tech-userlevel archive
Re: RFC: Going the LDAP/Kerberos way with NetBSD.
On 1-May-08, at 6:48 AM, Anders Magnusson wrote:
> There has not been any suggestion at all to drop either files or nsswitch.
> On the contrary, they play a significant role in NetBSD. The only things in the "drop case" are:
> - {s}pwd.db. Should not be needed at all anymore. Actually, I think that using just the files when <50 entries in the passwd file would be faster than doing a db lookup. Haven't tested though, but would be quick to do.
> The point here is that if there are more than 50 users on the system you probably want a directory server on your machine.
There are several intertwined issues here.

First off, even on machines well over a decade old that number is probably _MUCH_ higher, say closer to 100, or even 200, and that's true even if they're running operating systems of the same era. I did some careful tests for similar kinds of files on a 3B2/400 back in the late 1980s and found that even sorting the file and using a binary search was a waste of time, effort and complexity for fewer than at least 300 records.

The second issue is complexity, and as an issue it has many intertwined sub-issues. :-)

While direct sequential file access is clearly simple, it may not be the simplest in terms of keeping system managers from doing stupid things when it is only one of several lookup methods, and especially when there's more than one style of "local" lookup method.

The current *BSD practice of always stuffing everything into *.db files (for the local lookup case) gives us the simplest possible way of implementing (and managing) a method which is efficient for the widest range of database sizes, from the very small to the rather large. More recently I did tests on Pentium-II class machines showing that even 100,000 users can be handled efficiently with the current setup (modulo some minor adjustments to the db parameters set by pwd_mkdb).

What I'm gathering from this thread though is that some folks would rather introduce a great deal more complexity for the majority of users just to make things a little bit easier for the (relatively) few cases where NetBSD machines will be required to work within some networked environment which already provides LDAP directory services.

You really don't want to have to run any kind of directory server, even one running locally on the same host, unless you really _must_ participate in a network where use of such a service is mandatory. The unnecessary added complexity alone rules it out, never mind any untested concerns about overhead and efficiency.

Personally I think the _only_ change that's acceptable would be one which solely adds LDAP client support to nsswitch, and which does so in such a way that its code is completely surrounded by an #ifdef such as USE_LDAP (i.e. in the manner USE_YP should work). In fact I would really very much like to have the option of choosing to use LDAP via /etc/nsswitch.conf. In a perfect world it might even fit in using the same kind of "compat"(ability) record as YP uses (e.g. something like a "+" in the user field to direct further queries to an LDAP server).
--
Greg A. Woods; Planix, Inc.
<woods%planix.ca@localhost>
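The "files vs. db" crossover debated in this thread can be measured rather than guessed at. The script below is an added example, not code from the thread or from NetBSD: it times a worst-case getpwnam(3)-style lookup of the last user in a constructed passwd(5) file, scanned sequentially, against the same records in a hashed dbm file that stands in for pwd.db; the entry counts, user names and the dbm analogue are assumptions.

```python
# Added example (not NetBSD code): sizes, user names and the dbm analogue are assumptions.
import dbm, os, tempfile, timeit

def make_passwd_lines(n):
    """Construct n synthetic passwd(5) records: name:pw:uid:gid:gecos:home:shell."""
    return ["user%05d:*:%d:100:User %d:/home/user%05d:/bin/sh" % (i, 1000 + i, i, i)
            for i in range(n)]

def parse_line(line):
    """Parse one passwd(5) line; reject anything without exactly seven fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    return {"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}

def lookup_sequential(path, name):
    """The plain-files method: read and parse until the user name matches."""
    with open(path) as fp:
        for line in fp:
            if line.startswith(name + ":"):
                return parse_line(line)
    return None

def build_index(path, dbpath):
    """Rough analogue of pwd_mkdb(8): store each record under its user name."""
    with dbm.open(dbpath, "n") as db, open(path) as fp:
        for line in fp:
            db[line.split(":", 1)[0]] = line

def lookup_indexed(dbpath, name):
    """One hashed lookup, reopening the db each call like a cold getpwnam(3)."""
    with dbm.open(dbpath, "r") as db:
        raw = db.get(name)
    return parse_line(raw.decode()) if raw else None

def crossover(sizes=(50, 300, 5000), rounds=100):
    """Return {n: (sequential_seconds, indexed_seconds)}, looking up the last user."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for n in sizes:
            path, dbpath = os.path.join(tmp, "passwd"), os.path.join(tmp, "pwd%d" % n)
            with open(path, "w") as fp:
                fp.write("\n".join(make_passwd_lines(n)) + "\n")
            build_index(path, dbpath)
            target = "user%05d" % (n - 1)  # worst case for the sequential scan
            results[n] = (timeit.timeit(lambda: lookup_sequential(path, target), number=rounds),
                          timeit.timeit(lambda: lookup_indexed(dbpath, target), number=rounds))
    return results
```

Run `crossover()` and compare the two columns per size; the point at which the hashed lookup wins is the number the thread is arguing about, and it depends on the disk, the libc and the dbm backend rather than on any fixed figure like 50.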