On Wed, 13 Oct 2004 23:23, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> > > This is not the case for Debian; and yes, we already do have local fast
> > > DB caches (using libnss-db).
> >
> > That's an entirely different issue.
>
> No, it's not, not in this case anyway.
>
> > libnss-db is just for faster access to /etc/passwd.
>
> You are mistaken. In the FreeBSD implementation, it is; however, the
> Linux implementation allows other things to be done with it.
>
> For instance, my /etc/default/libnss-db contains the following lines:
>
> ETC = /root/stage
> DBS = passwd group shadow

shadow is part of the passwd setup. group does no good on most systems (on
my system /etc/group is only 70 lines and the database gives no benefit).

> I also have a script which creates (incomplete (as in, without system
> users)) files /root/stage/{passwd,shadow,group} containing just the user
> and group records that are in LDAP. Next, /etc/nsswitch.conf contains
> the following:
>
> passwd: db compat
> group: db compat
> shadow: db compat

So what's the point of having LDAP if you are going to manually copy flat
files around?

> > The implementation in Linux is fairly poor however, it doesn't even
> > stat /etc/passwd to see if it's newer than the db.
>
> That's a feature, not a bug. Unless you want it to check 'the passwd
> file' as it is defined in /etc/default/libnss-db (or another
> configuration file), in which case it would indeed be a good idea.

If you want the database to be in sync with the flat file and be usable
without gross hacks as it is in AIX then it's a serious bug.

> > The performance gain isn't as good as you would expect either.
> >
> > Been there, done that.
>
> IME, doing this kind of thing is *way* faster than using libnss-ldap.

Way faster than a non-local LDAP. But not significantly faster than flat
files unless you have >10,000 users (which isn't the case for Debian).

> An added bonus is that the libnss-db Makefile will not update the .db
> files if the original ones are empty; so if the LDAP daemon dies or is
> unavailable for some reason, my users can still login, even after the
> next time the cronjob runs. This is not the case with libnss-ldap, AIUI.

True.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
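Two failure modes come up in the exchange above: the Linux libnss-db lookup does not check whether the source file is newer than the .db (so a changed account can keep resolving from a stale database), and the Makefile refuses to regenerate from an empty source (so a dead LDAP export cannot wipe out logins). The script below is an added example, not code from the thread, Debian or libnss-db; it implements both checks as a pre-flight for a cron job that rebuilds the databases. The source/db paths passed in are the caller's choice (the `/var/lib/misc` location in the comment is an assumption, not something the thread states), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: staleness and empty-source checks for an NSS db rebuild job.
# nss_db_check SRC DB prints one word and returns a status:
#   rebuild      (0)  DB is missing or older than SRC, regenerate it
#   current      (1)  DB is at least as new as SRC, nothing to do
#   refuse-empty (2)  SRC is empty/missing; never overwrite a working DB from it
# Typical call (paths are an assumption, adjust to the local layout):
#   nss_db_check /root/stage/passwd /var/lib/misc/passwd.db

# True when DB does not exist or SRC has a newer mtime than DB.
# This is the stat() comparison the thread says libnss-db itself skips.
nss_db_stale() {
    src="$1"
    db="$2"
    [ -f "$db" ] || return 0
    [ "$src" -nt "$db" ]
}

# True when SRC exists and is non-empty. Mirrors the Makefile behaviour
# described in the thread: an empty export must not replace a good DB.
nss_db_source_ok() {
    [ -s "$1" ]
}

nss_db_check() {
    src="$1"
    db="$2"
    if ! nss_db_source_ok "$src"; then
        echo refuse-empty
        return 2
    fi
    if nss_db_stale "$src" "$db"; then
        echo rebuild
        return 0
    fi
    echo current
    return 1
}
```

Wired into the cron job as `nss_db_check "$ETC/passwd" "$DBDIR/passwd.db" && make -C /var/lib/misc`, the rebuild runs only when the source actually changed and is non-empty; the `refuse-empty` branch is the case to alert on, since it means the LDAP export produced nothing.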