From: Andreas Hasenack (no email)
Date: Fri Jun 02 2006 - 09:53:05 EDT
On Fri, Jun 02, 2006 at 03:42:14PM +0200, Simon Matter wrote:
> > On Fri, Jun 02, 2006 at 10:31:46AM +0200, Brasseur Valéry wrote:
> >> I have seen in the code that when you want to use groups in ACL for
> >> cyrus,
> >> the group is a UNIX one ... (calling setgrent, getpwnam ... )
> >> Is there a a way to use LDAP groups instead ...
> >
> > If you use nss_ldap, then cyrus will be using ldap groups without even
> > knowing
> > about it.
> >
> > But you may have performance problems if cyrus uses group enumeration,
> > that's
> > expensive in ldap.
>
> Usually you could use nscd to cache but nss_ldap group lookups don't work,
> and they really are slow with large groups. Therefore, I have implemented
> (I mean hacked) a groupcache feature for cyrus-imapd which is included in
> my rpms. Let me know if you are interested and don't want to exctract them
> from the source rpm.
A better approach would be to get rid of group enumeration function calls and
use a better way to discover to which group an user belongs. There are
functions in glibc that do this nicely, and nss_ldap translates them into quick
ldap queries.
---- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
|
|
|