'Production' improvements to pdb_ldap

Andrew Bartlett abartlet at samba.org
Sat Oct 12 04:03:01 GMT 2002

Samba 3.0 is starting to be used in a lot of places, and I'm starting to
look into how we can best ensure we don't get bottlenecks in our

Metze has raised a number of issues with pdb_ldap:

 - We do a Get_Pwnam() on every user - even in enums.

 - We hit the LDAP server for a new connection each time

Both of these we have known about for a while - but it turns out that
usrmgr asks for a list of all users (enum), then asks for each user by
RID.  In his (quite large) setup, this can take so long that usrmgr
times out!

For the first problem, I am proposing that we use the uidNumber,
gidNumber etc. in the user's LDAP record directly - rather than doing a
Get_Pwnam() for that information.  Naturally, if that information is not
present, we can do a Get_Pwnam() anyway.

However, the question is:  Should we make this the default?  It's fine
for sites running nss_ldap, but it does change behavior.  Or should we
add 'yet another smb.conf option', that admins would have to turn on if
they are running such large domains?

I would propose 'ldap trust uids' as the name, unless somebody comes up
with a better one :-).

For the second issue, we will just have to start caching connections -
it doesn't look too hard, just a wrapper around the actual calls, but
I've not had a chance to implement it.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
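
The lookup order proposed for the first problem, as an added example that is not Samba code and not part of the original post: take uidNumber/gidNumber from the entry only when both parse cleanly, otherwise fall back to the NSS lookup. The `struct attr` entry model, `resolve_ids`, `parse_id`, the `trust_uids` flag and the sample entries are hypothetical names and constructed data.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* Constructed stand-in for an LDAP entry: single-valued attribute pairs. */
struct attr { const char *name, *value; };
const struct attr good_entry[] = {   /* constructed sample data */
    {"uid", "smbtest-constructed-user"}, {"uidNumber", "1001"}, {"gidNumber", "513"}};
const struct attr bad_entry[] = {    /* constructed, malformed uidNumber */
    {"uid", "smbtest-constructed-user"}, {"uidNumber", "10x1"}, {"gidNumber", "513"}};
int nss_calls; /* counts fallbacks to NSS (the Get_Pwnam() path in the post) */

static const char *attr_get(const struct attr *e, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(e[i].name, name) == 0) return e[i].value;
    return NULL;
}

/* Strict decimal parse: rejects missing, signed, trailing junk, overflow and
 * 0xFFFFFFFF, which as (uid_t)-1 means "leave unchanged" to setreuid() etc. */
static int parse_id(const char *s, unsigned long *out) {
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno != 0 || *end != '\0' || *out >= 0xFFFFFFFFUL) ? -1 : 0;
}

/* trust_uids models the proposed option. Returns 0 on success, -1 if unknown. */
int resolve_ids(const struct attr *e, size_t n, int trust_uids, uid_t *uid, gid_t *gid) {
    unsigned long u, g;
    if (trust_uids && parse_id(attr_get(e, n, "uidNumber"), &u) == 0 &&
        parse_id(attr_get(e, n, "gidNumber"), &g) == 0) {
        *uid = (uid_t)u; *gid = (gid_t)g;   /* no NSS round trip needed */
        return 0;
    }
    const char *name = attr_get(e, n, "uid");
    struct passwd *pw;
    nss_calls++;
    if (name == NULL || (pw = getpwnam(name)) == NULL) return -1;
    *uid = pw->pw_uid; *gid = pw->pw_gid;
    return 0;
}

int main(void) {
    uid_t u = 0; gid_t g = 0;
    int rc = resolve_ids(good_entry, 3, 1, &u, &g);
    printf("rc=%d uid=%lu gid=%lu nss_calls=%d\n", rc, (unsigned long)u, (unsigned long)g, nss_calls);
}
```

With the flag on, whoever can write uidNumber in the directory decides the Unix identity the account maps to, so write access to those attributes needs the same control as the passwd source itself.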
