tech-userlevel archive


Re: RFC: Going the LDAP/Kerberos way with NetBSD.



On 1-May-08, at 6:48 AM, Anders Magnusson wrote:

There has not been any suggestion at all to drop either files or nsswitch. Contrary, they play a significant role in NetBSD. The only things in the "drop case" are:

- {s}pwd.db. Should not be needed at all anymore. Actually, I think that using just the files when <50 entries in the passwd file would be faster than doing a db lookup. Haven't tested though, but would be quick to do.

The point here is that if there are more than 50 users on the system you probably want a directory server on your machine.

There are several intertwined issues here.

First off, even on machines well over a decade old that number is probably _MUCH_ higher, say closer to 100, or even 200, and that's true even if they're running operating systems of the same era. I did some careful tests for similar kinds of files on a 3B2/400 back in the late 1980's and found that even sorting the file and using a binary search was a waste of time, effort and complexity for fewer than at least 300 records.

The second issue is complexity, and as an issue it has many intertwined sub-issues. :-)

While direct sequential file access is clearly simple, it may not be the simplest in terms of keeping system managers from doing stupid things when it is only one of several lookup methods and especially when there's more than one style of "local" lookup method.

The current *BSD practice of always stuffing everything into *.db files (for the local lookup case) gives us the simplest possible way of implementing (and managing) a method which is efficient for the widest range of database sizes from the very small to the rather large. More recently I did tests on Pentium-II class machines showing that even 100,000 users can be handled efficiently with the current setup (modulo some minor adjustments to the db parameters set by pwd_mkdb).

What I'm gathering from this thread though is that some folks would rather introduce a great deal more complexity for the majority of users just to make things a little bit easier for the (relatively) few cases where NetBSD machines will be required to work within some networked environment which already provides LDAP directory services. You really don't want to have to run any kind of directory server, even one running locally on the same host, unless you really _must_ participate in a network where use of such a service is mandatory. The unnecessary added complexity alone rules it out, never mind any untested concerns about overhead and efficiency.

Personally I think the _only_ change that's acceptable would be one which solely adds LDAP client support to nsswitch, and which does so in such a way that its code is completely surrounded by an #ifdef such as USE_LDAP (i.e. in the manner USE_YP should work). In fact I would really very much like to have the option of choosing to use LDAP via /etc/nsswitch.conf. In a perfect world it might even fit in using the same kind of "compat"(ability) record as YP uses (e.g. something like a "+" in the user field to direct further queries to an LDAP server).

--
                                        Greg A. Woods; Planix, Inc.
                                        <woods%planix.ca@localhost>


