'Production' improvements to pdb_ldap

Ignacio Coupeau icoupeau at unav.es
Sat Oct 12 07:50:00 GMT 2002


Andrew Bartlett wrote:
> Samba 3.0 is starting to be used in a lot of places, and I'm starting to
> look into how we can best ensure we don't get bottlenecks in our
> performance.
> 
> Metze has raised a number of issues with pdb_ldap:
> 
>  - We do a Get_Pwnam() on every user - even in enums.
> 
>  - We hit the LDAP server for a new connection each time
> 
> Both of these we have known about for a while - but it turns out that
> usrmgr asks for a list of all users (enum), then asks for each user by
> RID.  In his (quite large) setup, this can take so long that usrmgr
> times out!
> 
> For the first problem, I am proposing that we use the uidNumber
> gidNumber etc in the user's ldap record directly - rather than doing a
> Get_Pwnam() for that information.  Naturally, if that information is not
> present, we can do a Get_Pwnam anyway.
> 
> However, the question is:  Should we make this the default?  It's fine
> for sites running nss_ldap, but it does change behavior.  Or should we
> add 'yet another smb.conf option', that admins would have to turn on if
> they are running such large domains?
> 
> I would propose 'ldap trust uids' as the name, unless somebody comes up
> with a better one :-).

Some suggestions...

1. A uid mapping like "pam_login_attribute uid" may be useful because in 
some places an attr other than uid may be used.
2. If the user database is very big (mine has +27.000 users in very 
few groups) some enums simply make the samba server freeze for a 
while... a max_enum_size may be useful.
3. The cache may be useful, but may be a bit tricky in some places: 
things like nscd may run pretty well, but may be tricky.
4. As the ldap implements a cache, perhaps a persistent connection may 
be a first step... for us, a well tuned ldap server answers the nss 
questions from smtp and pop like a charm (~1000/min).
5. 'yet another option' may be convenient.

Thanks,

Ignacio

-- 
____________________________________________________
Ignacio Coupeau, Ph.D.     e-mail: icoupeau at unav.es
CTI, Director              fax:    948 425619
University of Navarra      voice:  948 425600
Pamplona, SPAIN            http://www.unav.es/cti/
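
Added example, not part of this thread and not Samba's own code: a sketch of the lookup order proposed above for 'ldap trust uids', taking uidNumber/gidNumber from the entry when the option is on and falling back to getpwnam() otherwise. `struct attr`, `find_attr`, `parse_id`, `resolve_ids` and the sample entries are hypothetical names and constructed data; a real backend would read the values from its LDAP result.

```c
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/types.h>

/* Constructed stand-in for one LDAP entry: attribute name and single value. */
struct attr { const char *name; const char *value; };
/* Constructed samples; "no-such-user-example" is assumed absent from the local nss. */
const struct attr good[] = { {"uid", "no-such-user-example"},
                             {"uidNumber", "1001"}, {"gidNumber", "513"} };
const struct attr bad[]  = { {"uid", "no-such-user-example"},
                             {"uidNumber", "-1"}, {"gidNumber", "513"} };
uid_t demo_uid; gid_t demo_gid;   /* outputs used by main() below */

static const char *find_attr(const struct attr *e, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)   /* LDAP attribute names are case-insensitive */
        if (strcasecmp(e[i].name, name) == 0) return e[i].value;
    return NULL;
}

/* Strict decimal parse. atoi() would turn "abc" into 0 (root), so reject
 * NULL, empty strings, signs, trailing junk and values that overflow 32 bits. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno != 0 || *end != '\0' || *out >= 0xFFFFFFFFUL) ? -1 : 0;
}

/* Returns 1 if the ids came from the entry, 0 if from getpwnam(), -1 on failure. */
int resolve_ids(const struct attr *e, size_t n, int trust_uids, uid_t *uid, gid_t *gid)
{
    unsigned long u, g;
    const char *name = find_attr(e, n, "uid");
    struct passwd *pw;
    if (trust_uids && parse_id(find_attr(e, n, "uidNumber"), &u) == 0 &&
        parse_id(find_attr(e, n, "gidNumber"), &g) == 0) {
        *uid = (uid_t)u; *gid = (gid_t)g;
        return 1;                    /* no nss round trip needed */
    }
    if (name == NULL || (pw = getpwnam(name)) == NULL) return -1;
    *uid = pw->pw_uid; *gid = pw->pw_gid;
    return 0;
}

int main(void) { return resolve_ids(good, 3, 1, &demo_uid, &demo_gid) == 1 ? 0 : 1; }
```

With the option on, an entry whose uidNumber or gidNumber is missing or malformed takes the getpwnam() path rather than being mapped to a default id.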



