
eDirectory and nscd advice.....


Peter Norris

Dec 7, 2009, 11:54:21 PM
Hi,

Just looking for some advice.. (sorry the mail is so long..)

We currently have a 2-node Linux OES cluster (whilst we still have
NetWare, then it will move to a 4)

So our environment = OES2 SP2, latest fixes (eDir 8.8.5 etc)

So we are seeing an issue where our student Linux desktops mount the NSS
volumes via NFS.

This requires LUM.

We have about 10,000 Students,

So for LUM I use Dynamic groups for the Students, I have 10 Dynamic
groups which means there are about 1000 students per group.

The problem I was seeing was that eDirectory (or ndsd) was taking
massive amounts of CPU and grinding the machine to a halt.. ndstrace
was showing non-stop connections doing searches for the members of the
dynamic groups.

I tried reserving large amounts of memory (fixed) for eDirectory but
that didn't work..

So now I am playing with the nscd settings which is going well so far..
for NFS

In nam.conf I have set
cache-only=yes
persistent-cache-refresh-period=86400
enable-persistent-cache=yes
num-threads=20


In nscd.conf I have turned on
enable-cache for group/passwd/hosts
persistent=yes


However, in nscd I haven't changed the size of max-db-size; I haven't
found out how to find out if this is maxed out.

What I have noticed is that when searching for students in iManager while
pointing to the server on which I have set cache-only, the search just sits there..

By making it cache-only, will this cause other problems with eDirectory
or OES?

Students are only added once a day from the HR database, so that isn't a
problem. There are others added, but they don't use LUM/NFS

Thanks for any thoughts

Peter
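
For the max-db-size question in the post above, one way to check (an added example, not part of the original thread): compare each cache's "used data pool size" from `nscd -g` with the max-db-size set in nscd.conf. The statistics and config text in the block are constructed samples, and the function names are hypothetical.

```shell
#!/bin/bash
# Constructed sample in the layout `nscd -g` prints: value first, label after.
sample_stats() {
cat <<'EOF'
passwd cache:

            yes  cache is enabled
        8388608  total data pool size
        8126464  used data pool size
             12  memory allocations failed

group cache:

            yes  cache is enabled
        1048576  total data pool size
         262144  used data pool size
              0  memory allocations failed
EOF
}

# Constructed nscd.conf fragment: max-db-size <service> <bytes> caps the pool.
sample_conf() {
  printf 'max-db-size passwd 8388608\nmax-db-size group 33554432\n'
}

# pool_report STATS_FILE CONF_FILE -> name used max percent failed-allocs status
# (the 90% threshold is an arbitrary choice for this example)
pool_report() {
  awk '
    NR == FNR { if ($1 == "max-db-size") max[$2] = $3; next }
    /cache:$/                   { db = $1 }
    /used data pool size/       { used[db] = $1 }
    /memory allocations failed/ { fail[db] = $1; order[++n] = db }
    END {
      for (i = 1; i <= n; i++) {
        d = order[i]
        if (max[d] + 0 == 0) { print d, "no max-db-size configured"; continue }
        pct = int(used[d] * 100 / max[d])
        st = (fail[d] + 0 > 0 || pct >= 90) ? "NEAR-LIMIT" : "ok"
        print d, used[d], max[d], pct "%", fail[d], st
      }
    }' "$2" "$1"
}

# Demo on constructed data; on a host: nscd -g > stats.txt, then pool_report stats.txt /etc/nscd.conf
stats=$(mktemp); conf=$(mktemp)
sample_stats > "$stats"; sample_conf > "$conf"
pool_report "$stats" "$conf"
rm -f "$stats" "$conf"
```

A non-zero "memory allocations failed" count or a used size close to max-db-size means that cache has no room left to grow.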

a...@novell.com

Dec 8, 2009, 11:05:39 AM

A few things come to mind, and some data may be outdated so correct me if
I'm wrong.

First, a few years ago the recommendation was to use either namcd or nscd,
and when you have LUM you used namcd (required). The two were meant to be
mutually exclusive. Has that changed?

Second, iManager does not know/care about LUM (as far as namcd and farther
down is concerned). Its queries go to eDirectory directly (like namcd
itself does) and setting namcd one way or another should not affect
iManager directly, although indirectly it may cause eDirectory to be too
busy to do other things like answer iManager searches.

Good luck.


Peter Norris

Dec 8, 2009, 5:31:50 PM
Hi AB,

Thanks for the reply,

I didn't know that it was either namcd or nscd as both were running, I
kind of got it in my head both were required.

By default both seem to be running on my OES server. Can I just disable
nscd, as namcd is required?

That is good to know about iManager. I wonder why it suddenly went so
slow; I will do further testing, because eDirectory wasn't busy.

Maybe I should go back to the default settings and use standard groups
rather than Dynamic. I just like the idea of dynamic, it was easy... :-)

Thanks again

Peter

Peter Norris

Dec 8, 2009, 5:33:38 PM
Hi Eric,

Thanks for the reply, and good pointer, yes I have IDM used for lots of
things so won't be a problem to add. I just liked the idea of using
Dynamic groups... Also we use Templates to create users' home
directories, so I could even do the add group membership there.

Thanks again

Peter


EricVeysey wrote:
> The only thing that I can see is that you are using dynamic groups with
> 1000 users that are constantly being queried (logins).
>
> I've noticed slowness and performance issues when using dynamic groups
> that require frequent queries. Do you have IdM? You could replace it
> with a static group and add group membership with a driver instead.
>
>

Peter Kuo

Dec 8, 2009, 6:36:18 PM
Is the attribute for whatever your DG's search filter pointed to indexed?

--


Peter
eDirectory Rules!
http://www.DreamLAN.com

Peter Norris

Dec 8, 2009, 10:00:37 PM
Hi Peter,

re:- index
No I don't think so (I only have the out-of-the-box indexes set), but I
am unsure what I would index on for this scenario.

Basically the structure =

ou=0 (Has all students whose id finishes with a 0)
ou=1 (Has all students whose id finishes with a 1)

etc

Then my dynamic group says any objectClass=* in OU=0 is a member. I have a
DG for each OU 0 - 9..

To be honest, once a student is in an OU it never changes (unless that
user is deleted). Maybe I shouldn't be using dynamic groups for this, and
I have three methods of adding a user to a standard group

1) the ldap creation script
2) IDM
3) GroupMembership of a template..

However if you think it should work well with DG I am happy to keep
them, but what would I need to index on?

Thanks

Peter

Peter Kuo

Dec 8, 2009, 10:46:42 PM
Peter Norris wrote:

> However if you think it should work well with DG I am happy to keep
> them, but what would I need to index on?

Can you show us what your DG's search filter looks like? In your
student's OUs, are there any other object types other than User? "May"
help some if you narrow the search filter to objectclass=inetorgperson
instead of objectclass=*.

Objectclass is not indexed - at least not on my test server (which has
gone through a large number of eDir updates so I don't trust it to show me
defaults <g>). Check yours - it's under the Index property tab for the NCP
Server object. Having it indexed could help.
