
Re: [Sheflug] AccessSpace NIS



On Fri, 30 Mar 2001 home [at] alexhudson.com wrote:

> On Fri, Mar 30, 2001 at 07:52:22PM +1000, Matthew Palmer wrote:
> > > 40 seconds?!?!? In my experience, LDAP has _always_ beaten the pants off
> > > of anything it's been put against. Have you tried an ldapsearch from the
> > 
> > It doesn't take 40 seconds to complete a search - usually 2-3 seconds.  The
> > full 40 seconds is taken up by normal processing, as well as the multitude
> > of lookups that need to be done to complete a login.
> 
> Wow. The way it's always worked for me, is that the PAM module just requests
> the user info about the user, and that's the only lookup it does via LDAP. 

Erm, add libnss_ldap, and it gets mighty slow...

> > The bottleneck is, I think, RAM - the database is large enough to overflow
> > physical RAM, and so we have the ol' swap problem.
> 
> Yes, that sounds reasonable, although you must either have a very big
> database or not much RAM :) Complex data structures are often not

16MB, and it's also doing DNS and Kerberos.

> particularly well suited to swapping - related data is not necessarily
> stored together, and I imagine LDAP uses a red/black tree, or AVL, or
> something. Plus, they're often optimized for speed - which means any space
> efficiency usually goes to the wall :) 

Yup.  We usually run with about 20MB of swap being used.  With all those
considerations... yes, we're very short of RAM.

> > The main reason OpenAFS isn't in the kernel (and never will be) is that it's
> > not GPLed, or even (AFAIR) DFSG-free.  It's under an IBM open-source
> > licence, which, as with most of these sorts of things, is only just 'free as
> > in beer', and certainly isn't speech-free.
> 
> Yep, that makes sense. That's a shame, Linux could do with a good network file
> system :(

We do, it just isn't really available to the world at large.

> > My only gripe with AFS is that it is depressingly reliant on Kerberos 4, not
> > my favourite authentication scheme.  There is talk of Krb5 migration for
> > OpenAFS, but it's not coming any time soon.
> 
> That's another shame :( I might have to give AFS a whirl at some point,
> though, it sounds good.

Both Heimdal and MIT Kerberos 5 have the ability to pretend to be a
kaserver, so you're capable of playing with the two together.  You just
can't play Krb5 only sites...

> > Replication under 1.2.11 isn't a doddle - it just doesn't work.  It doesn't
> > follow its own specifications as to the replog format.  Clever, huh?
> > 
> > I'm currently trying to make 2.0.7 work, to see if it's any happier.  I'm
> > hitting a nasty brick wall with my ldapsearch, though - it keeps giving me
> > "No such object" errors, no matter what Base DN and search filter I supply. 
> > Any ideas?  If you're on the openldap-software list, you'll see my question
> > there... <g>
> 
> Hmmm, not sure. I've only really used openldap 2, and never had _any_
> problems replicating. Well, that is, it only supports simple binding - if
> you want to modify information, you have to simple bind to the master server
> - slave ldap servers are not able to refer, or the tools they provide don't
> follow referrals. I remember sorting the authentication between the two
> servers wasn't necessarily easy though..

Worked out the OLDAP 2 problem - Debian faff-up.  Replication hasn't been
tried, but will be worked on.

The referral problem is one of binding after the referral - referrals are
followed with an anonymous bind.  Problem.  No solution AFAIR.

> > Thanks.  Luckily, I have the god of editors (joe), which handles these sorts
> > of brokennesses with a ^K J...
> 
> I've just export VISUAL=jpico; export EDITOR=jpico (I know pico bindings :)

I did, once.  Now I refuse to try and remember them...


-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.