On Thu, 6 Oct 2011, Stephen Harris wrote:

> On Thu, Oct 06, 2011 at 09:14:35PM +0100, John Hodrien wrote:
>> place, I think it's hard to list *any* honest advantages over LDAP. Sorry, I
>> don't consider performance to be a credible advantage, especially after
>> nscd/sssd have had their way with caching results.
>
> Then you've never seen Veritas Cluster Services fall over 'cos of the amount
> of time it takes to do initgroup() stuff (VCS loves to su to oracle to
> verify the DB is up; the su takes too long 'cos this is a complete scan of
> the group map and nscd don't help, here; DB failover occurs).

As I said with my nscd/sssd comment, you need a client that's not total crap.
nss_ldap isn't up to dealing with a large ldap setup, especially with nested
groups. sssd 1.6.1, suitably configured, *is* up to it. I've tested it with
give or take 100k users and 100k groups. nscd with nss_ldap isn't up to it, as
the caching is done at the wrong time, and it doesn't understand anything
about LDAP.

I've seen ssh time out with a nss_ldap setup due to a slow initgroups. Your
only option there is:

nss_getgrent_skipmembers true

That gets your performance up to a pretty tasty level, but it *will* break
some things. sssd correctly configured gets you to only a small distance
behind that setup, but without the breakage, and it handles failures of LDAP
servers *much* better.

> You've never seen unexpected DoS attacks 'cos of "netstat -a" 'cos of all
> the temporary ports 'cos nscd doesn't cache serv-by-port values when each
> request is a new port number.

nscd is a pile of pants, I fully accept.

> You've never seen...
>
> Oh, never mind.
>
> LDAP (being TCP connection oriented) is a world of hurt when it comes
> to stability and performance in any large environment. NIS, being UDP,
> allows you to just "run". (By large, I'm talking 30,000 client machines
> on 5 continents).
So with sssd you're looking at persistent connections, sensible failover
between servers, and caching that understands the reality of ldap, not just
the NSS level. It really is a different world to be playing in. I'd been
longing for a better solution, but wasn't totally sold on the nss_ldapd stuff
that was lurking. sssd, and the winning attitude of the developers to
addressing problems, has been a revolution to me.

Caching that happens *before* your cache expires...

Seriously, sssd ticks so many boxes. If you've not had a look at sssd, *do*,
and by all means drop me a line or on the sssd mailing list if you have
problems. It's *not* perfect, but from my perspective it's so far towards
right I can forgive all the problems.

> This is true. NIS security is awful.

Which is why we use LDAP :-)

;)

jh

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
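The kind of sssd setup the message above argues for (persistent connections to several LDAP servers with failover, a local cache that survives a server outage, bounded nested-group expansion, no full enumeration of a 100k-entry directory), written out as an sssd.conf. This is an added example, not a file from the original thread or from the sssd project; the server names, base DN, CA bundle path and timeout values are assumptions, and every option shown is documented in sssd.conf(5).

```ini
; /etc/sssd/sssd.conf (example added here; hostnames, base DN, paths and
; timeouts are assumptions, not values from the original thread)

[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]
; cache "no such user/group" answers so repeated misses never reach LDAP
entry_negative_timeout = 15
; local accounts are never looked up in the directory
filter_users = root
filter_groups = root

[pam]

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

; failover list: sssd holds a persistent connection to the first server that
; answers and moves down the list when it stops responding
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com, ldap://ldap3.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis

; encrypt the channel and refuse servers whose certificate does not verify
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

; fail fast on a dead server instead of letting initgroups hang a login
ldap_network_timeout = 3
ldap_opt_timeout = 6

; never pull the whole user and group map down; answer lookups individually
enumerate = false

; bound nested-group expansion so a deep hierarchy cannot explode initgroups
ldap_group_nesting_level = 2

; positive cache lifetime in seconds; served from cache while LDAP is down
entry_cache_timeout = 5400

; do not keep password hashes on the client unless offline login is required
cache_credentials = false
```

sssd refuses to start unless the file is owned by root and mode 0600, and nsswitch.conf needs `sss` after `files` for passwd and group for the cache to be consulted at all. The comparison the message draws is with the nss_ldap workaround `nss_getgrent_skipmembers true` in ldap.conf, which speeds up initgroups by returning group entries with empty member lists; anything that reads membership from the group map rather than through initgroups then sees no members, which is the breakage referred to above.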