On Thu, 6 Oct 2011, Stephen Harris wrote:
On Thu, Oct 06, 2011 at 09:14:35PM +0100, John Hodrien wrote:
place, I think it's hard to list *any* honest advantages over LDAP. Sorry, I don't consider performance to be a credible advantage, especially after nscd/sssd have had their way with caching results.
Then you've never seen Veritas Cluster Services fall over 'cos of the amount of time it takes to do initgroup() stuff (VCS loves to su to oracle to verify the DB is up; the su takes too long 'cos this is a complete scan of the group map and nscd don't help, here; DB failover occurs).
As I said with my nscd/sssd comment, you need a client that's not total crap. nss_ldap isn't up to dealing with large ldap setup, especially with nested groups. sssd 1.6.1, suitably configured *is* up to it. I've tested it with give or take 100k users and 100k groups. nscd with nss_ldap isn't up to it, as the caching is done at the wrong time, and it doesn't understand anything about LDAP. I've seen ssh time out with a nss_ldap setup due to a slow initgroups. Your only option there is:
nss_getgrent_skipmembers true
That gets your performance up to a pretty tasty level, but it *will* break some things.
sssd correctly configured gets you to only a small distance behind that setup, but without the breakage, and it handles failures of LDAP servers *much* better.
You've never seen unexpected DoS attacks 'cos of "netstat -a" 'cos of all the temporary ports 'cos nscd doesn't cache serv-by-port values when each request is a new port number.
nscd is a pile of pants, I fully accept.
You've never seen...
Oh, never mind.
LDAP (being TCP connection oriented) is a world of hurt when it comes to stability and performance in any large environment. NIS, being UDP, allows you to just "run". (By large, I'm talking 30,000 client machines on 5 continents).
So with sssd you're looking at persistent connections, sensible failover between servers, and caching that understands the reality of ldap, not just the NSS level. It really is a different world to be playing in. I'd been longing for a better solution, but wasn't totally sold on the nss_ldapd stuff that was lurking. sssd, and the winning attitude of the developers to addressing problems has been a revolution to me. Caching that happens *before* your cache expires... Seriously, sssd ticks so many boxes. If you've not had a look at sssd, *do*, and by all means drop me a line or on the sssd mailing list if you have problems. It's *not* perfect, but from my perspective it's so far towards right I can forgive all the problems.
This is true. NIS security is awful. Which is why we use LDAP :-)
;)
jh
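A configuration sketch, added here as an illustration and not taken from either poster's setup, placing the nss_ldap workaround John mentions beside an sssd domain that gives the persistent connections, server failover and pre-expiry cache refresh the thread credits it with. Host names, the search base, TLS paths and timeout values are all assumed; the two files are shown together only for comparison and would never both be active on one host.

```ini
# --- /etc/ldap.conf (nss_ldap): the workaround named in the thread ---
# Skips populating group member lists, which is what makes the group
# scan cheap; anything that reads memberships out of a group entry
# instead sees empty groups, hence "it *will* break some things".
nss_getgrent_skipmembers true

# --- /etc/sssd/sssd.conf: the same speed-up without the breakage ---
# Every host name, base DN, path and number below is an assumed value.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]
# A lookup for an entry that is past 50% of its lifetime is answered
# from cache immediately while sssd refreshes it in the background,
# i.e. caching that happens *before* the cache expires.
entry_cache_nowait_percentage = 50

[domain/example]
id_provider = ldap
auth_provider = ldap
# Ordered list: sssd holds a persistent connection to the first server
# that answers and fails over to the next when it stops responding.
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# Nested groups are resolved by the provider rather than by a client-side
# walk of the whole group map; bound the depth so a deep hierarchy cannot
# turn every initgroups() into a full scan.
ldap_schema = rfc2307bis
ldap_group_nesting_level = 2
# No directory-wide enumeration: with ~100k users and groups, entries are
# fetched on demand and kept for entry_cache_timeout seconds.
enumerate = False
entry_cache_timeout = 5400
# Cached credentials keep logins working while every LDAP server is down.
cache_credentials = True
```

The point of the comparison is where the work moves: nss_ldap can only make the group scan cheaper by returning less data, whereas sssd keeps the data and changes when and over which connection it is fetched.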