[Wylug-discuss] Linux authentication against Windows active directory

John Hodrien johnh at comp.leeds.ac.uk
Mon Apr 21 13:02:42 BST 2008


On Mon, 21 Apr 2008, Nigel Metheringham wrote:

> As in winbind would be giving better performance. Have you any pointers as
> to where I could learn more about this?

If you're not getting inadequate performance, then you'll find krb5 + nss_ldap
is more reliable so I'd stick with it.  I'm talking from experience with ~80k
users and 15k groups.  Too much code assumes that walking the entire passwd or
group file is fast.  groupadd for example is terrible.  Say you do:

groupadd -g 30 testgroup

Now you want to avoid clashing with an existing group, so if it was me, I'd
perhaps check for gid 30 existing already, and group testgroup.  Even that
I'm not sold on by the time you're talking to a remote directory server, but
hey.

What I *wouldn't* do <snipped>:

struct group *grp;

setgrent ();
while ((grp = getgrent ())) {
     if (strcmp (group_name, grp->gr_name) == 0)
       // bail out: name already taken

     if (gflg && group_id == grp->gr_gid)
       // bail out: gid already taken
}
endgrent ();

Doesn't really scale...

Quite a few people have misgivings:
http://code.google.com/p/nsscache/wiki/MotivationBehindNssCache

Finding meaningful information on this in general is, as you've already found,
rather tricky.

I've found that as long as nss_ldap can easily tell what a group or a user is
from the dn (3x performance boost for a call to id), and that it doesn't fully
enumerate users/groups (means getent passwd/group just returns local
accounts), then the performance is fine for anything except calls to
initgroups which is unfortunately slow.  I've not yet devised a way of
speeding that up (and in fact I'm unconvinced it's even possible).

> It might - it's explicitly something we don't care about at present, so I
> haven't tested :-)

Yes, it wasn't something I tested either until I found an obscure desire to do
it, and found it already worked, as long as you don't rely on the msSFU
password being correct...

jh

-- 
"No one can be as calculatedly rude as the British, which amazes Americans,
  who do not understand studied insult and can only offer abuse as a
  substitute."                                        -- Paul Gallico
