[COLUG] Linux nss_ldap on eDirectory
Brian Miller
bnmille at gmail.com
Wed Nov 15 20:43:56 EST 2006
On Wednesday 15 November 2006 9:34 am, talin at ilive4code.net wrote:
> I am working on a project to move accounts, groups, netgroups, etc.
> (RFC2307 items) into Novell's eDirectory.
>
> Things are a little different from OpenLDAP which I'm used to, such as
> permissions and ldif file formats, but I've been able to figure things
> out. My work is posted here for anyone else having to go down this road:
> http://www.ilive4unix.net/doku.php/notes/sec/edirectory
>
> There are two questions I have yet to get answered:
>
> 1.) User accounts will be integrated into eDirectory's existing user
> accounts, but what about groups? Do they integrate somewhere, or do I
> place the unix groups wherever I like?
>
You can use regular groups, but I recommend placing all of your posix-enabled
groups under one container. In a typical eDirectory environment, you often
have multiple groups with the same common name in different containers. You
don't want to create two posix groups with the same name, having different
gids (or even two groups with the same common name, the same gid, but having
different user memberships). Results will be unpredictable. Of course, if
your eDirectory will be dedicated to posix accounts, this likely won't be a
problem.
In our environment, we have users under a rather large hierarchical structure
under one O (organization), and all of our posix groups are under another O.
This is controlled by the /etc/ldap.conf file, where we comment out the
"base=" line, but fill in the "base_passwd", "base_shadow", and "base_group"
lines.
> 2.) What about performance? How many Unix clients can an eDirectory
> support? What is an acceptable response time limit for pulling say
> passwd?
>
We have never changed the default response time configuration. The number of
clients supported depends on the hardware you are running eDirectory on. We
recently swapped out a NetWare box (single processor, 2 GB of RAM, probably a
Pentium 4, that also provided services other than LDAP authentication) for a
Linux box (dual processor, 8 GB of RAM, 64-bit AMD processors, dedicated to
LDAP authentication). The response time dropped dramatically. I personally
think the other services the NetWare box was offering were the cause for the
slow-down, but don't have any way to prove it. Novell does state that
running eDirectory on 64-bit Linux with AMD chips provides the fastest
performance of all the platforms that they support (NetWare on Intel,
Solaris, HP-UX, AIX, and Linux on Intel), due to the differences in hardware
architecture.
> Local:
> time getent passwd
> ...
> real 0m0.078s
> user 0m0.004s
> sys 0m0.004s
>
> How does response time scale as servers are added and as the passwd list
> grows?
>
The response time depends on a number of factors, such as whether you use
round-robin DNS, a dedicated load balancer, how much of the database is
cached in RAM, etc. Since the LDAP authentication is essentially a read
request, it goes pretty fast. eDirectory uses a specialized FLAIM database.
Novell has demonstrated lookups in a directory with over 1 million user
objects (in a fairly flat tree), recording sub-second response times. I
believe this was using a single NetWare server (but I'm not 100% sure on
that). This was a couple of years ago, when they were first coming out with
NetWare 6.
> Travis Sidelinger
> Systems Admin
> Columbus Metropolitan Library
>
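The collision Brian warns about (two posixGroups with the same cn but different gids, or the same gid with different memberships) is easy to check for before pointing nss_ldap at the tree. The following is an added example, not code from either poster: it parses a simple LDIF export (such as the output of an `ldapsearch -LLL "(objectClass=posixGroup)"` run, assumed here) and reports both kinds of conflict. The sample LDIF and the container names in it are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: "staff" exists in two containers with different gids,
# and gid 2000 is used by two groups whose memberships differ.
SAMPLE_LDIF = """\
dn: cn=staff,ou=Library,o=Users
cn: staff
gidNumber: 1001

dn: cn=staff,ou=IT,o=Users
cn: staff
gidNumber: 1002

dn: cn=admins,o=Posix
cn: admins
gidNumber: 2000
memberUid: alice
memberUid: bob

dn: cn=admins,ou=Legacy,o=Users
cn: admins
gidNumber: 2000
memberUid: alice
"""

def parse_ldif(text):
    """Minimal LDIF parser: yields one dict of attribute -> [values] per entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():            # blank line terminates an entry
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        yield entry

def find_group_conflicts(ldif_text):
    """Return (cn -> set of gids for names with several gids,
    gid -> sorted dns for gids whose groups have differing members)."""
    by_name, by_gid = defaultdict(set), defaultdict(dict)
    for e in parse_ldif(ldif_text):
        cn, gid = e["cn"][0], e["gidNumber"][0]
        by_name[cn].add(gid)
        by_gid[gid][e["dn"][0]] = frozenset(e.get("memberUid", []))
    names = {cn: gids for cn, gids in by_name.items() if len(gids) > 1}
    gids = {g: sorted(d) for g, d in by_gid.items() if len(set(d.values())) > 1}
    return names, gids
```

An empty result for both dictionaries means the tree (or the subtree you put in `base_group`) is safe to expose to nss_ldap.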