[Samba] Re: samba w/ ldap - groups scalability and performance
sambauser at katehok.ac93.org
Tue Sep 21 03:20:36 GMT 2004
Marlys Nelson wrote:
> The PDC appears to request ALL groups from LDAP, using the search
> (objectclass=sambaGroupMapping). In our case, this is nearly 14,000
> entries and it can take almost 10 minutes to retrieve those from LDAP
> when there are hundreds trying at once. Indexing doesn't help in this
> case because samba is asking for ALL groups.
> Is there any way to make samba do a more targeted lookup of groups,
> perhaps only those groups where the user is a member?
I think it's possible. As far as I can see the problem is in this
rpc_server/srv_util.c:get_domain_user_groups implementation which does
retrieve all groups and then sort them out. Unfortunately, the fix isn't
that simple since interface to backends (include/passdb.h:struct
pdb_methods) has only one method to list groups: enum_group_mapping().
The solution could be to introduce another method to the above interface
(enum_user_groups()?) or to extend enum_group_mapping() to accept an
extra argument (user account name). The problem with the first solution
is that this method would repeat almost everything enum_group_mapping
does for all backends except that in ldapsam backend it will have an
extra (memberUid=<user>) filter. The problem with the second - all calls
to enum_group_mapping would need to be altered to accept an extra argument.
I'll try to see what I can do.
More information about the samba