Re: [Sheflug] Sheflug Meeting / AccessSpace NIS
On Fri, 30 Mar 2001 home [at] alexhudson.com wrote:
> On Fri, Mar 30, 2001 at 10:38:11AM +1000, Matthew Palmer wrote:
> > > The way I've set things up in the past is this. Account access /
> > > authentication over a network done over LDAP - you can get a PAM module
> > > which plugs in, and then you just pop all the account information into
> >
> > I can say from experience that LDAP auth is *not* a lightweight solution
> > when running on Access Space's hardware. I've implemented it here in the
> > IEEE lab, and the server is running on a 486. Logins can take up to 40
> > seconds to complete. Not a pretty sight.
>
> 40 seconds?!?!? In my experience, LDAP has _always_ beaten the pants off
> of anything it's been put against. Have you tried an ldapsearch from the
> command line to verify it's actually taking that long for slap to find the
> information? I would be *really* surprised if it was actually taking that
> long to pull information out of the database... even big databases .. but,
> that said, I've never tried it on such hardware, so I'm willing to accept
> that could be. I'd be really interested to know the bottleneck though - I
> would assume it's not CPU?
It doesn't take 40 seconds to complete a search - usually 2-3 seconds. The
full 40 seconds is taken up by normal processing, as well as the multitude
of lookups that need to be done to complete a login.
The bottleneck is, I think, RAM - the database is large enough to overflow
physical RAM, and so we have the ol' swap problem. The holdup in the code
is ACL checking - it uses a (seemingly) very inefficient algorithm to check
all the entries. For every entry in the database, it applies its ACL
checks, even if it's just to see if an entry matches. Very borken in this
situation.
> > Argh! OpenAFS to the rescue.
> >
> > My dream system is LDAP for the account info, Kerberos for the
> > authentication, and AFS for the home directories.
>
> Is OpenAFS stable enough for that kind of nonsense yet though?? I
> generally wouldn't use something unless it was in the mainline kernel,
> but, I suppose it's definitely worth a play - it certainly doesn't look
> shoddy, that's for sure, and probably beats the pants off of NFS (not hard
> :)
The main reason OpenAFS isn't in the kernel (and never will be) is that it's
not GPLed, or even (AFAIR) DFSG-free. It's under an IBM open-source
licence, which, as with most of these sorts of things, is only just 'free as
in beer', and certainly isn't speech-free.
It's a stable technology, and the code base is directly taken from the
commercial software developed by Transarc and just opened up. There was
even a solution for Linux back when it was closed-source, too - RedHat
oriented, but there we are.
My only gripe with AFS is that it is depressingly reliant on Kerberos 4, not
my favourite authentication scheme. There is talk of Krb5 migration for
OpenAFS, but it's not coming any time soon.
> > LDAP is a relatively easy technology to make happen. The concepts are
> > tough, but the servers are pretty easy to make happen.
>
> Yeah, even replication is a doddle, it's just the schema that are
> horrendous :)
Replication under 1.2.11 isn't a doddle - it just doesn't work. It doesn't
follow its own specifications as to the replog format. Clever, huh?
I'm currently trying to make 2.0.7 work, to see if it's any happier. I'm
hitting a nasty brick wall with my ldapsearch, though - it keeps giving me
"No such object" errors, no matter what Base DN and search filter I supply.
Any ideas? If you're on the openldap-software list, you'll see my question
there... <g>
> PS. Next post will be wordwrapped, I promise....
Thanks. Luckily, I have the god of editors (joe), which handles these sorts
of brokennesses with a ^K J...
--
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au
---------------------------------------------------------------------