LDAP-nss - was unwanted loading of libnss_nis.so in etch
On Monday 19 February 2007 02:52, Petter Reinholdtsen <pere@hungry.com> wrote:
> > Can't you change the timeout? According to the comment in my
> > libnss-ldap you can:
>
> Sure. But reducing it to a value where it is usable would render the
> timeout useless. It would have to be <5 seconds, and that is almost
> equivalent to connecting to all the servers at once and picking the
> quickest responder. I would rather have a system where all the
> available LDAP servers are tested regularly, and the
> best/quickest/available ldap server is used by nss_ldap when a program
> requests nss info. Like ypbind is doing today, checking NIS servers
> every 15 minutes or when a client reports connection problems, and thus
> making sure a client survives network splits as long as at least one
> NIS server is available.

I have been thinking about this for a while. The only option that has
occurred to me which seems viable is to have some sort of LDAP proxy which
knows a reasonably fast server and keeps sending requests to it. It could
even have a connection kept open all the time for fast response. Of course
if proxying such data then the next obvious thing to do is to cache it as
well.

NSCD is designed as a proxy/cache for account data. Could NSCD do this?

Of course you still have lookups from PAM and from applications that do LDAP
queries so having an LDAP cache on localhost will still provide some
benefits.

--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development