make 'ldap trust ids' the default?
Steve Langasek
vorlon at netexpress.net
Mon Nov 4 05:28:00 GMT 2002
On Sat, Nov 02, 2002 at 06:36:47PM +1100, Andrew Bartlett wrote:
> I've just committed a patch that adds a new 'ldap trust ids' smb.conf
> option.
> Currently defaulting to off, this option allows pdb_ldap to use the ldap
> server directly to determine if a user 'exists' in unix.
> This gives us a performance boost, particularly on enumerations:
> (Removes the extra lookup per record).
> The logic is such that if there are no posixAccount attributes for a
> user, we try getpwnam(), it's just that we look in LDAP first.
> As such, do people think we should have this by default?
> This was a fix to solve some particular problems that metze had, and
> I'll see if I can get some feedback on exactly how much this helps.
This seems terribly kludgy to me. There's a lot that can be done to
optimize unix username lookups without violating the abstraction (e.g.,
nscd). I particularly don't think this should be used for anything that
involves *enumerating* users, as the most frequent NSS configuration
involving LDAP is to reference both LDAP *and* local files; so
enumerating via the Unix calls may give different results than doing so
via the LDAP calls.
Steve Langasek
postmodern programmer
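
The divergence raised in the reply above, as an added example that is not part of the original thread and is not Samba or glibc code: a toy Python model comparing an NSS view built from `passwd: files ldap` with an LDAP-only view. The nsswitch.conf line, the account data and all function names are constructed assumptions.

```python
import re

# Constructed sample data: nothing here is read from a real system.
NSSWITCH = "# sample\npasswd: files [NOTFOUND=continue] ldap\n"
FILES = {"root": 0, "backup": 34, "alice": 1001}   # local /etc/passwd entries
LDAP = {"alice": 5001, "bob": 5002}                # posixAccount entries
BACKENDS = {"files": FILES, "ldap": LDAP}

def parse_passwd_sources(text):
    """Ordered NSS sources on the 'passwd:' line, ignoring [action] items."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            rest = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return rest.split()
    return []

def nss_lookup(name, sources):
    """Model of getpwnam(): the first source that knows the name wins."""
    for src in sources:
        uid = BACKENDS.get(src, {}).get(name)
        if uid is not None:          # uid 0 is a valid answer
            return uid
    return None

def nss_enumerate(sources):
    """Model of a getpwent() walk, keeping the first entry per name."""
    seen = {}
    for src in sources:
        for name, uid in BACKENDS.get(src, {}).items():
            seen.setdefault(name, uid)
    return seen

def ldap_first_lookup(name, sources):
    """Order described in the quoted message: LDAP first, then getpwnam()."""
    return LDAP[name] if name in LDAP else nss_lookup(name, sources)

def divergence(sources):
    """Names an LDAP-only enumeration misses, and names whose uid differs."""
    nss = nss_enumerate(sources)
    missing = sorted(set(nss) - set(LDAP))
    conflicts = {n: (nss[n], LDAP[n]) for n in LDAP
                 if n in nss and nss[n] != LDAP[n]}
    return missing, conflicts

if __name__ == "__main__":
    print(divergence(parse_passwd_sources(NSSWITCH)))
```

In this model the local-only accounts never appear in the LDAP enumeration, and `alice` resolves to a different uid depending on which path answers first.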