Wow, I didn't even know this list was still around.
> I am using pam ldap module to interface to a directory service
> containing identity information. My directory contains a very big
> number of groups, in the order of some thousands. Sniffing the network
> I see that a lot of global searches (requests for all the groups in
> the directory) are sent toward the directory. This causes a lot of
Yes, this is the braindead manner in which NSS enumerates groups; it is
really horrible but it is also the long standing behavior of libc/glibc.
So in UNIX-land we are stuck with it.
> network traffic and poses some awkward scalability problems. Is there
> any way to avoid this kind of queries, or is there any way to solve
> this scalability problem???
To ameliorate this issue you can (a) use access control to limit what
groups a host sees, removing groups not relevant to a host, (b) use a
local partial replicant [easy with sync-repl] to maintain a copy of the
groups branch of the DIT, (c) use an alternative to nss_ldapd such as
nss-ldapd [http://ch.tudelft.nl/~arthur/nss-ldapd/] possibly in
conjunction with nss_updatedb [http://www.padl.com/OSS/nss_updatedb.html]
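As an added illustration of options (a) and (b) above, not part of the original reply, here is an OpenLDAP slapd.conf fragment: the first stanza (provider side) uses an ACL so that only a named host can read the groups branch, and the second stanza (consumer side) pulls just that branch with syncrepl so the NSS enumerations hit a local replica instead of the central server. The suffix dc=example,dc=com, the ou=groups container, the replicator DN, the hostname ldap-master.example.com and the address 192.0.2.10 are assumed placeholders.

```conf
# --- Provider (central directory): option (a), access control ---
# Assumed layout: groups live under ou=groups,dc=example,dc=com.
# Only the replica host 192.0.2.10 (placeholder) and the replicator
# identity may read the groups subtree; everyone else gets nothing,
# so a host cannot enumerate groups it has no business seeing.
access to dn.subtree="ou=groups,dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by peername.ip=192.0.2.10 read
    by * none

# --- Consumer (local partial replica): option (b), syncrepl ---
# Replicates ONLY the groups branch, only posixGroup entries, and only
# the attributes NSS needs. refreshAndPersist keeps the copy current
# without the local host re-issuing full group searches upstream.
database    mdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

syncrepl rid=001
    provider=ldap://ldap-master.example.com
    type=refreshAndPersist
    searchbase="ou=groups,dc=example,dc=com"
    filter="(objectClass=posixGroup)"
    scope=sub
    attrs="cn,gidNumber,memberUid"
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=CHANGE-ME-placeholder
    retry="60 +"

# Local NSS clients are then pointed at ldap://localhost (nss_ldap.conf or
# nslcd.conf 'uri' directive), so the enumeration traffic stays on the box.
```

Both stanzas are illustrative of the directives involved rather than a drop-in file; a partial replica like this also means the local copy deliberately lacks users and other branches, so NSS on that host must still be configured to look elsewhere for them.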