On Fri, 2 Dec 2011, Stephen Gallagher wrote:

> This may result in a change in our strategy going forward. I'm looking
> for users to describe to us the reasons why they're choosing SSSD (in
> its current incarnation) over winbind. What I'm trying to sort out is
> whether there are specific *issues* with winbind that SSSD is solving
> for users. In other words, I'm trying to determine whether our decision
> to write and support a winbind provider backend is misplaced.

Stability and performance. We'd tried winbind as a solution but ended up having to babysit it far too much for it to be a great solution. It could crash in a few different ways and didn't recover. So we ended up with a second process that watched it and tried to restart it, clearing the caches and reseeding the cache when it happened.

Performance was never as good or as reliable as an internally tweaked nss_ldap setup with nscd. nss_ldap however can't cope with large nested groups in an efficient way, and nscd isn't the most loved daemon in these parts (although it's much better than it used to be).

SSSD with the LDAP backend has been more stable than winbind, generally faster than winbind, and is currently working with our AD with no additional patches. It's also nice to have the option of running without joining the domain, and both nss_ldap and SSSD offer that as an option.

> It may be that if SSSD's LDAP provider is offering a significant
> advantage over winbind, we will consider dropping (or deferring) our
> efforts to integrate winbind and instead put that effort into adding
> Active Directory-specific features into the LDAP provider. For example,
> we might reprioritize bugs https://fedorahosted.org/sssd/ticket/995 and
> https://fedorahosted.org/sssd/ticket/996
>
> So please, share with us your stories for why you prefer SSSD over
> winbind and help us choose our direction for SSSD's future.

I looked at switching to SSSD as I wanted to get away from custom site-specific performance hacks for nss_ldap, and wanted a proper LDAP-aware caching setup.

SSSD isn't perfect performance-wise, but it's moving in the right direction, we've had fewer stability problems than with winbind even though it's relatively immature, and the developers have been highly responsive to bug reports.

I'm not clear how having a winbind back end is going to improve what I've got now with the LDAP backend.
If the last patch gets rid of my remaining SEGV with sssd_be, pretty much the *only* thing on my list is performance improvements.

jh

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel