On Tue, 3 May 2011, aurfalien at gmail.com wrote:

> So what's the answer today for ~10K users?
>
> The bug fixes suggested here work around the problems I have been
> encountering.

Well that's good then.

> Can anyone comment on what ppl are using for larger deployments? I
> hope it's not a resounding M$ AD?!

I use a lightly patched nss_ldap and it's far from terrible. I'm forced to either use nss_getgrent_skipmembers or limit the number of groups it can see by localising it to a specific OU, as the performance becomes unworkable otherwise. I've additionally patched it to improve performance against our tree by optimising some of the queries using site-specific details.

nss_getgrent_skipmembers is not without downsides, but if it's tolerable in your situation it'll get you the best performance.

In my case, the server end is indeed AD. It's been considerably faster and more stable than using winbind.

jh