
Re: Password file with over 3000 users.

--On September 19, 2007 9:35:50 AM +1000 Craig Sanders <cas@taz.net.au> wrote:

NOTE: LDAP is also a good alternative, but a *LOT* more work to set up.
libnss-db is a simple way to speed up what already works by putting the
passwd etc files into hashed database files.

I will totally agree there and for a single system LDAP can be severe overkill. libnss-db is exactly what I was mentioning in my just previous email.


PS: this works.  i did this several years ago on one server when the
number of accounts grew to about 5000.  there is one small catch - with
the cron job running every 5 minutes, there is a small window of time
when the source files in /etc have been updated but the .db versions
haven't been regenerated yet.

the nsswitch.conf file will check both the db and the original source
files in order, so it does not prevent new accounts from logging in.  for
account deletions, however, the deleted account will still work until the
.db files are regenerated.  similarly, password changes will not take
effect immediately.

actually, it's been years - i can't remember if only the old password
(in /var/lib/misc/shadow.db) works, or if both the old (shadow.db) and
new (/etc/shadow) password will work. either way, that's only until the
cron job runs make again (i.e. at most, up to 5 minutes. or less if you
have cron run make more frequently).

if you have written scripts to assist with account
creation/deletion/changing, you could easily modify them to run "cd
/var/lib/misc ; make" after any change, thus eliminating the delay.

you still want the cron job, though, in case there are other ways for a
password to be changed - shell login by users or poppassd or samba, for

craig sanders <cas@taz.net.au>


Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
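
Added example, not part of the original emails: a shell check for the window described above, in which a deleted account or an old password keeps working because a file in /etc is newer than its .db copy in /var/lib/misc. The map list (passwd, shadow, group), the function names and the `NSS_DB_MAKE` override are assumptions made for illustration; the rebuild step is the thread's own "cd /var/lib/misc ; make".

```shell
#!/bin/sh
# Added example (not from the thread): find libnss-db maps that lag behind /etc.

# stale_nss_dbs [SRC_DIR] [DB_DIR]
# Prints each map whose source file is newer than its .db file, or whose .db
# file is missing. Returns 0 when every map is current, 1 when any is stale.
stale_nss_dbs() {
    src_dir=${1:-/etc}
    db_dir=${2:-/var/lib/misc}
    stale=0
    # Assumed map list; match it to what the Makefile in DB_DIR actually builds.
    for map in passwd shadow group; do
        src="$src_dir/$map"
        db="$db_dir/$map.db"
        [ -e "$src" ] || continue        # no source file, nothing to compare
        if [ ! -e "$db" ] || [ "$src" -nt "$db" ]; then
            echo "$map"                  # deletions/password changes not yet live
            stale=1
        fi
    done
    return $stale
}

# refresh_nss_dbs [SRC_DIR] [DB_DIR]
# Rebuilds only when something is stale. Call it from account management
# scripts after every change, and from cron as the safety net.
refresh_nss_dbs() {
    src_dir=${1:-/etc}
    db_dir=${2:-/var/lib/misc}
    if pending=$(stale_nss_dbs "$src_dir" "$db_dir"); then
        return 0                         # all maps current, nothing to do
    fi
    echo "regenerating stale maps:" $pending >&2
    # NSS_DB_MAKE is a hypothetical override so the rebuild can be stubbed.
    ( cd "$db_dir" && ${NSS_DB_MAKE:-make} )
}
```

A non-zero return from `stale_nss_dbs` between cron runs means some other path (passwd from a shell login, poppassd, samba) changed /etc without triggering a rebuild.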
