LDAP

I finally bluffed and fiddled enough to get OpenLDAP working as an office-wide address book for Evolution -- which is very cool indeed. Maybe I should buy the O'Reilly LDAP book before turning on pam_ldap though...

NP: Hot Shots II, The Beta Band. They're good / Yes, I know.

11:46 Tuesday, 20 Apr 2004 [computers] (3 comments)

Posted by Wouter Verhelst at Tue Apr 20 12:26:39 2004:
pam_ldap is slow. You don't want that, unless you don't mind having to wait half a second or so extra every time something needs to do a lookup. Mind, that includes doing "ls -l".

Instead, I recommend using pam_db and a (perl/python/ruby/whatever) cronjob that gets the data out of the LDAP directory and into a passwd-style file. That's very easy to set up (at least, on Debian it is), a hell of a lot faster, and allows the exact same flexibility. More, in fact, since you can more easily use your own schema instead of the one pam_ldap expects.

I've been using this system for a while now, and it works great. In fact, Debian does so, too...
Posted by Tassos Bassoukos at Tue Apr 20 13:37:00 2004:
By default, pam_ldap makes one LDAP lookup per credentials lookup, and that's what makes it slow. That's where the name service cache daemon (nscd) comes in, it will cache these requests for a customizable amount of time. ls -l on /home for 50 users takes about 10 seconds the first time and is instantaneous the second.

In Debian, simply apt-get install nscd. The point of LDAP is that you can keep more info accessible to more applications, not just Unix authentication.
Posted by Wouter Verhelst at Wed Apr 21 08:01:59 2004:
Yeah, I know about nscd; however, I have had more problems with a buggy nscd than anything else.

Having the precaching of using pam_db and LDAP->passwd scripts gives, IMO, the best of both worlds.
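The LDAP-to-passwd export job that Wouter describes, written out as an added example (this is not code from the post or from any commenter, and not Debian's own tooling). It takes `ldapsearch -LLL`-style LDIF on stdin-equivalent text, here a constructed sample embedded in the script, and emits passwd- and shadow-style lines for a local cache such as pam_db/nss_db. The checks are the ones worth having before a directory entry becomes a local account: only posixAccount entries, a sane username, no uid below a site-chosen floor (so a stray `uidNumber: 0` can never mint a local root), no ':' or newline in any field (a value like `/home/x:/etc` would otherwise inject extra passwd fields), only crypt(3) hashes copied over (anything else locks the account rather than exporting it), duplicate names dropped, and the output written atomically with the right mode. The `MIN_UID` floor, the `/usr/sbin/nologin` default shell and the output file names are assumptions.

```python
"""Export LDAP posixAccount entries (LDIF) to passwd/shadow-style files.
Added example for feeding a pam_db/nss_db cache; sample data is constructed."""
import os
import re
import tempfile

# Constructed sample, standing in for `ldapsearch -LLL` output.  alice is
# good; bob claims uid 0; carol has no shell and a non-crypt hash; mallory
# smuggles a ':' into homeDirectory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {CRYPT}$6$saltsalt$hashhashhash

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1002
gidNumber: 1001
homeDirectory: /home/carol
userPassword: {SSHA}notacryptahash

dn: uid=mallory,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: mallory
uidNumber: 1003
gidNumber: 1001
homeDirectory: /home/mallory:/etc
"""

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_UID = 1000  # assumption: uids below this are local/system accounts only


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry.  Folded
    lines (leading space) are joined; base64 ('::') values are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    values = entry.get(attr)
    return values[0] if values else None


def check_field(value):
    """passwd/shadow are ':'-separated, newline-terminated records; a value
    carrying either would inject extra fields or whole extra accounts."""
    if ":" in value or "\n" in value or "\r" in value:
        raise ValueError("unsafe character in %r" % value)
    return value


def export_entry(entry):
    """Return (passwd_line, shadow_line); raise ValueError if not exportable."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("not a posixAccount")
    name = first(entry, "uid") or ""
    if not USERNAME_RE.match(name):
        raise ValueError("bad username %r" % name)
    uid = int(first(entry, "uidNumber") or -1)  # non-numeric -> ValueError
    gid = int(first(entry, "gidNumber") or -1)
    if uid < MIN_UID:
        raise ValueError("%s: uid %d below %d" % (name, uid, MIN_UID))
    if gid <= 0:
        raise ValueError("%s: bad gid %d" % (name, gid))  # never group root
    home = check_field(first(entry, "homeDirectory") or "")
    if not home.startswith("/"):
        raise ValueError("%s: bad home %r" % (name, home))
    shell = check_field(first(entry, "loginShell") or "/usr/sbin/nologin")
    gecos = check_field(first(entry, "cn") or name)
    pw = first(entry, "userPassword") or ""
    # Only a crypt(3) hash is usable by a local PAM module; anything else
    # (cleartext, {SSHA}, missing) locks the account instead of leaking it.
    hash_ = check_field(pw[len("{CRYPT}"):]) if pw.startswith("{CRYPT}") else "!"
    passwd = "%s:x:%d:%d:%s:%s:%s" % (name, uid, gid, gecos, home, shell)
    shadow = "%s:%s::0:99999:7:::" % (name, hash_)
    return passwd, shadow


def build_files(ldif_text):
    """Convert every entry; report bad ones instead of aborting, so one
    corrupt directory entry does not empty the whole cache."""
    passwd, shadow, rejected, seen = [], [], [], set()
    for entry in parse_ldif(ldif_text):
        try:
            p, s = export_entry(entry)
        except ValueError as exc:
            rejected.append((first(entry, "dn"), str(exc)))
            continue
        name = p.split(":")[0]
        if name in seen:
            rejected.append((first(entry, "dn"), "duplicate username"))
            continue
        seen.add(name)
        passwd.append(p)
        shadow.append(s)
    return passwd, shadow, rejected


def write_atomically(path, lines, mode):
    """Temp file in the same directory, chmod, then rename: readers never see
    a half-written file, and the mode is set before it becomes visible."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, mode)
    os.replace(tmp, path)


if __name__ == "__main__":
    pw, sh, bad = build_files(SAMPLE_LDIF)
    write_atomically("passwd.ldap", pw, 0o644)   # output names are assumptions
    write_atomically("shadow.ldap", sh, 0o600)
    for dn, why in bad:
        print("rejected %s: %s" % (dn, why))
```

Run from cron, the script would read real `ldapsearch` output instead of the embedded sample and the two output files would then be turned into the database your local module reads (for libnss-db that is the `makedb` step). The point of rejecting rather than aborting is that a cache rebuild should degrade one account at a time; the point of the uid floor and the ':' check is that whoever can write to the directory should not thereby be able to write arbitrary lines into the passwd file of every machine that syncs from it.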
