[PATCH] Implement getgroupmembership(3) for massive performance gain when using LDAP or Winbind

From: Michael Hanselmann <freebsd_at_hansmi.ch>
Date: Mon, 16 Jul 2007 21:02:58 +0200

Hello

I was working with a company which plans to migrate its FreeBSD servers
from using /etc/{passwd,group} to LDAP. They will have about 45'000
users and as many groups in the directory.

Tests showed that any function retrieving the groups a user is a member
of, for example getgrouplist(3) or initgroups(3), is very slow. In our
case, it was about 7 seconds per invocation. Further investigation
showed how inefficiently these functions are implemented through
getgrouplist(3). FreeBSD's implementation loops through all groups and
their members to check whether a user is a member of it, in which case
it adds the group to a list. In our case, this means retrieving 45'000
search results from the LDAP server.

Directory services like LDAP or Winbind allow queries to have filters,
enabling us to write a much more efficient implementation. The attached
patches (nss-getgroupmembership-try9.diff for FreeBSD 6,
nss-getgroupmembership-fbsd7-try3.diff for FreeBSD 7) use an nss
module's getgroupmembership(3) function if available. Otherwise it uses
a fallback which then uses the old algorithm with some modifications.
After applying it, getgrouplist(3) takes only a few milliseconds to
retrieve all groups of a user.

Another patch, attached as bsdnss.diff, is needed for nss_ldap. It
applies to the ports/net/nss_ldap/files/bsdnss.c file and exports the
required getgroupmembership function. Most of the code there is from
NetBSD.

The basic idea of getgroupmembership(3) has been taken from [1] and
NetBSD, where it's already implemented. Thanks to Matthijs Kooijman for
his preliminary work[2], testing with Winbind and support. A need for
this code seems to have been around for some time already; the first
reference[3] I've found being in March 2006.

What do you think about the code? Is it usable? If not, I'm open to
providing fixes. If yes, please apply it.

Development of these patches is being sponsored by Hostpoint AG,
http://www.hostpoint.ch/. They currently use FreeBSD 6.2 and would
like to see this patch being applied there, too.

Greets,
Michael

[1] http://osdir.com/ml/netbsd.devel.userlevel/2004-12/msg00001.html
[2] http://lists.freebsd.org/pipermail/freebsd-current/2006-May/063548.html
[3] http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061413.html

Received on Mon Jul 16 2007 - 17:22:22 UTC
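
The difference between the two lookup strategies described in the message, as an added example that is not code from the attached patches or from FreeBSD: it counts how many group records a directory has to send when the client enumerates every group versus when the server applies the membership filter. The in-memory directory, `group_list()`, `add_gid()` and `records_fetched` are hypothetical names and constructed data; the -1 return on a full buffer is this example's own convention so that a truncated group list is never mistaken for a complete one.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
/* Constructed sample directory; a real one sits behind LDAP or Winbind. */
struct grp_rec { gid_t gid; const char *members[4]; };
static const struct grp_rec DIRECTORY[] = {
    {100, {"alice", "bob"}}, {101, {"carol"}}, {102, {"alice"}},
    {103, {"dave", "bob"}}, {104, {"alice", "carol"}},
};
#define NDIR (sizeof(DIRECTORY) / sizeof(DIRECTORY[0]))
static size_t records_fetched; /* entries the "server" had to send */

static int is_member(const struct grp_rec *g, const char *user) {
    for (size_t i = 0; i < 4 && g->members[i] != NULL; i++)
        if (strcmp(g->members[i], user) == 0) return 1;
    return 0;
}

/* Append gid unless already present; returns 0 when out[] is full. */
static int add_gid(gid_t gid, gid_t *out, int max, int *n) {
    for (int i = 0; i < *n; i++)
        if (out[i] == gid) return 1;
    if (*n >= max) return 0;
    out[(*n)++] = gid;
    return 1;
}

/* filtered=0: old algorithm, every group is sent and checked client-side.
 * filtered=1: the server filters. Returns -1 if out[] was too small. */
static int group_list(const char *user, gid_t primary, int filtered,
                      gid_t *out, int max, int *n) {
    *n = 0;
    records_fetched = 0;
    int rc = add_gid(primary, out, max, n) ? 0 : -1;
    for (size_t i = 0; i < NDIR; i++) {
        int match = is_member(&DIRECTORY[i], user);
        if (filtered && !match) continue; /* dropped server-side */
        records_fetched++;
        if (match && !add_gid(DIRECTORY[i].gid, out, max, n)) rc = -1;
    }
    return rc;
}

int main(void) {
    gid_t out[8]; int n;
    for (int f = 0; f <= 1; f++) {
        group_list("alice", 100, f, out, 8, &n);
        printf("filtered=%d groups=%d records=%zu\n", f, n, records_fetched);
    }
}
```

Both strategies return the same group set; only the number of records crossing the wire changes, which is where the per-invocation cost in a large directory comes from.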
