[CentOS] Odd issue with C6 and NIS

Thu Oct 6 21:28:58 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Thu, 6 Oct 2011, Stephen Harris wrote:

> On Thu, Oct 06, 2011 at 09:14:35PM +0100, John Hodrien wrote:
>> place, I think it's hard to list *any* honest advantages over LDAP.  Sorry, I
>> don't consider performance to be a credible advantage, especially after
>> nscd/sssd have had their way with caching results.
> Then you've never seen Veritas Cluster Services fall over 'cos of the amount
> of time it takes to do initgroup() stuff (VCS loves to su to oracle to
> verify the DB is up; the su takes too long 'cos this is a complete scan of
> the group map and nscd don't help, here; DB failover occurs).

As I said with my nscd/sssd comment, you need a client that's not total crap.
nss_ldap isn't up to dealing with large ldap setup, especially with nested
groups.  sssd 1.6.1, suitably configured *is* up to it.  I've tested it with
give or take 100k users and 100k groups.  nscd with nss_ldap isn't up to it,
as the caching is done at the wrong time, and it doesn't understand anything
about LDAP.  I've seen ssh time out with a nss_ldap setup due to a slow
initgroups.  Your only option there is:

nss_getgrent_skipmembers true

That gets your performance up to a pretty tasty level, but it *will* break
some things.

sssd correctly configured gets you to only a small distance behind that setup,
but without the breakage, and it handles failures of LDAP servers *much*

> You've never seen unexpected DoS attacks 'cos of "netstat -a" 'cos of all
> the temporary ports 'cos nscd doesn't cache serv-by-port values when each
> request is a new port number.

nscd is a pile of pants, I fully accept.

> You've never seen...
> Oh, never mind.
> LDAP (being TCP connection oriented) is a world of hurt when it comes
> to stability and performance in any large environment.  NIS, being UDP,
> allows you to just "run".  (By large, I'm talking 30,000 client machines
> on 5 continents).

So with sssd you're looking at persistent connections, sensible failover
between servers, and caching that understands the reality of ldap, not just
the NSS level.  It really is a different world to be playing in.  I'd been
longing for a better solution, but wasn't totally sold on the nss_ldapd stuff
that was lurking.  sssd, and the winning attitude of the developers to
addressing problems has been a revolution to me.  Caching that happens
*before* your cache expires...  Seriously, sssd ticks so many boxes.  If
you've not had a look at sssd, *do*, and by all means drop me a line or on the
sssd mailing list if you have problems.  It's *not* perfect, but from my
perspective it's so far towards right I can forgive all the problems.

> This is true.  NIS security is awful.  Which is why we use LDAP :-)