
Re: slow group membership lookup: msg#00023

ldap.padl.nss

Subject: Re: slow group membership lookup

On 14. sep. 2006, at 03.00, Joe Lin wrote:

I am using nss-ldap to resolve users and groups using ldap. However,
when I run 'id' command to resolve a userid (eg. id dodo1682), it takes
a really long time. So, I did a strace id dodo1682 and found that it is
searching for all groups in ldap. ie:

objectClass=posixGroup

Is there a way to prevent it from searching all the groups from entire
ldap directory? I have looked at the nss-ldap archives and not found any
authoritative answers on this, only a patch from 2003.

Any help on this matter is appreciated.

nss_ldap has support for the initgroups_dyn interface to allow swift group lookups by username.

If your system lacks this or a compatibility layer, it has to revert to reading all the groups from the database to determine membership.

This really does not work very well with even a modest number of groups, so if there is no way of getting this to work on your system, I would either drop having per-user groups in the directory, or disable ldap group lookups in nsswitch.conf and hope for future support :-)

--
Frode Nordahl
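
Added example, not part of the original message or of nss_ldap: a small C program contrasting the two lookup paths described in the reply. On glibc, getgrouplist(3) is the call that can reach an NSS module's initgroups_dyn hook, while the second function emulates the fallback of reading every group entry. The function names, MAX_GROUPS and the default user "root" are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 1024  /* illustrative buffer size */

/* Fast path: getgrouplist(3) lets glibc use the NSS module's initgroups_dyn
 * hook when one exists. Returns the number of gids stored, or -1 if > max. */
int groups_via_getgrouplist(const char *user, gid_t primary, gid_t *out, int max)
{
    int n = max;
    return getgrouplist(user, primary, out, &n) == -1 ? -1 : n;
}

/* Slow path: read every group entry and test membership by hand, which is
 * what the lookup degrades to without initgroups_dyn. *scanned counts the
 * entries read; duplicate gids across sources are not merged here. */
int groups_via_enumeration(const char *user, gid_t primary, gid_t *out,
                           int max, long *scanned)
{
    int n = 0;
    struct group *gr;
    *scanned = 0;
    if (max < 1) return -1;
    out[n++] = primary;                      /* primary gid is always included */
    setgrent();
    while ((gr = getgrent()) != NULL) {
        (*scanned)++;
        for (char **m = gr->gr_mem; gr->gr_gid != primary && *m != NULL; m++) {
            if (strcmp(*m, user) != 0) continue;
            if (n == max) { endgrent(); return -1; }
            out[n++] = gr->gr_gid;
            break;
        }
    }
    endgrent();
    return n;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";  /* sample default user */
    struct passwd *pw = getpwnam(user);
    gid_t fast[MAX_GROUPS], slow[MAX_GROUPS];
    long scanned = 0;
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", user); return 1; }
    int nf = groups_via_getgrouplist(user, pw->pw_gid, fast, MAX_GROUPS);
    int ns = groups_via_enumeration(user, pw->pw_gid, slow, MAX_GROUPS, &scanned);
    printf("getgrouplist: %d groups; enumeration: %d groups after reading %ld entries\n", nf, ns, scanned);
    return 0;
}
```

The number of entries read by the second function grows with the size of the group database, while the first can be answered with a search restricted to the one user.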





