On Tue, 3 May 2011, Mattias Geniar wrote:

> Understandable, but since a lot of people are still going to stick with
> CentOS 4/5 for legacy reasons, I would argue that nss_ldap is still
> worth "fixing".

I'm not saying it's not worth fixing; I suspect it's fundamentally unfixable without a complete redesign.

> It's not as fancy as sssd of course, but it's what people are using
> right now. :-)

Too much assumes that NSS information is quick and reliable. Lots of it seems to be designed around the assumption that random queries are expensive, and reading through the whole password file is cheap. nscd then perches on top of this and tries to paper over the fact this is all untrue.

Throw nss_ldap at a big tree (~85k users, and an equally large number of groups) and watch it suffer horribly. Watch it take minutes to decide whether or not I should be allowed to log in (even where that access control list is a local group).

Throw nscd into the mix. Watch it do one query through nscd, but then time out as it assumes nscd is broken, so does the whole query again missing out nscd. Wait until nscd eventually crashes under the strain...

sssd answers a lot of these questions. It's definitely not a perfect replacement yet, but it's going in the right direction if you ask me.

jh