From: Gary Mills (no email)
Date: Sat Jun 29 2002 - 12:04:22 EDT

On Sat, Jun 29, 2002 at 10:15:08AM -0500, Amos Gouaux wrote:
> I take it this is on Linux, right? This has been an interesting
> discussion (one of many!) because on our Solaris box we're
> currently using nsswitch to do the LDAP lookups for us. We do
> use 'group:' in the ACL of some of our student-specific shared
> folders. Performance got to be so bad that I had to dump the group
> entries into /etc/group and change nsswitch.conf to 'group: files'.
> While this works, I sometimes forgot to update that file. ;-)

Solaris 9 and recent versions of Solaris 8 include this information
in the `nss' man page:

    /etc/default/nss supports the following options:

        Changes the behavior of the name service lookups to
        use the netid table in response to the initgroups(3C)
        call. The netid table is provided by the LOCAL entries
        of the NIS+ cred.org_dir table. By default,
        initgroups() uses the group table. When
        NETID_AUTHORITATIVE is set to TRUE, initgroups() will
        use netid as the source for supplementary groups
        rather than the group table.

        The name service administrator must ensure that the
        netid table contains valid supplementary group
        information for users. Not all name services can
        automatically keep the members listed in the group
        table in sync with the netid table.

Using this feature should greatly improve performance with large
group maps, provided of course that the NSS back end supports queries
against the netid map. I've also written a preloadable library
that has the same effect on the initgroups() function.

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
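
Added example (not part of the original message): the man page excerpt warns that the netid table can drift from the group table, which matters once initgroups() trusts netid for supplementary groups. This sketch reports users whose group sets differ between the two sources; the sample data is constructed, and the NIS-style netid line format `unix.<uid>@<domain> <uid>:<gid>,<gid>,...` is an assumption about how the table was dumped.

```python
from collections import defaultdict

# Constructed sample data; in practice these would be dumps of the real tables.
PASSWD = """alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh"""
GROUP = """users::100:
proj::200:alice,bob
staff::300:alice"""
# Assumed format: "unix.<uid>@<domain> <uid>:<gid>,<gid>,..."
NETID = """unix.1001@example.com 1001:100,200,300
unix.1002@example.com 1002:100
unix.host1@example.com 0:host1"""

def groups_from_group_table(passwd, group):
    """uid -> set of gids: the primary gid plus every group listing the user."""
    uid_of, gids = {}, defaultdict(set)
    for line in filter(str.strip, passwd.splitlines()):
        name, _, uid, gid = line.split(":")[:4]
        uid_of[name] = int(uid)
        gids[int(uid)].add(int(gid))
    for line in filter(str.strip, group.splitlines()):
        _, _, gid, members = line.split(":")[:4]
        for member in filter(None, members.split(",")):
            if member in uid_of:
                gids[uid_of[member]].add(int(gid))
    return dict(gids)

def groups_from_netid(netid):
    """uid -> set of gids as the netid table states them; host entries skipped."""
    gids = {}
    for line in filter(str.strip, netid.splitlines()):
        key, value = line.split()
        ident = key.partition("@")[0]
        if not ident.startswith("unix.") or not ident[5:].isdigit():
            continue  # e.g. "unix.host1@domain 0:host1" describes a host
        uid, _, glist = value.partition(":")
        gids[int(uid)] = {int(g) for g in glist.split(",") if g}
    return gids

def drift(passwd, group, netid):
    """{uid: (gids missing from netid, gids only in netid)} for mismatches."""
    want, have = groups_from_group_table(passwd, group), groups_from_netid(netid)
    return {uid: (sorted(g - have.get(uid, set())), sorted(have.get(uid, set()) - g))
            for uid, g in want.items() if g != have.get(uid, set())}

if __name__ == "__main__":
    for uid, (missing, extra) in sorted(drift(PASSWD, GROUP, NETID).items()):
        print(f"uid {uid}: missing from netid {missing}, only in netid {extra}")
```

A gid missing from netid means the user loses access that group-based ACLs intend to grant; a gid found only in netid means access the group table no longer shows.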