[CentOS] Odd issue with C6 and NIS

Thu Oct 6 22:33:45 UTC 2011
Stephen Harris <lists at spuddy.org>

On Thu, Oct 06, 2011 at 11:17:42PM +0100, John Hodrien wrote:
> On Thu, 6 Oct 2011, Stephen Harris wrote:
> > And once you move out of normal naming services and into custom maps then
> > your LDAP world of pain gets even worse; I'll always be able to do a
> > "ypmatch" quicker than an ldapsearch.
> Why?  GSSAPI means I don't have to provide any authentication information, and
> ldapsearch isn't that annoying.  ypmatch is far cruder than ldapsearch, so

ldapsearch requires a new TCP connection; slow.

> while a simple search with ypmatch might be quicker, compound queries end up
> being much easier with ldapsearch.  List me all of the users who work in a

Compound queries belong in a database.

> given department who have access to a given resource and tell me their display
> name and phone number.  ldapsearch makes that simple.  If you want to go a

I wouldn't do that in NIS.  Why would my OS care about it?.  But I would
do "tell me the path to the latest version of application X" 100s of times
per minute.  ldapsearch adds massive overhead (2 orders of magnitude)
to the return.  The right tools for the job; fast lightweight efficient
protocols for the OS where we get millions of calls; slower heavier weight
calls for applications that make calls once a minute or slower.

> I *did* say that nss_ldap is broken!  I was actually quietly surprised at how
> few things look to see who is a member of a group rather than query which
> groups a user is a member of.  Even with this set, 95% of things works

getgrnam("foo") to see who is in a group is nice and efficient for
a connection that's already open.  initgroups (which _has_ to do
a while(getrgrent()) loop) is slow.  Logins and su and similar do

> > Dammit; why didn't UDP based LDAP ever take off?  That would have helped,
> > a lot!
> Is the connection side that big a deal when you've got a daemon managing
> persistent connections to the servers?

ldapsearch doesn't use the connection manager.  Unless you're now replacing
tonnes of tools (and the perl Net::LDAP module and the python module and
the apache LDAP module and...)