[KLUG Members] Re: slow ldap authentication

Joe Baker joebaker at dcresearch.com
Wed Jan 11 14:24:29 EST 2006


Komal Wrote:

>Date: Wed, 11 Jan 2006 14:55:21 +0530
>From: agencies_ad1 at sancharnet.in
>Subject: [KLUG Members] slow ldap authentication
>To: "The main KLUG mailing list." <members at kalamazoolinux.org>
>Message-ID: <1136971521.43c4cf011c09a at nwebmail.sancharnet.in>
>Content-Type: text/plain; charset=ISO-8859-1
>
>
>Hello
>Let me start this issue with a little background. We use Microsoft Active
>Directory as our LDAP server. Using validated Microsoft components (Microsoft
>Services For Unix) we have extended its LDAP schema to allow unix servers like
>unix to authenticate against AD's LDAP server so that services like ssh, samba,
>su, ftp, etc can use the MS password db. I have had no issue with RHEL 2 AS,
>RHEL 3 AS using these services. Everything has been great. I get fast lookups
>against AD for authentication when I su/ssh/ftp/smb as any AD user. Life is
>pretty good. When I use RHEL 4 AS, it works too, but there is a problem. If I
>ssh/ftp/su/smb as root or any local /etc/passwd user, the response time is
>fast. If I su/ssh/smb/ftp as a LDAP user (after AD is using LDAP, just
>modified) the response time is ~15 seconds. If I enable nscd, the first
>su/ssh/ftp/smb attempt takes ~15 seconds. The subsequent attempts are almost
>instantaneous. On RHEL 2 AS and RHEL 3 AS, I do not even need nscd to speed up
>lookups against AD for su/ssh/ftp/smb. What is the problem with RHEL 4? I even
>did an up2date from U1 to U2 and this made no difference. Is there anything I
>can do to speed up this lookup? Again, RHEL AS 2 and 3 against the same AD
>server is always fast. It is just RHEL 4 that seems slow. Granted, on RH AS 2 I
>compiled nss and pam libraries to work with AD LDAP as RH AS. In other words,
>RHEL 2 and 3 does not work with Microsoft's implementation of LDAP unless you
>update pam and nss libraries, not to mention openldap must be upgraded. On,
>RHEL4 everything works out of the box except for this lookup delay problem. Let
>me know as this is critical for an upcoming migration from RHEL AS 2 to RHEL 4
>AS
>
>Thanks
>
>Regards,
>
>Komal


Komal, might I suggest that the name resolution isn't set up properly on the machine with the 15 second delays.  Typically daemons on the system like to log the hostname that is making the connection, so the hosts file is consulted, then other services such as NIS, WINS, DNS and maybe even additional LDAP queries.  /etc/nsswitch.conf is typically the file that is used for configuring the order of precedence for these name resolver services.  Add on top of this that many LANs don't have a local DNS zone setup and you can begin to see that there is much room for improvement in the name resolution arena.

Try creating a client host name in /etc/hosts on the slow server like this

192.168.0.35	testhostname.nelfc.com

And then initiate an SSH, FTP, SMB connection from .35 and see if that helps.  If not, then I'm likely wrong in my guess.

Good Luck Komal,

-Joe Baker
Burlington, Wisconsin
http://www.burlingtonlinux.org
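A small diagnostic, added here as an example and not part of Joe's reply, that checks whether a client IP would be answered from the hosts file before the network resolvers Joe lists (the "hosts:" order in nsswitch.conf) and times the system's reverse lookup. The hosts and nsswitch.conf contents below are constructed samples; the 192.168.0.35 / testhostname.nelfc.com entry mirrors Joe's suggested line.

```python
"""Check whether a client IP resolves from the local hosts file before
slower network sources (NIS/WINS/DNS/LDAP), and time a reverse lookup."""
import socket
import time

# Constructed sample files (real ones: /etc/hosts and /etc/nsswitch.conf).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# client that opens the ssh/ftp/smb sessions
192.168.0.35   testhostname.nelfc.com   testhostname
"""
SAMPLE_NSSWITCH = """\
passwd: files ldap
hosts:  files nis dns
"""

def parse_hosts(text):
    """Map each IP in hosts-file text to its names; skip comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        table.setdefault(fields[0], []).extend(fields[1:])
    return table

def hosts_lookup_order(text):
    """Return the resolver order of the 'hosts' database from nsswitch.conf text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []

def resolved_locally(ip, hosts_text, nsswitch_text):
    """True if the IP has a hosts entry and 'files' is consulted first."""
    order = hosts_lookup_order(nsswitch_text)
    return ip in parse_hosts(hosts_text) and bool(order) and order[0] == "files"

def time_reverse_lookup(ip):
    """Return (seconds, name) for a system reverse lookup; name is None on failure."""
    start = time.monotonic()
    try:
        name = socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / socket.gaierror
        name = None
    return time.monotonic() - start, name

if __name__ == "__main__":
    ip = "192.168.0.35"
    print("hosts lookup order:", hosts_lookup_order(SAMPLE_NSSWITCH))
    print("covered by hosts file:", resolved_locally(ip, SAMPLE_HOSTS, SAMPLE_NSSWITCH))
    elapsed, name = time_reverse_lookup("127.0.0.1")
    print(f"reverse lookup of 127.0.0.1 -> {name} in {elapsed:.3f}s")
```

Run it on the slow server with the real files and the connecting client's IP; a multi-second result from time_reverse_lookup() for that IP points at the resolver path Joe describes rather than at LDAP itself.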



