Re: [Sheflug] AccessSpace NIS
On Fri, 30 Mar 2001 home [at] alexhudson.com wrote:
> On Fri, Mar 30, 2001 at 07:52:22PM +1000, Matthew Palmer wrote:
> > > 40 seconds?!?!? In my experience, LDAP has _always_ beaten the pants off
> > > of anything it's been put against. Have you tried an ldapsearch from the
> >
> > It doesn't take 40 seconds to complete a search - usually 2-3 seconds. The
> > full 40 seconds is taken up by normal processing, as well as the multitude
> > of lookups that need to be done to complete a login.
>
> Wow. The way it's always worked for me, is that the PAM module just requests
> the user info about the user, and that's the only lookup it does via LDAP.
Erm, add libnss_ldap, and it gets mighty slow...
> > The bottleneck is, I think, RAM - the database is large enough to overflow
> > physical RAM, and so we have the ol' swap problem.
>
> Yes, that sounds reasonable, although you must either have a very big
> database or not much RAM :) Complex data structures are often not
16MB, and it's also doing DNS and Kerberos.
> particularly well suited to swapping - related data is not necessarily
> stored together, and I imagine LDAP uses a red/black tree, or AVL, or
> something. Plus, they're often optimized for speed - which means any space
> efficiency usually goes to the wall :)
Yup. We usually run with about 20MB of swap being used. With all those
considerations... yes, we're very short of RAM.
> > The main reason OpenAFS isn't in the kernel (and never will be) is that it's
> > not GPLed, or even (AFAIR) DFSG-free. It's under an IBM open-source
> > licence, which, as with most of these sorts of things, is only just 'free as
> > in beer', and certainly isn't speech-free.
>
> Yep, that makes sense. That's a shame, Linux could do with a good network file
> system :(
We do, it just isn't really available to the world at large.
> > My only gripe with AFS is that it is depressingly reliant on Kerberos 4, not
> > my favourite authentication scheme. There is talk of Krb5 migration for
> > OpenAFS, but it's not coming any time soon.
>
> That's another shame :( I might have to give AFS a whirl at some point,
> though, it sounds good.
Both Heimdal and MIT Kerberos 5 have the ability to pretend to be a
kaserver, so you're capable of playing with the two together. You just
can't play Krb5 only sites...
> > Replication under 1.2.11 isn't a doddle - it just doesn't work. It doesn't
> > follow its own specifications as to the replog format. Clever, huh?
> >
> > I'm currently trying to make 2.0.7 work, to see if it's any happier. I'm
> > hitting a nasty brick wall with my ldapsearch, though - it keeps giving me
> > "No such object" errors, no matter what Base DN and search filter I supply.
> > Any ideas? If you're on the openldap-software list, you'll see my question
> > there... <g>
>
> Hmmm, not sure. I've only really used openldap 2, and never had _any_
> problems replicating. Well, that is, it only supports simple binding - if
> you want to modify information, you have to simple bind to the master server
> - slave ldap servers are not able to refer, or the tools they provide don't
> follow referrals. I remember sorting the authentication between the two
> servers wasn't necessarily easy though..
Worked out the OLDAP 2 problem - Debian faff-up. Replication hasn't been
tried, but will be worked on.
The referral problem is one of binding after the referral - referrals are
followed with an anonymous bind. Problem. No solution AFAIR.
> > Thanks. Luckily, I have the god of editors (joe), which handles these sorts
> > of brokennesses with a ^K J...
>
> I've just export VISUAL=jpico; export EDITOR=jpico (I know pico bindings :)
I did, once. Now I refuse to try and remember them...
--
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk