Hello

I was working with a company which plans to migrate its FreeBSD servers from using /etc/{passwd,group} to LDAP. They will have about 45'000 users and as many groups in the directory. Tests showed that any function retrieving the groups a user is a member of, for example getgrouplist(3) or initgroups(3), is very slow. In our case, it was about 7 seconds per invocation.

Further investigation showed how inefficiently these functions are implemented through getgrouplist(3). FreeBSD's implementation loops through all groups and their members to check whether a user is a member of it, in which case it adds the group to a list. In our case, this means retrieving 45'000 search results from the LDAP server.

Directory services like LDAP or Winbind allow queries to have filters, enabling us to write a much more efficient implementation. The attached patches (nss-getgroupmembership-try9.diff for FreeBSD 6, nss-getgroupmembership-fbsd7-try3.diff for FreeBSD 7) use an nss module's getgroupmembership(3) function if available. Otherwise it uses a fallback which then uses the old algorithm with some modifications. After applying it, getgrouplist(3) takes only a few milliseconds to retrieve all groups of a user.

Another patch, attached as bsdnss.diff, is needed for nss_ldap. It applies to the ports/net/nss_ldap/files/bsdnss.c file and exports the required getgroupmembership function. Most of the code there is from NetBSD.

The basic idea of getgroupmembership(3) has been taken from [1] and NetBSD, where it's already implemented. Thanks to Matthijs Kooijman for his preliminary work [2], testing with Winbind and support.

A need for this code seems to have been around for some time already; the first reference [3] I've found being in March 2006.

What do you think about the code? Is it usable? If not, I'm open to providing fixes. If yes, please apply it.

Development of these patches is being sponsored by Hostpoint AG, http://www.hostpoint.ch/. They currently use FreeBSD 6.2 and would like to see this patch being applied there, too.

Greets,
Michael

[1] http://osdir.com/ml/netbsd.devel.userlevel/2004-12/msg00001.html
[2] http://lists.freebsd.org/pipermail/freebsd-current/2006-May/063548.html
[3] http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061413.html
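
The difference between the two lookup strategies described in the mail, as an added example that is not part of the original post or the attached patches: a full client-side scan of all groups versus a server-side filtered query, with the dispatch falling back to the scan when the module exports no method. The directory contents, function names and the `fetched` counter are constructed for illustration, and the RFC 2307 `memberUid` filter is an assumption about the schema.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample directory standing in for the group entries on the server. */
struct grp_entry { const char *name; int gid; const char *mem[3]; };
static const struct grp_entry GROUPS[] = {
    { "wheel", 0,    { "root", "alice", NULL } },
    { "staff", 20,   { "alice", "bob", NULL } },
    { "web",   1001, { "carol", NULL } },
    { "db",    1002, { "bob", NULL } },
    { "mail",  1003, { "alice", NULL } },
};
#define GROUP_COUNT (sizeof(GROUPS) / sizeof(GROUPS[0]))

/* Hypothetical signature: fills gids[], returns the count, and sets *fetched
 * to the number of group entries the client had to receive. */
typedef int (*membership_fn)(const char *user, int *gids, int max, int *fetched);

static int is_member(const struct grp_entry *g, const char *user) {
    for (int i = 0; i < 3 && g->mem[i] != NULL; i++)
        if (strcmp(g->mem[i], user) == 0) return 1;
    return 0;
}

/* Shared walk; count_all selects whether every entry or only matches reach the client. */
static int walk(const char *user, int *gids, int max, int *fetched, int count_all) {
    int n = 0;
    *fetched = 0;
    for (size_t i = 0; i < GROUP_COUNT; i++) {
        int hit = is_member(&GROUPS[i], user);
        if (count_all || hit) (*fetched)++;
        if (hit && n < max) gids[n++] = GROUPS[i].gid;
    }
    return n;
}

/* Old algorithm: enumerate all groups and test membership on the client. */
int scan_all_groups(const char *u, int *g, int max, int *f) { return walk(u, g, max, f, 1); }

/* Filtered query: the server evaluates the filter (assumed RFC 2307 style,
 * e.g. memberUid=<user>) and returns only the matching entries. */
int filtered_query(const char *u, int *g, int max, int *f) { return walk(u, g, max, f, 0); }

/* Use the module's method when it exports one, otherwise fall back to the scan. */
int lookup_groups(membership_fn module_fn, const char *user, int *gids, int max, int *fetched) {
    return (module_fn ? module_fn : scan_all_groups)(user, gids, max, fetched);
}

int main(void) {
    int gids[8], fetched, n = lookup_groups(filtered_query, "alice", gids, 8, &fetched);
    printf("%d groups, %d entries fetched\n", n, fetched);
    return 0;
}
```

Both paths return the same group list; only the number of entries transferred differs, which is the cost that grows with directory size.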