On Wed, 16 May 2007, Ralph R???~_ner wrote:

On Sun, May 13, 2007 at 04:11:31PM -0400, James Craig wrote:
[...]
        In any case,  what I have discovered is that if I have netgroups
        used in the passwd file:

[..]
[EMAIL PROTECTED]:x:::::
[EMAIL PROTECTED]:x:::::
[EMAIL PROTECTED]:x:::::
[EMAIL PROTECTED]:x:::::
[EMAIL PROTECTED]:x:::::
[..]

        logging in via ssh takes a LONG time.  I see the openldap server
        is spinning through what looks like ALL of my netgroups a few times,
        and then I finally get a password prompt.  I then type in the
        password and wait a while longer (the ldap server does the same thing)
        and then I get in. When I removed the netgroups from the password table
        the login process speeds up significantly.

        Has anyone else experienced this?

Not as such because we have dropped the "compat" style passwd entries
before. What you describe is to be expected though, when you replace NIS
netgroups by LDAP netgroups 1:1.

Basically, netgroup support via LDAP is very inefficient. Unless my
memory fails me, NIS has a) a netgroup-matching operation (i.e. the
match is done server-side) and b) a "reversed" netgroup representation
that is keyed to usernames. So a test if "someuser" is a member of any
of the netgroups listed in your passwd translates into a "tell me
someuser's netgroups" NIS call, a fast search operation in the NIS
server, and a client-side comparison of the result to the netgroup list.

Netgroup via LDAP has neither advantage, so the same test translates
into reading all netgroup data from the server and scanning netgroup
member entries for any appearance of "someuser" and comparing the
matches. This has to be done client-side because the LDAP server does
not know the matching rules for a (user,host,domain) netgroup triple
(which is stored in this textual form, instead of splitting into three
attributes!).

This bites you twice because the nss_ldap is invoked for each of the
authentication and authorization steps of the PAM login.

So you may be able to tune your LDAP server somewhat, and nscd may help
you avoid the second lookup but whatever you do, your login will be
a much more expensive operation than the NIS based one.

My suggestion is, avoid the netgroup references in your passwd entirely.
Just allow NSS to list all your LDAP users but disallow access to
userPassword fields. Make up an LDAP group that contains all LDAP users that
should be able to log into the host (the union of the netgroups from
your passwd file) and use pam_ldap to allow access to this group of
users. Stack it with pam_unix, which does the same for local users (but
not for LDAP users because you have hidden the password hashes). The
result should be a great speed up for the login procedure because of
very selective LDAP searches. The downside is that all LDAP users are
visible on every machine (which may or may not trouble you) and that you
have to maintain extra groups to implement the login restrictions (but
you may be able to drop some of your netgroups, depending on where else
you use them).


        Thank you for your input.  This makes a lot of sense given what I have
        seen.  The test setup only had 2 netgroups. I have converted my entire
        NIS environment to ldap and imported it to test on my machines, and
        that was when the slowdown started.  Over the years a LOT of netgroups
        have been made!

        I do not mind doing away with netgroups and replacing them with something
        else. At the moment, I am only using netgroups for two things: groups
        of users for access to a machine via password and groups of machines for
        nfs mounting in dfstab for the Solaris machines.  I do not believe
        making this change will be bad.  We do not mind that all users are
        visible on each machine whether they can log in or not.  For the most
        part we have 3 groups of machines: one group only allows systems people
        to log on them,  one allows systems and faculty, the rest of the
        machines allow everyone. There are a few exceptions, but this will
        not be a problem as I see it.

        Do you know (or anyone, off hand) if keeping netgroups for machines
        in the dfstab will have the same impact?  Are the netgroups checked
        regularly, or only at mount time? Should I look for other
        options when it comes to allowing NFS access to a set of machines?


        And one favor --  I am coming from an NIS background, so I am not
        100% certain what you mean by an "LDAP group" - is there a place
        you can point me for setting that up?


thanks for your response!

jim craig
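The mechanism Ralph describes above (the client fetching netgroup entries and comparing every textual triple itself, once per "+@netgroup" passwd line, because the directory cannot evaluate the triple server-side) and the alternative he suggests (one selective search against a group that lists the permitted users) can both be made concrete. The following is an added example, not code from the thread or from nss_ldap/pam_ldap. The directory contents, netgroup names and passwd lines are constructed; the data layout follows the RFC 2307 nisNetgroup schema, where each member is one nisNetgroupTriple value written as the text "(host,user,domain)" and nested netgroups are listed in memberNisNetgroup. The counters show how much work the client does per login check, which is what grows with the number of netgroups.

```python
"""Client-side netgroup matching as an LDAP-backed NSS client must do it,
beside the single server-side group search that replaces it.
Added example with constructed sample data; names are made up."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Textual "(host,user,domain)" form of the RFC 2307 nisNetgroupTriple attribute.
TRIPLE_RE = re.compile(r"^\(\s*([^,()]*)\s*,\s*([^,()]*)\s*,\s*([^,()]*)\s*\)$")

# Constructed directory contents: cn of each nisNetgroup entry -> attributes.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "sysadmins":  {"nisNetgroupTriple": ["(,alice,)", "(,bob,)"], "memberNisNetgroup": []},
    "faculty":    {"nisNetgroupTriple": ["(,carol,)", "(,dave,)"], "memberNisNetgroup": []},
    "staff":      {"nisNetgroupTriple": [], "memberNisNetgroup": ["sysadmins", "faculty"]},
    "students":   {"nisNetgroupTriple": ["(,erin,)", "(,frank,)"], "memberNisNetgroup": []},
    "nfsclients": {"nisNetgroupTriple": ["(ws01,,)", "(ws02,,)"], "memberNisNetgroup": []},
}

# Constructed compat-mode passwd lines of the kind shown in the thread.
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/sh", "+@staff:x:::::", "+@students:x:::::"]


def parse_triple(value: str) -> Tuple[str, str, str]:
    """Split the textual '(host,user,domain)' value into its three fields."""
    m = TRIPLE_RE.match(value)
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
    return m.group(1).strip(), m.group(2).strip(), m.group(3).strip()


def field_matches(pattern: str, actual: str) -> bool:
    """Netgroup field semantics: an empty field is a wildcard, '-' matches nothing."""
    if pattern == "-":
        return False
    return pattern == "" or pattern == actual


class LookupStats:
    """Counts the work the client had to do for one membership check."""
    def __init__(self) -> None:
        self.entries_read = 0      # netgroup entries fetched from the server
        self.triples_compared = 0  # triples parsed and compared on the client


def innetgr(directory: Dict[str, Dict[str, List[str]]], netgroup: str, user: str,
            host: str = "", domain: str = "", stats: Optional[LookupStats] = None,
            _seen: Optional[Set[str]] = None) -> bool:
    """Client-side membership test: fetch the netgroup entry, parse and compare
    every triple, then recurse into nested netgroups.  The server cannot
    evaluate a triple, so none of this work can be pushed to it."""
    stats = stats if stats is not None else LookupStats()
    seen = _seen if _seen is not None else set()
    if netgroup in seen:           # guard against netgroup cycles
        return False
    seen.add(netgroup)
    entry = directory.get(netgroup)
    if entry is None:
        return False
    stats.entries_read += 1
    for triple in entry.get("nisNetgroupTriple", []):
        stats.triples_compared += 1
        h, u, d = parse_triple(triple)
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(innetgr(directory, nested, user, host, domain, stats, seen)
               for nested in entry.get("memberNisNetgroup", []))


def compat_login_check(passwd_lines: List[str], directory: Dict[str, Dict[str, List[str]]],
                       user: str, host: str = "", domain: str = "") -> Tuple[bool, LookupStats]:
    """Walk a compat passwd file top to bottom: '+@ng' admits members of ng,
    '-@ng' rejects them, a plain entry is a local account.  Returns the
    decision together with the client-side work it cost."""
    stats = LookupStats()
    for line in passwd_lines:
        name = line.split(":", 1)[0]
        if name.startswith("+@") or name.startswith("-@"):
            if innetgr(directory, name[2:], user, host, domain, stats):
                return name.startswith("+@"), stats
        elif name == user:
            return True, stats
    return False, stats


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a
    username cannot change the structure of the filter it is embedded in."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_login_filter(group_cn: str, user: str) -> str:
    """The single server-side search that replaces the netgroup scan: the
    directory answers with one entry or none, and the client compares nothing.
    The group name 'loginusers' used by callers is an assumed example name."""
    return ("(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))"
            % (ldap_filter_escape(group_cn), ldap_filter_escape(user)))
```

Running `compat_login_check(SAMPLE_PASSWD, SAMPLE_DIRECTORY, "mallory")` walks every netgroup reachable from the passwd file before it can say no, and a real login does that at least twice (authentication and account stages of PAM), which is the cost the thread is about. `group_login_filter("loginusers", "jim")` is the whole client-side work of the group-based approach; the escaping matters because the username arrives from the login prompt.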
