Performance issues with large groups on eDirectory

Hi!

I'm managing a bunch of systems that authenticate and fetch user data
from Novell eDirectory. 

With current (well, almost, nss_ldap release 234) version of nss_ldap,
I've noticed that there is an almost constant flow of LDAP queries
from the systems (they have many users). Digging around, I've seen
that the queries are of the type

base: <full DN of a user>
filter: (objectclass=*)

This kind of query is generated by _nss_ldap_dn2uid, which is called
when I do for example 'groups <username>' to verify each user in a
group. Groups are groupOfUniqueName objects with 'member' that contain
the DN of each member. 

The DNs of users are on the form cn=<username>,<somewhere in the
tree>.

With earlier versions of nss_ldap, there was not that many questions
to verify which user each DN object pointed to as there is now. I
suspect that there's been changes in nss_ldap that causes the high
amount of queries. More specifically:

* Earlier, I had 'nss_map_attribute uid cn' in my ldap.conf on the
  clients. This made nss_ldap understand that a 'cn=<username>' was
  a user object, so there were no need to look it up - nss_ldap could
  just return that <username> was a member of this group. This doesn't
  seem to work anymore.

* If I read the source code, the dn2uid cache is per process and
  volatile, while it was earlier per system and persistent, or am I
  wrong? This means more lookups on multi-user systems. 

Any hints on how to get acceptable performance in eDirectory
environments would be highly appreciated. 

Cheers,
\EF
-- 
Erik Forsberg                OpenSource-based Thin Client Technology
Systems Analyst/Developer    Phone: +46-13-21 46 00    
Cendio AB                    Web: http://www.cendio.com