Re: LDAP Auth?

From: Ken Gourlay (
Date: 07/29/02

Date: Mon, 29 Jul 2002 14:07:52 -0400
To: Drew Smith <>
From: Ken Gourlay <>

I spent a good deal of time trying to get LDAP authentication working.
Actually the authentication was fairly easy, but I wanted my LDAP server
to use a MySQL backend: that was a little more complicated. In any
case, after setting it all up, I tore it all down again because the
performance was terrible. I had 3 redhat servers and a database of
about 4000 users, and PAM would do very screwy things like request a
list of all the groups whenever a user logged in -- and the way LDAP
responds, it'd take the server at least several minutes to serve up the
resulting list. PAM could have been much more optimized to make this
work better, but in my situation I ended up better off with a "custom
solution". I wrote a crontab that would regenerate the local passwd and
shadow files on each server every couple minutes from the MySQL database
(yes, every couple minutes is fairly often, but it was still much less
CPU time than what LDAP would be doing). It was also much less coding
in the long run, because making everything work with LDAP would have
been a lot harder than just making everything work with itself, if you
know what I mean.

LDAP is nice, but depending on how many users you have, it may not be
efficient enough to do what you need done. I'm happy to talk to you
about more specific things, but I guess my immediate recommendation is
to strongly consider why you want to use LDAP as a standard before
jumping into it.

-- Ken Gourlay
-- Chain Communicaitons, Inc.

On Tuesday, July 23, 2002, at 06:56 PM, Drew Smith wrote:

> Hey folks,
> I'm considering implementing LDAP authentication across our network of
> about 15 Red Hat machines. Problem is, I've never really used LDAP or
> been in an environment that uses it.