[Samba] One User, One Ldap, Multiple Domains

Adam Tauno Williams awilliam at whitemice.org
Sat Jun 4 15:24:35 GMT 2005


> >>b) We are going to be missing out on fun things like 
> >>"ldapsam:trusted=yes" by staying with ldapsam_compat

I believe so.

> >I would suggest looking into speed improvements (such as the continuing
> >work on this) before breaking your ldap into tiny pieces.  One domain
> >really should be the way to do this. 
> I know :-/
> Is 20,000+ users in a domain something that samba can do quickly yet? As 
> far as I know we've done all the standard things - indexes in openldap, 
> nscd on the PDC & quick hardware. Openldap is certainly quick enough - 
> the entire people OU comes back in about 5-6 seconds, so I've run out of 
> obvious things to tweak. Is ldapsam *that much* quicker than 
> ldapsam_compat for large numbers of users?

I think trusted=yes would make a big difference; also, if possible, use
LDAP over a domain socket (ldapi:///) rather than a network socket.  But
no matter what, I think enumerating that many users is going to be slow;
I'm curious why you have to enumerate all the users; in the security
tab, don't you perform a search?

Also make sure all your users' groups match to a Samba mapped group; we
saw a while ago that having Samba users in groups that weren't mapped
seemed to slow things down inside Samba somewhere.  (Maybe this is
resolved in more recent versions; this was a while ago.)