Re: slow group membership lookup

Hi,

in regard to initgroups_dyn, how am I suppose to enable it? Do I have to
modify the nss-ldap source code or is there anything to be done in the
libnss_ldap.conf?

Any help on this is appreciated.

Cheers,

Archur



Frode Nordahl wrote:
> 
> On 14. sep. 2006, at 03.00, Joe Lin wrote:
> 
>> I am using nss-ldap to resolve users and groups using ldap. However,
>> when I run 'id' command to resolve a userid (eg. id dodo1682), it  
>> takes
>> a really long time. So, I did a strace id dodo1682 and found that  
>> it is
>> searching for all groups in ldap. ie:
>>
>> objectClass=posixGroup
>>
>> Is there a way to prevent it from searching all the groups from entire
>> ldap directory? I have looked at the nss-ldap archives and not  
>> found any
>> authoritive answers on this, only a patch from 2003.
>>
>> Any help on this matter is appreciated.
> 
> nss_ldap has support for the initgroups_dyn interface to allow swift  
> group lookups by username.
> 
> If your system lacks this or a compability layer, it has to revert to  
> reading all the groups from the database to determine membership.
> 
> This really does not work very well with even a modest number of  
> groups, so if there is no way of  getting this to work on your  
> system, I would either drop having per-user groups in the directory,  
> or disable ldap group lookups in nsswich.conf and hope for future  
> support :-)
> 
> --
> Frode Nordahl
> 
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/slow-group-membership-lookup-tf2269245.html#a6355651
Sent from the NSS LDAP forum at Nabble.com.