On Nov 10, 2010, at 8:41 AM, Atom Powers wrote:

> Are you using nss_ldap? Unless they have changed it recently, nss_ldap
> does group lookups very inefficiently. (Instead of searching for
> groups the user is a member of it searches for all groups and then
> looks for the member ID.) If you can, you may want to disable ldap
> lookups for group membership and/or use nscd.

The last time I rolled an OpenLDAP implementation, we ran into a lot of behavioral problems on the Linux clients using nss_ldap that were smoothed over by using nscd with reasonable cache timeouts (I think 5 minute cache expiry, with 1 minute for negative results.) I strongly recommend using nscd if using pam_ldap/nss_ldap.

Gregory

--
Gregory K. Ruiz-Ade <[email protected]>
OpenPGP Key ID: EAF4844B
keyserver: pgpkeys.mit.edu
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
