Re: performance problem in auth_unix.c:auth_newstate()

From: Gary Mills (no email)
Date: Sat Jun 29 2002 - 12:04:22 EDT


On Sat, Jun 29, 2002 at 10:15:08AM -0500, Amos Gouaux wrote:
>
> I take it this is on Linux, right? This has been an interesting
> discussion (one of many!) because on our Solaris box we're
> currently using nsswitch to do the LDAP lookups for us. We do
> use 'group:' in the ACL of some of our student-specific shared
> folders. Performance got to be so bad that I had to dump the group
> entries into /etc/group and change nsswitch.conf to 'group: files'.
> While this works, I sometimes forgot to update that file. ;-)

Solaris 9 and recent versions of Solaris 8 include this information
in the `nss' man page:

     /etc/default/nss supports the following options:

     NETID_AUTHORITATIVE
           Changes the behavior of the name service lookups to
           use the netid table in response to the initgroups(3C)
           call. The netid table is provided by the LOCAL entries
           of the NIS+ cred.org_dir table. By default, init-
           groups() uses the group table. When
           NETID_AUTHORITATIVE is set to TRUE, initgroups() will
           use netid as the source for supplementary groups
           rather than the group table.

           The name service administrator must ensure that the
           netid table contains valid supplementary group infor-
           mation for users. Not all name services can automati-
           cally keep the members listed in the group table in
           sync with the netid table.

Using this feature should greatly improve performance with large
group maps, provided of course that the NSS back end supports queries
against the netid map. I've also written a preloadable library
that has the same effect on the initgroups() function.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
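The man page's caveat, that the netid table must carry valid supplementary group information, can be checked mechanically. The following is an added example, not part of the original message and not Solaris code: it compares the groups a user gets from scanning the group table with the groups listed in a flat netid-style entry (`unix.<uid>@<domain> <uid>:<gid>,<gid>,...`). The user names, uids, gids and domain are constructed sample data, and the function names are hypothetical.

```python
# Added example: detect drift between the group table and the netid table.
# All sample data below is constructed; example.edu is a placeholder domain.
PASSWD = """\
alice:x:1001:100::/home/alice:/bin/sh
bob:x:1002:100::/home/bob:/bin/sh
"""
GROUP = """\
users::100:
cs101::2001:alice,bob
cs202::2002:alice
"""
NETID = """\
unix.1001@example.edu 1001:100,2001,2002
unix.1002@example.edu 1002:100
"""

def from_group_table(passwd, group):
    """Default view: every group entry is walked to find each user's groups."""
    users = {}
    for line in passwd.splitlines():
        f = line.split(":")
        users[f[0]] = (int(f[2]), {int(f[3])})  # name -> (uid, {primary gid})
    for line in group.splitlines():
        _name, _pw, gid, members = line.split(":")
        for m in filter(None, members.split(",")):
            if m in users:
                users[m][1].add(int(gid))
    return {uid: gids for uid, gids in users.values()}

def from_netid(netid):
    """NETID_AUTHORITATIVE view: one keyed entry per user lists all gids."""
    out = {}
    for line in netid.splitlines():
        key, value = line.split()
        if not key[5:].split("@")[0].isdigit():
            continue  # skip entries that are not keyed by a numeric uid
        uid, _, gids = value.partition(":")
        out[int(uid)] = {int(g) for g in gids.split(",") if g.isdigit()}
    return out

def drift(passwd, group, netid):
    """Return {uid: (missing_from_netid, extra_in_netid)} where the views differ."""
    want, have = from_group_table(passwd, group), from_netid(netid)
    report = {}
    for uid, gids in want.items():
        got = have.get(uid, set())
        if got != gids:
            report[uid] = (sorted(gids - got), sorted(got - gids))
    return report
```

On the sample data, `drift(PASSWD, GROUP, NETID)` reports uid 1002 as missing gid 2001 in netid, so a `group:` ACL entry for that group would not match that user once netid is authoritative.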
