LDAP-UX Client Services B.05.00 Administrator's Guide
2.5.5.2 Netgroups in LDAP
With LDAP, the ability to use netgroups to control which groups of users are visible on a host,
or which fields are masked, is still available. System administrators can enable NIS compat mode
by defining the following sequence in the /etc/nsswitch.conf file:
...
passwd: compat
passwd_compat: files ldap
...
The first line indicates that the passwd name service should operate in the traditional
“compatibility mode,” allowing netgroups to be specified in the /etc/passwd file. The second
line indicates that the files and LDAP repositories should be used as the name service repository
for finding the user accounts referenced by those netgroups.
However, use of compat mode with an LDAP repository can greatly impact the performance of the
name service system. When compat mode is used to mask passwd entries, numerous requests must
be sent to the directory server: first to examine the netgroups and find their members, then to
search for each individual member. Although ldapclientd can cache netgroup and passwd entries,
the name service subsystem itself does the processing that produces the masked results. Caching
therefore helps, but the ldapclientd caching daemon still bears a very heavy CPU load as it
services the many requests the name service subsystem issues.
Most deployments use compat mode only to control which users are allowed to log in to the host.
In that case, the libpam_authz library can control which users may log in to the host, based on
the netgroups listed in the /etc/passwd file (for more information about PAM_AUTHZ login
authorization and libpam_authz, see Section 5.3 (page 140)), and compat mode can be disabled.
For deployments that rely on the field-masking feature of compat mode, however, no alternative
was available; in a large organization with numerous netgroups containing many users,
ldapclientd could saturate the CPU.
As a means to greatly mitigate the performance impacts of compat-mode field masking, LDAP-UX
has integrated compat mode support directly into ldapclientd, allowing caching of
compat-mode user entries.
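The following is an added example, not code from LDAP-UX or from this guide, that makes the cost described above concrete. It models the walk a compat-mode name service switch makes over /etc/passwd: expanding +@netgroup and -@netgroup entries (plus +user, -user and a bare +), applying the field overrides a + line carries, and counting the requests the directory server receives for one pass. The directory contents, netgroups and /etc/passwd lines are constructed, and the Directory class is a stand-in for the LDAP server. The override rule modeled is the conventional NIS compat one (a + line may override the password, gecos, home directory and shell fields; uid and gid always come from the directory entry); confirm it against the passwd(4) manual page for your HP-UX release.

```python
"""Model of NIS "compat" processing of /etc/passwd against an LDAP directory.
Added example, not LDAP-UX code: walks /etc/passwd in order, expands compat
entries against an in-memory directory, applies field masking, counts requests."""

# Constructed stand-in for the directory's passwd entries: name -> 7 fields.
DIRECTORY_PASSWD = {
    "alice": "alice:x:1001:100:Alice A:/home/alice:/bin/sh".split(":"),
    "bob":   "bob:x:1002:100:Bob B:/home/bob:/bin/sh".split(":"),
    "carol": "carol:x:1003:100:Carol C:/home/carol:/bin/ksh".split(":"),
    "dave":  "dave:x:1004:100:Dave D:/home/dave:/bin/sh".split(":"),
}
# Constructed netgroups: name -> ((host, user, domain) triples, nested netgroups).
DIRECTORY_NETGROUPS = {
    "staff":    ([("-", "alice", "-"), ("-", "bob", "-")], []),
    "ops":      ([("-", "carol", "-")], []),
    "contract": ([("-", "dave", "-")], []),
    "everyone": ([], ["staff", "ops", "contract"]),
}
# Constructed /etc/passwd: a local root entry, then compat entries. The
# '+@staff' line overrides only the shell field of each staff member.
PASSWD_FILE = """\
root:x:0:3::/:/sbin/sh
+@staff::::::/bin/rksh
-@ops
+@everyone
"""
OVERRIDABLE = (1, 4, 5, 6)   # passwd, gecos, home, shell; uid/gid are never overridden


class Directory:
    """In-memory directory server that counts the requests it receives."""
    def __init__(self, passwd, netgroups):
        self.passwd, self.netgroups, self.requests = passwd, netgroups, 0
    def getpwnam(self, name):            # search for one user
        self.requests += 1
        return self.passwd.get(name)
    def getpwent(self):                  # one search enumerating every user
        self.requests += 1
        return list(self.passwd.values())
    def getnetgrent(self, name):         # fetch one netgroup object
        self.requests += 1
        return self.netgroups.get(name, ([], []))


def netgroup_users(d, name, seen=None):
    """Flatten a netgroup and its nested netgroups into user names; each
    netgroup visited costs one directory request."""
    seen = set() if seen is None else seen
    if name in seen:                     # guard against netgroup cycles
        return []
    seen.add(name)
    triples, nested = d.getnetgrent(name)
    users = [u for (_host, u, _domain) in triples if u and u != "-"]
    for sub in nested:
        users.extend(netgroup_users(d, sub, seen))
    return users


def mask(entry, compat_fields):
    """Apply the non-empty override fields of a + line to a directory entry."""
    out = list(entry)
    for i in OVERRIDABLE:
        if compat_fields[i]:
            out[i] = compat_fields[i]
    return out


def resolve_compat(d, passwd_text):
    """Return the passwd entries a compat-mode switch would present, in order."""
    result, included, excluded = [], set(), set()
    def add(entry, compat_fields):
        if entry[0] not in excluded and entry[0] not in included:
            included.add(entry[0])       # exclusions and earlier entries win
            result.append(mask(entry, compat_fields))
    for line in filter(None, map(str.strip, passwd_text.splitlines())):
        fields = (line.split(":") + [""] * 7)[:7]
        key = fields[0]
        if key == "+":                                   # every directory user
            entries = d.getpwent()
        elif key.startswith("+"):                        # a netgroup's members or one user
            names = netgroup_users(d, key[2:]) if key.startswith("+@") else [key[1:]]
            entries = [d.getpwnam(n) for n in names if n not in excluded and n not in included]
        elif key.startswith("-"):                        # hide a netgroup's members or one user
            excluded.update(netgroup_users(d, key[2:]) if key.startswith("-@") else [key[1:]])
            continue
        else:                                            # ordinary local entry, used as-is
            entries, fields = [fields], [""] * 7
        for entry in entries:
            if entry:
                add(entry, fields)
    return result


def compat_report(passwd_text=PASSWD_FILE):
    """Resolve passwd_text against a fresh directory; return (entries, requests)."""
    d = Directory(DIRECTORY_PASSWD, DIRECTORY_NETGROUPS)
    return resolve_compat(d, passwd_text), d.requests


if __name__ == "__main__":
    entries, requests = compat_report()
    print("\n".join(":".join(e) for e in entries), "\nrequests:", requests)
```

For the constructed file, one pass yields four visible users (root, alice, bob, dave) but costs nine directory requests: one per netgroup visited (the nested "everyone" netgroup alone costs four) plus one per member that still has to be searched. Order matters in the same way it does in the real switch: "-@ops" hides carol from the later "+@everyone", and alice and bob keep the shell override from the earlier "+@staff" line. These netgroup expansions and per-member searches are what the name service subsystem drives in compat mode; ldapclientd's cache can answer the individual requests but does not remove the walk itself.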
2.5.5.3 Configuring integrated “compat” mode
To enable integrated compat mode, you must perform four configuration steps:
1. Disable compat mode in the name service switch. In the /etc/nsswitch.conf file, replace
the following:
...
passwd: compat
passwd_compat: files ldap
...
with:
...
passwd: files ldap
...
2. Configure internal compat-mode processing inside ldapclientd:
a. /etc/opt/ldapux/ldapclientd.conf
Search for "flush_compat_info_time". This setting controls how often ldapclientd
refreshes its cached copy of the netgroup structures defined in the /etc/passwd
file. If you change the netgroup list in the /etc/passwd file, the change does not
take effect until this period has elapsed or you have restarted ldapclientd or
flushed its caches (the -F option). Adjust this value as needed, or leave it at the
default (1 day).
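As an added example for step 1 (not an LDAP-UX tool), the following Python function performs the /etc/nsswitch.conf rewrite mechanically: it replaces "passwd: compat" with the sources listed on the "passwd_compat:" line and drops that line. It is idempotent, so a switch file that is already in non-compat form is returned unchanged, and it deliberately refuses to guess when "passwd: compat" is present without a "passwd_compat:" line. The sample switch file is constructed.

```python
"""Rewrite /etc/nsswitch.conf for integrated compat mode (step 1 above).
Added example, not an LDAP-UX tool: turns 'passwd: compat' plus
'passwd_compat: <sources>' into a single 'passwd: <sources>' line."""
import re

# Matches the two switch entries this step touches; trailing comments are removed before matching.
LINE_RE = re.compile(r"^\s*(passwd|passwd_compat)\s*:\s*(.*?)\s*$")

# Constructed sample of a switch file in the traditional compat configuration.
SAMPLE_NSSWITCH = """\
# switch configuration
hosts: files dns
passwd: compat
passwd_compat: files ldap
group: files ldap
"""


def disable_passwd_compat(text):
    """Return (new_text, changed). changed is False when the switch is not in
    compat mode, or when 'passwd: compat' has no 'passwd_compat:' line to take
    the sources from (that case needs a human decision, not a guessed default)."""
    lines = text.splitlines()
    compat_idx = sources_idx = sources = None
    for i, line in enumerate(lines):
        m = LINE_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        key, value = m.groups()
        if key == "passwd" and value.split()[:1] == ["compat"]:
            compat_idx = i
        elif key == "passwd_compat" and value:
            sources_idx, sources = i, value
    if compat_idx is None or sources_idx is None:
        return text, False
    lines[compat_idx] = "passwd: " + sources      # e.g. 'passwd: files ldap'
    del lines[sources_idx]                         # passwd_compat is no longer consulted
    return "\n".join(lines) + "\n", True


if __name__ == "__main__":
    new_text, changed = disable_passwd_compat(SAMPLE_NSSWITCH)
    print(new_text if changed else "switch is not in compat mode; nothing to do")
```

The function only edits the switch file. The "+@netgroup" and "-@netgroup" lines in /etc/passwd stay in place, because in integrated mode ldapclientd reads the netgroup structures from that file (step 2a), and after editing the switch you still restart ldapclientd or flush its caches with -F as described above.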
2.5 Post-installation configuration tasks 105