Hi,
I spent a good deal of time trying to get LDAP authentication working.  
Actually the authentication was fairly easy, but I wanted my LDAP server 
to use a MySQL backend: that was a little more complicated.  In any 
case, after setting it all up, I tore it all down again because the 
performance was terrible.  I had 3 Red Hat servers and a database of 
about 4000 users, and PAM would do very screwy things like request a 
list of all the groups whenever a user logged in -- and the way LDAP 
responds, it'd take the server at least several minutes to serve up the 
resulting list.  PAM could have been much more optimized to make this 
work better, but in my situation I ended up better off with a "custom 
solution".  I wrote a crontab that would regenerate the local passwd and 
shadow files on each server every couple minutes from the MySQL database 
(yes, every couple minutes is fairly often, but it was still much less 
CPU time than what LDAP would be doing).  It was also much less coding 
in the long run, because making everything work with LDAP would have 
been a lot harder than just making everything work with itself, if you 
know what I mean.

LDAP is nice, but depending on how many users you have, it may not be 
efficient enough to do what you need done.  I'm happy to talk to you 
about more specific things, but I guess my immediate recommendation is 
to strongly consider why you want to use LDAP as a standard before 
jumping into it.

-- Ken Gourlay
-- Chain Communications, Inc.


On Tuesday, July 23, 2002, at 06:56 PM, Drew Smith wrote:

>
>       Hey folks,
>
>       I'm considering implementing LDAP authentication across our network of
> about 15 Red Hat machines.  Problem is, I've never really used LDAP or
> been in an environment that uses it.
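The "regenerate passwd and shadow from the database" approach Ken describes, as an added example that is not his script: it renders the two files from a row set (constructed sample rows stand in for the MySQL query result; the column names are assumptions), rejects any field that could split an entry, and replaces each file atomically so a login racing the cron job never reads a half-written file. It assumes system accounts (uid below 1000) live in a static local file that is prepended separately.

```python
import os
import re
import tempfile

# Constructed sample rows standing in for the MySQL result set (assumed schema).
SAMPLE_ROWS = [
    {"name": "alice", "uid": 1001, "gid": 100, "gecos": "Alice Example",
     "home": "/home/alice", "shell": "/bin/bash",
     "hash": "$6$saltsalt$constructedhashvalue", "lastchg": 11891},
    {"name": "bob", "uid": 1002, "gid": 100, "gecos": "Bob Example",
     "home": "/home/bob", "shell": "/bin/bash", "hash": "!", "lastchg": 11891},
]

NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def render_entries(rows):
    """Return (passwd_text, shadow_text) for the rows.

    Every field is checked for ':' and newline before joining: an unchecked
    value would otherwise become extra fields or a whole extra account line."""
    passwd, shadow, seen = [], [], set()
    for r in rows:
        name = r["name"]
        if not NAME_RE.match(name) or name in seen:
            raise ValueError(f"bad or duplicate user name: {name!r}")
        seen.add(name)
        uid, gid = int(r["uid"]), int(r["gid"])
        if uid < 1000 or gid < 0:  # system accounts never come from the DB
            raise ValueError(f"uid/gid out of range for {name}")
        for field in ("gecos", "home", "shell", "hash"):
            if ":" in r[field] or "\n" in r[field]:
                raise ValueError(f"illegal character in {field} for {name}")
        passwd.append(f"{name}:x:{uid}:{gid}:{r['gecos']}:{r['home']}:{r['shell']}")
        shadow.append(f"{name}:{r['hash']}:{int(r['lastchg'])}:0:99999:7:::")
    return "\n".join(passwd) + "\n", "\n".join(shadow) + "\n"

def write_atomically(path, text, mode):
    """Write to a temp file in the target directory, set the mode (0o644 for
    passwd, 0o000 for shadow), then rename over the old file in one step."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".sync-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

Note that with this design a disabled account stays valid on each server until the next cron run, so the sync interval is also the deprovisioning delay.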
