Hi, I spent a good deal of time trying to get LDAP authentication working. Actually the authentication was fairly easy, but I wanted my LDAP server to use a MySQL backend: that was a little more complicated. In any case, after setting it all up, I tore it all down again because the performance was terrible. I had 3 redhat servers and a database of about 4000 users, and PAM would do very screwy things like request a list of all the groups whenever a user logged in -- and the way LDAP responds, it'd take the server at least several minutes to serve up the resulting list. PAM could have been much more optimized to make this work better, but in my situation I ended up better off with a "custom solution". I wrote a crontab that would regenerate the local passwd and shadow files on each server every couple minutes from the MySQL database (yes, every couple minutes is fairly often, but it was still much less CPU time than what LDAP would be doing). It was also much less coding in the long run, because making everything work with LDAP would have been a lot harder than just making everything work with itself, if you know what I mean.
LDAP is nice, but depending on how many users you have, it may not be efficient enough to do what you need done. I'm happy to talk to you about more specific things, but I guess my immediate recommendation is to strongly consider why you want to use LDAP as a standard before jumping into it.

--
Ken Gourlay
Chain Communications, Inc.

On Tuesday, July 23, 2002, at 06:56 PM, Drew Smith wrote:

> Hey folks,
>
> I'm considering implementing LDAP authentication across our network of
> about 15 Red Hat machines. Problem is, I've never really used LDAP or
> been in an environment that uses it.
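The cron-driven approach in the reply above (regenerate each server's passwd and shadow files from a central database) is easy to get wrong in ways that matter for security, so here is an added example of what one such run should look like. This is not Ken's script; it is illustrative code written for this page. It assumes a `users` table with the columns shown, uses an in-memory sqlite3 database as a stand-in for the MySQL backend so it runs offline, and all sample rows and file contents are constructed. The points it demonstrates: every field is validated before it is written (a colon or newline in a database field would otherwise inject extra fields into the line), uids and gids below 1000 are refused so a database row can never redefine root, local system accounts already on the host are preserved rather than overwritten, and each file is written atomically with shadow created 0600 before any hash lands in it.

```python
"""Added example: regenerate passwd/shadow from a user database the way the
post describes, with the checks a defender would want. Not the poster's code;
sqlite3 stands in for MySQL and every sample value below is constructed."""
import os
import re
import sqlite3
import tempfile

COLS = ("name", "uid", "gid", "gecos", "home", "shell", "pwhash", "lastchg")
# Constructed rows. The third carries a colon in GECOS: emitted as-is it would
# add fields to the passwd line and shift the home directory and shell.
SAMPLE_ROWS = [
    ("alice", 1001, 1001, "Alice Example", "/home/alice", "/bin/bash", "$6$salt$hashA", 11890),
    ("bob", 1002, 1002, "Bob Example", "/home/bob", "/bin/bash", "$6$salt$hashB", 11890),
    ("mallory", 1003, 1003, "Mallory:x:0:0", "/home/mallory", "/bin/bash", "$6$salt$hashM", 11890),
]
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
UID_MIN = 1000  # accounts below this are local system accounts and are never rewritten


def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, uid INTEGER, gid INTEGER, gecos TEXT, "
                 "home TEXT, shell TEXT, pwhash TEXT, lastchg INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def validate(user):
    """Return None if the record is safe to emit, otherwise the reason to reject it."""
    if not USERNAME_RE.match(user["name"]):
        return "bad username"
    if user["uid"] < UID_MIN or user["gid"] < UID_MIN:
        return "uid/gid inside the reserved system range"
    for key in ("gecos", "home", "shell", "pwhash"):
        if ":" in user[key] or "\n" in user[key]:
            return "field separator or newline in " + key
    return None


def load_users(conn):
    """Read the table; return (accepted records, [(name, reason)] for rejected ones)."""
    accepted, rejected, seen_names, seen_uids = [], [], set(), set()
    for row in conn.execute("SELECT %s FROM users ORDER BY uid" % ", ".join(COLS)):
        user = dict(zip(COLS, row))
        problem = validate(user)
        if problem is None and (user["name"] in seen_names or user["uid"] in seen_uids):
            problem = "duplicate name or uid"
        if problem:
            rejected.append((user["name"], problem))
            continue
        seen_names.add(user["name"])
        seen_uids.add(user["uid"])
        accepted.append(user)
    return accepted, rejected


def passwd_line(u):
    return "%s:x:%d:%d:%s:%s:%s" % (u["name"], u["uid"], u["gid"], u["gecos"], u["home"], u["shell"])


def shadow_line(u):
    # name:hash:lastchg:min:max:warn:inactive:expire:reserved
    return "%s:%s:%d:0:99999:7:::" % (u["name"], u["pwhash"], u["lastchg"])


def system_accounts(passwd_text):
    """Names of accounts in the host's current passwd file that live below UID_MIN."""
    names = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and int(f[2]) < UID_MIN:
            names.add(f[0])
    return names


def merge(existing_text, keep_names, new_lines):
    """Keep only the local system entries, then append the database-managed ones."""
    kept = [line for line in existing_text.splitlines() if line.split(":", 1)[0] in keep_names]
    return "\n".join(kept + new_lines) + "\n"


def write_atomic(path, content, mode):
    """Temp file in the same directory, then rename: readers never see a half-written
    file, and the mode (0600 for shadow) is set before any data is written."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".gen-")
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def regenerate(conn, passwd_path, shadow_path):
    """One cron run. Returns the rejected records so the caller can log them."""
    users, rejected = load_users(conn)
    with open(passwd_path) as fh:
        old_passwd = fh.read()
    with open(shadow_path) as fh:
        old_shadow = fh.read()
    keep = system_accounts(old_passwd)
    write_atomic(passwd_path, merge(old_passwd, keep, [passwd_line(u) for u in users]), 0o644)
    write_atomic(shadow_path, merge(old_shadow, keep, [shadow_line(u) for u in users]), 0o600)
    return rejected


def demo():
    """Run against a scratch directory (constructed files), never the real /etc."""
    d = tempfile.mkdtemp()
    p, s = os.path.join(d, "passwd"), os.path.join(d, "shadow")
    with open(p, "w") as fh:  # root must survive; "stale" is an old managed account
        fh.write("root:x:0:0:root:/root:/bin/bash\nstale:x:5000:5000::/home/stale:/bin/bash\n")
    with open(s, "w") as fh:
        fh.write("root:*:11890:0:99999:7:::\nstale:!:11890:0:99999:7:::\n")
    rejected = regenerate(make_sample_db(), p, s)
    with open(p) as fh, open(s) as sh:
        return rejected, fh.read(), sh.read()


if __name__ == "__main__":
    rejected, passwd_text, shadow_text = demo()
    print("rejected:", rejected)
    print(passwd_text)
```

In a real deployment the script would run as root from cron, read from MySQL instead of the in-memory table, and log the rejected list rather than print it. Note what this design trusts: the database is the source of truth for every account on every server, so the validation here bounds the damage of a malformed or tampered row but does not replace controlling who can write to that table.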