
Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)



On Wed, 13 Oct 2004 23:23, Wouter Verhelst <wouter@grep.be> wrote:
> > > This is not the case for Debian; and yes, we already do have local fast
> > > DB caches (using libnss-db).
> >
> > That's an entirely different issue.
>
> No, it's not, not in this case anyway.
>
> > libnss-db is just for faster access to /etc/passwd.
>
> You are mistaken. In the FreeBSD implementation, it is; however, the
> Linux implementation allows other things to be done with it.
>
> For instance, my /etc/default/libnss-db contains the following lines:
>
> ETC = /root/stage
> DBS = passwd group shadow

shadow is part of the passwd setup.  group does no good on most systems (on my 
system /etc/group is only 70 lines and the database gives no benefit).

> I also have a script which creates (incomplete (as in, without system
> users)) files /root/stage/{passwd,shadow,group} containing just the user
> and group records that are in LDAP. Next, /etc/nsswitch.conf contains
> the following:
>
> passwd:         db compat
> group:          db compat
> shadow:         db compat

So what's the point of having LDAP if you are going to manually copy flat 
files around?

> > The implementation in Linux is fairly poor however, it doesn't even
> > stat /etc/passwd to see if it's newer than the db.
>
> That's a feature, not a bug. Unless you want it to check 'the passwd
> file' as it is defined in /etc/default/libnss-db (or another
> configuration file), in which case it would indeed be a good idea.

If you want the database to be in sync with the flat file and be usable 
without gross hacks as it is in AIX then it's a serious bug.

> > The performance gain isn't as good as you would expect either.
>
> Been there, done that.
>
> IME, doing this kind of thing is *way* faster than using libnss-ldap.

Way faster than a non-local LDAP.  But not significantly faster than flat 
files unless you have >10,000 users (which isn't the case for Debian).

> An added bonus is that the libnss-db Makefile will not update the .db
> files if the original ones are empty; so if the LDAP daemon dies or is
> unavailable for some reason, my users can still log in, even after the
> next time the cronjob runs. This is not the case with libnss-ldap, AIUI.

True.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
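
The staleness and empty-source behaviour debated in this message, as an added example that is not part of the original post or of libnss-db: a shell function that reports whether each database listed in DBS is in sync with its source file under ETC. The function names and the choice to pass the .db directory as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether a libnss-db database is in sync with its
# source file. SRC_DIR is the ETC value from /etc/default/libnss-db; DB_DIR
# is wherever the .db files live (passed in, not assumed).

# nssdb_status SRC_DIR DB_DIR NAME -> prints one word describing the state
nssdb_status() {
    src="$1/$3"
    db="$2/$3.db"
    if [ ! -e "$src" ]; then
        echo missing-source
    elif [ ! -s "$src" ]; then
        # Empty export (e.g. LDAP was down): the old .db should be kept.
        echo empty-source
    elif [ ! -e "$db" ]; then
        echo missing-db
    elif [ "$src" -nt "$db" ]; then
        # Flat file changed after the last rebuild; "db" lookups are stale.
        echo stale
    else
        echo fresh
    fi
}

# nssdb_report SRC_DIR DB_DIR NAME... -> one "name: state" line per database
nssdb_report() {
    s="$1"; d="$2"; shift 2
    for name in "$@"; do
        echo "$name: $(nssdb_status "$s" "$d" "$name")"
    done
}

# Constructed demo in a scratch directory (no real system files are touched).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/stage" "$demo_dir/db"
echo 'alice:x:1000:1000::/home/alice:/bin/sh' > "$demo_dir/stage/passwd"
: > "$demo_dir/stage/group"                      # simulates a failed LDAP export
touch -t 200410130000 "$demo_dir/db/passwd.db"   # older than the source
touch "$demo_dir/db/group.db"
nssdb_report "$demo_dir/stage" "$demo_dir/db" passwd group shadow
rm -rf "$demo_dir"
```

Run from cron after the export script, a `stale` or `empty-source` line is the signal that accounts served through `db` no longer match the directory, which matters most for removed or locked users.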
