[CentOS] Odd issue with C6 and NIS

Thu Oct 6 21:28:58 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Thu, 6 Oct 2011, Stephen Harris wrote:

> On Thu, Oct 06, 2011 at 09:14:35PM +0100, John Hodrien wrote:
>> place, I think it's hard to list *any* honest advantages over LDAP.  Sorry, I
>> don't consider performance to be a credible advantage, especially after
>> nscd/sssd have had their way with caching results.
>
> Then you've never seen Veritas Cluster Services fall over 'cos of the amount
> of time it takes to do initgroup() stuff (VCS loves to su to oracle to
> verify the DB is up; the su takes too long 'cos this is a complete scan of
> the group map and nscd don't help, here; DB failover occurs).

As I said with my nscd/sssd comment, you need a client that's not total crap.
nss_ldap isn't up to dealing with a large ldap setup, especially with nested
groups.  sssd 1.6.1, suitably configured *is* up to it.  I've tested it with
give or take 100k users and 100k groups.  nscd with nss_ldap isn't up to it,
as the caching is done at the wrong time, and it doesn't understand anything
about LDAP.  I've seen ssh time out with a nss_ldap setup due to a slow
initgroups.  Your only option there is:

nss_getgrent_skipmembers true

That gets your performance up to a pretty tasty level, but it *will* break
some things.

sssd correctly configured gets you to only a small distance behind that setup,
but without the breakage, and it handles failures of LDAP servers *much*
better.

> You've never seen unexpected DoS attacks 'cos of "netstat -a" 'cos of all
> the temporary ports 'cos nscd doesn't cache serv-by-port values when each
> request is a new port number.

nscd is a pile of pants, I fully accept.

> You've never seen...
>
> Oh, never mind.
>
> LDAP (being TCP connection oriented) is a world of hurt when it comes
> to stability and performance in any large environment.  NIS, being UDP,
> allows you to just "run".  (By large, I'm talking 30,000 client machines
> on 5 continents).

So with sssd you're looking at persistent connections, sensible failover
between servers, and caching that understands the reality of ldap, not just
the NSS level.  It really is a different world to be playing in.  I'd been
longing for a better solution, but wasn't totally sold on the nss_ldapd stuff
that was lurking.  sssd, and the winning attitude of the developers to
addressing problems has been a revolution to me.  Caching that happens
*before* your cache expires...  Seriously, sssd ticks so many boxes.  If
you've not had a look at sssd, *do*, and by all means drop me a line or on the
sssd mailing list if you have problems.  It's *not* perfect, but from my
perspective it's so far towards right I can forgive all the problems.

> This is true.  NIS security is awful.  Which is why we use LDAP :-)

;)

jh
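
An added example, not part of the original message: one way to check whether group resolution on a host is slow enough to cause the su and ssh timeouts described in this thread. It times getgrouplist(3), which goes through the same NSS group lookup as initgroups, and compares the first call with the repeats to show whether caching is helping. The 500 ms budget and the function names are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Time initgroups-style lookups through NSS (added example, not from the thread)."""
import os
import pwd
import statistics
import sys
import time


def time_group_lookup(user, runs=5):
    """Resolve a user's full group list several times via getgrouplist(3).

    Returns None for an unknown user, else a dict with the group count,
    the first (likely uncached) latency and the median of the repeats, in ms.
    """
    try:
        entry = pwd.getpwnam(user)
    except KeyError:
        return None
    samples = []
    for _ in range(max(runs, 2)):  # at least one first call and one repeat
        start = time.perf_counter()
        groups = os.getgrouplist(user, entry.pw_gid)
        samples.append((time.perf_counter() - start) * 1000.0)
    return {"user": user, "groups": len(groups),
            "first_ms": samples[0], "repeat_ms": statistics.median(samples[1:])}


def verdict(result, budget_ms):
    """Classify a measurement against a latency budget chosen by the operator."""
    if result is None:
        return "unknown-user"
    if result["first_ms"] > budget_ms and result["repeat_ms"] > budget_ms:
        return "slow"           # repeats are no faster: caching is not helping
    if result["first_ms"] > budget_ms:
        return "slow-uncached"  # only the first lookup misses the budget
    return "ok"


if __name__ == "__main__":
    budget = 500.0  # assumed budget in ms; derive it from your own su/ssh timeouts
    for name in sys.argv[1:] or ["root"]:
        measurement = time_group_lookup(name)
        print(name, verdict(measurement, budget), measurement)
```

Run it with the service accounts that monitoring or cluster software switches to, once right after restarting the caching daemon and once later, to see both the uncached and the cached cost.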