5.x, LDAP and caching uid/gid data

Ben Hockenhull benh at jpj.net
Wed Jun 8 19:37:38 GMT 2005


At 1:24 PM -0500 6/8/05, Tony Shadwick wrote:

>On Wed, 8 Jun 2005, Ben Hockenhull wrote:
>
>> We're in the midst of implementing a couple of FreeBSD servers, each
>> containing about 5k users, with authentication against LDAP.  We're using
>> PADL's nss_ldap and pam_ldap modules, and while things work well, I'm
>> looking for ways to improve performance and reduce active queries against
>> LDAP.
>>
>> There's no user information on the local system at all, so every operation
>> that requires UID/GID information had to do an LDAP lookup to get UID/GID
>> data.  So, for example, every piece of mail delivered means an LDAP lookup.
>> Ick.
>>
>> Is there such a thing as nscd for FreeBSD, and if so, has anyone had
>> experience using it?  I found a lookupd utility that looks promising, but
>> I'm leery of implementing it in production as it seems like fairly untested
>> software.
>>
>> Failing nscd or a similar thing, are there other ways I can cache this
>> information or otherwise improve performance?
>
>Hmm....
>
>Just based on my past experiences with NIS (working on learning LDAP as
>we speak), one would normally have SOME local user data.
>
>For example, a local sendmail user, a local root user, if you're running a
>MySQL daemon locally, you'd have a local mysql user.
>
>I think?  Someone could correct me if I'm wrong here, but I see little
>benefit from having the smmsp user being in ldap and not local to the
>machine.  Feel free to prove me wrong on this though. :)
>
>I'd still be interested in hearing about ldap caching, as it relates to my
>earlier question about laptop users and centralized auth.

I should have been a bit more explicit.  All system accounts (root, smmsp,
etc) are still local to the server, but any actual user accounts are in
LDAP, with no local passwd entries at all.

Ben
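
The following is an added illustration, not code from this thread, from FreeBSD or from PADL's nss_ldap: an nscd-style uid/gid cache placed in front of a "files" source and an LDAP source, to show how much of the per-delivery LDAP traffic Ben describes a cache removes, and where the caveat lies. The directory and the account names are constructed in-memory data, the per-second delivery schedule is an assumption, and the `lookup`, `invalidate` and `simulate_deliveries` names are hypothetical.

```python
"""nscd-style positive/negative caching of passwd lookups (added example).

The "directory" is a constructed dict standing in for LDAP; nothing here
talks to a real server.  System accounts stay in the local passwd file, as
the thread describes, so the nsswitch order "files ldap" keeps them off the
wire entirely.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Entry = Tuple[int, int]  # (uid, gid)

# Constructed sample data, not real accounts.
LOCAL_PASSWD: Dict[str, Entry] = {"root": (0, 0), "smmsp": (25, 25)}
LDAP_DIRECTORY: Dict[str, Entry] = {"alice": (10001, 10001), "bob": (10002, 10001)}
# 100 constructed mail deliveries: two LDAP users, one local user, one unknown name.
RECIPIENTS: List[str] = ["alice", "bob", "root", "nobody-here"] * 25


@dataclass
class NssCache:
    """'files' first, then the directory, with separate TTLs for found entries
    (positive) and for 'no such user' answers (negative), as nscd keeps them."""
    directory: Dict[str, Entry]
    local: Dict[str, Entry] = field(default_factory=lambda: dict(LOCAL_PASSWD))
    positive_ttl: float = 600.0   # seconds a found entry is trusted
    negative_ttl: float = 20.0    # seconds an "unknown user" answer is trusted
    ldap_queries: int = 0         # lookups that actually reached the directory
    _entries: Dict[str, Tuple[Optional[Entry], float]] = field(default_factory=dict)

    def lookup(self, name: str, now: float) -> Optional[Entry]:
        # nsswitch order "files ldap": local accounts never touch the directory
        if name in self.local:
            return self.local[name]
        cached = self._entries.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]              # cache hit, no directory traffic
        self.ldap_queries += 1            # cache miss or expired entry
        value = self.directory.get(name)
        ttl = self.positive_ttl if value is not None else self.negative_ttl
        self._entries[name] = (value, now + ttl)
        return value

    def invalidate(self, name: Optional[str] = None) -> None:
        """Drop one entry or the whole table, as an administrator would after
        changing the directory (hypothetical name for nscd's invalidate step)."""
        if name is None:
            self._entries.clear()
        else:
            self._entries.pop(name, None)


def simulate_deliveries(recipients: List[str], positive_ttl: float = 600.0,
                        negative_ttl: float = 20.0) -> Tuple[int, int]:
    """One uid/gid lookup per delivery, one delivery per second (assumed).
    Returns (deliveries_resolved, ldap_queries_issued).  TTLs of 0 model the
    uncached situation from the thread: every delivery is a directory query."""
    cache = NssCache(dict(LDAP_DIRECTORY), positive_ttl=positive_ttl,
                     negative_ttl=negative_ttl)
    resolved = 0
    for second, name in enumerate(recipients):
        if cache.lookup(name, now=float(second)) is not None:
            resolved += 1
    return resolved, cache.ldap_queries


def staleness_window(positive_ttl: float = 600.0) -> Tuple[Optional[Entry], Optional[Entry]]:
    """The caveat that comes with caching: a user removed from the directory is
    still resolved to the old uid/gid until the positive TTL runs out or the
    entry is flushed.  Returns (answer_after_delete, answer_after_flush)."""
    directory = dict(LDAP_DIRECTORY)
    cache = NssCache(directory, positive_ttl=positive_ttl)
    cache.lookup("bob", now=0.0)                 # populates the cache
    del directory["bob"]                         # account removed centrally
    stale_hit = cache.lookup("bob", now=1.0)     # still served from the cache
    cache.invalidate("bob")                      # what the admin must remember to do
    after_flush = cache.lookup("bob", now=2.0)   # re-queried: the account is gone
    return stale_hit, after_flush


if __name__ == "__main__":
    print("uncached:", simulate_deliveries(RECIPIENTS, 0.0, 0.0))
    print("cached:  ", simulate_deliveries(RECIPIENTS))
    print("stale/flushed:", staleness_window())
```

With the constructed schedule, the 100 deliveries cost 75 directory queries uncached (the 25 lookups of root are answered from files either way) and 7 with the cache: one each for alice and bob, and five for the unknown name because the short negative TTL lets it be re-asked every 20 seconds. The second function is the part to keep in mind when tuning a long positive TTL: a removed account keeps its uid/gid on the box until the entry expires or is flushed.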
