From: Harald Schmalzbauer <h.schmalzbauer@omnilan.de> (OmniLAN)
Date: Tue, 19 Aug 2014 16:15:02 +0200
To: Eric van Gyzen
Cc: "O. Hartmann", freebsd-current@freebsd.org, "Eggert, Lars", "current@freebsd.org", Peter Wemm
Subject: Re: nscd not caching
Message-ID: <53F35BE6.9010905@omnilan.de>
In-Reply-To: <53F35390.2060503@vangyzen.net>
References: <20140817152202.6ec8e374.ohartman@zedat.fu-berlin.de> <2295097.hWnAh3kd1o@overcee.wemm.org> <53F34DA3.70609@omnilan.de> <53F35390.2060503@vangyzen.net>

Regarding Eric van Gyzen's message from 19.08.2014 15:39 (localtime):
> On 08/19/2014 09:14, Harald Schmalzbauer wrote:
>> …
>>> At least that's what we found in the freebsd.org cluster. nss-pam-ldapd
>>> was two or three orders of magnitude more usable and got rid of nscd in
>>> the process.
>>>
>>> For us, nscd "worked", but it just didn't save much effort because it
>>> was a per-uid cache. ie: if "jkh" had just caused a ldap search, and
>>> "peter" repeated it, it had to be done again from scratch.
>>>
>>> The downside for nss-pam-ldapd was that it uses a non-extensible wire
>>> protocol and didn't have room for bsd-style login classes.
>> This exactly reflects my experiences too, which is why I'm wondering if
>> net/nss-pam-ldapd is a serious base candidate.
>> When nscd showed up (around 7.0-Release if I remember correctly), it
>> was a big and highly appreciated improvement for me, reducing
>> interactivity lags of gnome e.g. by at least a factor of 4 for usual
>> desktop user tasks when the user database was LDAP driven.
>> At that time there were rumors that FreeBSD needs LDAP user-database
>> support, but with the glitches of net/nss_ldap, it seemed that there was
>> no ready-to-implement solution at that time.
>> Things changed completely with net/nss-pam-ldapd. Haven't had any
>> negative experiences with single-LDAP backend networks. Haven't had big
>> environments yet either, but I think it's time to think about
>> base-LDAP-support again. net/nss-pam-ldapd is GPL licensed, so I guess
>> it won't get into base, but it was a great template, wasn't it?
> +1 for nss-pam-ldapd. We were using nss_ldap+pam_ldap, but switched to
> nss-pam-ldapd. It's much faster and very reliable. We have several
> multi-user FreeBSD systems (build servers, doing lots of lookups),
> dozens of concurrent users and hundreds of total users, and Active
> Directory servers.
>
> The way nss_ldap links the LDAP libraries into every process is not just
> inefficient: it can be fatal. Thunderbird includes (or formerly
> included?) its own private LDAP libraries. These conflicted with those
> used by nss_ldap, so that Thunderbird would often crash. I don't know
> if this is still a problem, but it's not /my/ problem anymore.
>
> As for the base system, "pkg install nss-pam-ldapd" is embarrassingly
> easy and /much/ easier than adding to the base system.

'pkg install' is incredibly convenient these days, for sure, but in my
world, hosts that don't need internet access don't have internet access
(4 out of 5). To make things worse, NFS exports aren't root-mapped (other
than the default nobody:nobody), so I quite often have the case that I
have to provide net/nss-pam-ldapd via ISO-9660 image (for VM guests) or
CD media. That's not so convenient.
Another limitation of 'pkg install' is that I can't influence what to
install. Sometimes I want nss_ldap without pam_ldap. Therefore I'd need a
compiler (something my production machines don't have) and ports, which
in my case can't be fetched from the internet nor from the NFS server
(the latter has to be entered as LDAP user…)
That's why I'd love to see base system LDAP support – I think it's very
important to be able to set up a network computer in networks which
aren't interconnected with other networks/internet; these days more
important than ever since possible…

-Harry
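The wiring the thread is arguing about, as an added example that is not part of the original message or of the nss-pam-ldapd project: an NSS-only setup (nss_ldap via nslcd, no pam_ldap, which is the split Harry asks for) with nscd's "cache" source in front. The hostname, base DN, service account and CA path are assumptions; the directive names are those of nscd(8), nsswitch.conf(5) and nslcd.conf(5), and /usr/local/etc/nslcd.conf is where the FreeBSD port installs its config.

```conf
# /etc/nsswitch.conf (FreeBSD)
#   "cache" is nscd(8) and must come before the sources it should cache;
#   "files" stays ahead of "ldap" so root and other local accounts resolve
#   even when the directory is unreachable; "ldap" is the thin nss_ldap
#   module from net/nss-pam-ldapd, which only talks to the local nslcd
#   socket and does not load libldap into the calling process.
passwd: cache files ldap
group:  cache files ldap

# /etc/rc.conf (relevant lines only)
nscd_enable="YES"
nslcd_enable="YES"

# /usr/local/etc/nslcd.conf
#   Read by the nslcd daemon only, so libldap lives in exactly one process.
#   It holds bindpw in the clear: keep the file owned by root, mode 0600.
uid nslcd
gid nslcd
uri ldaps://ldap.example.internal/            # assumed hostname
base dc=example,dc=internal                    # assumed base DN
binddn cn=nss-reader,ou=svc,dc=example,dc=internal   # assumed read-only account
bindpw CHANGE-ME                               # placeholder
ssl on
tls_reqcert demand                             # refuse unverifiable server certs
tls_cacertfile /usr/local/etc/ssl/ldap-ca.pem  # assumed path to the private CA
scope sub
filter passwd (objectClass=posixAccount)
filter group  (objectClass=posixGroup)
```

With no pam_ldap line in /etc/pam.d, authentication stays on the existing PAM stack; the directory only supplies name-to-uid/gid resolution. Check the result from a shell with `getent passwd` for a directory-only account, once with nscd stopped and once running, to see which lookups are answered from the cache.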