[CentOS] Odd issue with C6 and NIS

Thu Oct 6 22:06:03 UTC 2011
Stephen Harris <lists at spuddy.org>

On Thu, Oct 06, 2011 at 10:28:58PM +0100, John Hodrien wrote:
> On Thu, 6 Oct 2011, Stephen Harris wrote:
> > Then you've never seen Veritas Cluster Services fall over 'cos of the amount
> > of time it takes to do initgroup() stuff (VCS loves to su to oracle to
> > verify the DB is up; the su takes too long 'cos this is a complete scan of
> > the group map and nscd don't help, here; DB failover occurs).
> 
> As I said with my nscd/sssd comment, you need a client that's not total crap.

Which, up until a few months ago, was "no client".  Solaris is crap (they
recently rewrote their caching infrastructure to make it better); AIX
is crap (with its own unique solution and persistent connections).
HPUX is crap....

Oh wait... what this really means is that _LDAP_ is crap at performance and
each and every client needs to have massive kludges and work-arounds
(that aren't necessary with NIS) in order to resume some semblance of
usability.

And once you move out of normal naming services and into custom maps then
your LDAP world of pain gets even worse; I'll always be able to do a
"ypmatch" quicker than an ldapsearch.

> about LDAP.  I've seen ssh time out with a nss_ldap setup due to a slow
> initgroups.  Your only option there is:
> 
> nss_getgrent_skipmembers true

You might as well not use secondary groups at all, then!

Dammit; why didn't UDP based LDAP ever take off?  That would have helped,
a lot!

-- 

rgds
Stephen