Bezüglich Peter Wemm's Nachricht vom 17.08.2014 19:18 (localtime): > On Sunday 17 August 2014 15:22:02 O. Hartmann wrote: >> Am Sun, 17 Aug 2014 13:09:10 +0000 >> >> "Eggert, Lars" <lars_at_netapp.com> schrieb: >>> Nobody using nscd? Really? >> I can only speak for myself and I stopped using nscd since the support is >> crap. >> >> A while ago (t > 1 1/2 years) I realised within a OpenLDAP environment, that >> when nscd is running, sometimes the system simple "forgets" about root - >> this is painful while installing/updating ports and getting interrupted >> with a weird error "unknown user root". >> >> nscd is supposed to be used in large environments where the cost for a user >> lookup, like in OpenLDAP, is worse. But obviously FreeBSD isn't used in >> that large environments with OpenLDAP and I'm wondering what the purpose of >> nscd is. > The other problem is that net/nss_ldap and security/pam_ldap have kind of been > left behind for performance and robustness. People who use this seriousy tend > to discover net/nss-pam-ldapd fairly quickly which has its own caching proxy > and eliminates the need for nscd. > > With nss_ldap and pam_ldap, the openldap client libraries and startup cost is > linked into every single binary that uses it. > > WIth pam-nss-ldapd, it's a simple unix domain socket (with peercred > authentication) and no heavy-weight libraries in the consumers. The proxy on > the other end of the socket keeps a ldap connection open (with an idle > timeout). The whole thing was vastly more robust and efficient. > > At least that's what we found in the freebsd.org cluster. nss-pam-ldapd was > two or three orders of magnitude more usable and got rid of nscd in the > process. > > For us, nscd "worked", but it just didn't save much effort because it was a > per-uid cache. ie: if "jkh" had just caused a ldap search, and "peter" > repeated it, it had to be done again from scratch. > > The downside for nss-pam-ldapd was that it uses a non-extensible wire protocol > and didn't have room for bsd-style login classes. This exactly refelcts my experiences too, which is why I'm wondering if net/nss-pam-ldapd is a serious base candidate. When nscd showed up (arround 7.0-Release if I remember correctly), it was a big and highly appreciated improovement for me, reducing interactivity lags of gnome e.g. by at least a factor of 4 for usual desktop user tasks when user database was LDAP driven. At that time there were rumors that FreeBSD needs LDAP user-database support, but with the glitches of net/nss_ldap, it seemed that there's no ready-to-implement solution at that time. Things changed completely with net/nss-pam-ldapd. Haven't had any negative experiences with single-LDAP backend networks. Haven't had big environments yet either, but I think it's time to think about base-LDAP-support again. net/nss-pam-ldapd is GPL licensed, so I guess it won't get into base, but it was a great template, is it? -Harry
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:51 UTC