuser's netgroups" NIS call, a fast search operation in the NIS server, and a client-side comparison of the result to the netgroup list.

Netgroup via LDAP has neither advantage, so the same test translates into reading all netgroup data from the server, scanning netgroup member entries for any appearance of "someuser" and comparing the matches. This has to be done client-side because the LDAP server does not know the matching rules for a (user,host,domain) netgroup triple (which is stored in this textual form, instead of being split into three attributes!). This bites you twice because nss_ldap is invoked for each of the authentication and authorization steps of the PAM login.

So you may be able to tune your LDAP server somewhat, and nscd may help you avoid the second lookup, but whatever you do, your login will be a much more expensive operation than the NIS based one.

My suggestion is: avoid the netgroup references in your passwd entirely. Just allow NSS to list all your LDAP users but disallow access to userPassword fields. Make up an LDAP group that contains all LDAP users that should be able to log into the host (the union of the netgroups from your passwd file) and use pam_ldap to allow access to this group of users. Stack it with pam_unix, which does the same for local users (but not for LDAP users, because you have hidden the password hashes).
The result should be a great speed-up for the login procedure because of very selective LDAP searches. The downside is that all LDAP users are visible on every machine (which may or may not trouble you) and that you have to maintain extra groups to implement the login restrictions (but you may be able to drop some of your netgroups, depending on where else you use them).

Regards,
Ralph Rößner
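To make the cost difference in the reply concrete, here is an added illustration (not code from the thread, nor from nss_ldap or pam_ldap). It models the client-side walk an NSS client has to do when the directory only stores RFC 2307 nisNetgroupTriple strings as "(host,user,domain)" text and cannot match them server-side, next to the single selective search that a group-based pam_ldap check amounts to. All netgroup names, hosts, users and the "login-hosta" group are constructed for the example; the "+@name" compat passwd syntax is the standard one, but the lines themselves are made up.

```python
"""Client-side netgroup walk vs. selective group lookup (constructed data)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical netgroup objects keyed by cn.  "triples" holds the raw
# nisNetgroupTriple values "(host,user,domain)"; "members" holds
# memberNisNetgroup references to other netgroups.
NETGROUPS: Dict[str, Dict[str, List[str]]] = {
    "admins":  {"triples": ["(,alice,)", "(,bob,)"], "members": []},
    "webteam": {"triples": ["(web1,carol,)", "(web2,dave,)"], "members": []},
    "dbteam":  {"triples": ["(db1,erin,)"], "members": ["admins"]},
}

# Hypothetical posixGroup replacing the netgroups: the union of users that
# may log in to this host, checked with one search on memberUid.
LOGIN_GROUPS: Dict[str, Set[str]] = {
    "login-hosta": {"alice", "bob", "carol", "erin"},
}

# Constructed compat-mode passwd lines referencing netgroups.
PASSWD_COMPAT = ["+@webteam:x:::::", "+@dbteam:x:::::"]

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")


def parse_triple(raw: str) -> Tuple[Optional[str], ...]:
    """Split a textual triple into (host, user, domain); an empty field is a wildcard."""
    m = TRIPLE_RE.match(raw.strip())
    if m is None:
        raise ValueError(f"malformed netgroup triple: {raw!r}")
    return tuple(field.strip() or None for field in m.groups())


def triple_matches(raw: str, host: Optional[str], user: Optional[str],
                   domain: Optional[str]) -> bool:
    """innetgr-style match: an empty triple field or a None query field matches anything."""
    want = (host, user, domain)
    return all(t is None or q is None or t == q
               for t, q in zip(parse_triple(raw), want))


def innetgr(netgroup: str, host: Optional[str], user: Optional[str],
            domain: Optional[str], reads: List[str],
            seen: Optional[Set[str]] = None) -> bool:
    """Client-side membership test; every netgroup entry fetched is appended to `reads`."""
    seen = set() if seen is None else seen
    if netgroup in seen:
        return False            # guard against membership cycles
    seen.add(netgroup)
    reads.append(netgroup)      # one directory read per netgroup visited
    entry = NETGROUPS.get(netgroup)
    if entry is None:
        return False
    if any(triple_matches(t, host, user, domain) for t in entry["triples"]):
        return True
    # No direct triple matched: descend into nested netgroups.
    return any(innetgr(m, host, user, domain, reads, seen) for m in entry["members"])


def passwd_netgroup_refs(lines: List[str]) -> List[str]:
    """Extract netgroup names from '+@name:...' compat passwd lines."""
    return [line.split(":", 1)[0][2:] for line in lines if line.startswith("+@")]


def login_allowed_via_netgroups(user: str, host: str) -> Tuple[bool, int]:
    """Compat-passwd behaviour: walk every referenced netgroup until one matches.

    Returns (allowed, number of netgroup entries the client had to read).
    """
    reads: List[str] = []
    seen: Set[str] = set()
    for ng in passwd_netgroup_refs(PASSWD_COMPAT):
        if innetgr(ng, host, user, None, reads, seen):
            return True, len(reads)
    return False, len(reads)


def login_allowed_via_group(user: str, group: str) -> Tuple[bool, int]:
    """Group-based check: a single search filtered on the group cn and memberUid."""
    return user in LOGIN_GROUPS.get(group, set()), 1


if __name__ == "__main__":
    for u in ("erin", "alice", "carol", "zed"):
        print(u, "netgroups:", login_allowed_via_netgroups(u, "db1"),
              "group:", login_allowed_via_group(u, "login-hosta"))
```

The read counter is the point: a user listed only in a nested netgroup (alice via admins) or a user that is not listed at all costs the client every referenced netgroup and everything nested under them, and PAM repeats that walk for the authentication and the account step. The group variant costs one filtered search regardless of the answer, which is why the reply recommends it. The host field matters too: carol is permitted on web1 but refused on db1 by the same triple, a restriction that has to be re-expressed some other way (per-host groups, for instance) once the netgroups are dropped.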
