Preparing your LDAP Directory for HP-UX Integration

Large Databases
One reason to choose an LDAP directory as the "back-end" naming and authentication service for an
HP-UX system is its scalability. LDAP directories were designed to look up information in large databases
quickly. The traditional flat /etc/passwd file was not. However, an LDAP directory does not solve
scalability problems without some investment. To maximize performance with a large database, consider the
following:
Enumeration
Enumeration is the "root of all evil" when you have a large database. Enumeration means that an
application examines all the entries in a database, one entry at a time.
FYI: An application that calls setpwent/getpwent() or setgrent/getgrent() is an application that
enumerates. When an application calls one of these APIs, the NIS/LDAP Gateway and
LDAP-UX Client Services products must request all the posixAccount or posixGroup entries
from the LDAP directory in order to satisfy the request. If your LDAP directory contains
70,000 posixAccount entries and you have an application that calls setpwent/getpwent() every
10 minutes, then the application will be downloading all 70,000 entries through your network
every 10 minutes!
Eliminating applications that do enumeration will greatly improve performance of your systems and reduce
network bandwidth requirements. An LDAP directory cannot increase performance of applications that
enumerate. However, an LDAP directory can give applications new options, eliminating the need for
enumeration. Here is an example: Suppose an application wants to display all the users that have blank
passwords. For this program to work, it must examine every passwd entry checking to see if the user's
password is a null string. It repeatedly calls getpwent() until it reaches the end of the password file. If this
passwd database contains one million users, this requires excessive CPU and network resources. But an
LDAP search request could perform this task in one operation, and quickly (in this example, the
userPassword attribute should be "indexed" as described in the previous section). Here is a simplified
command to perform the above request (the filter is quoted so that the shell does not interpret the
parentheses and the ampersand):
ldapsearch -b baseDN '(&(objectclass=posixaccount)(userpassword=""))' dn
Common Enumerators
The best way to improve performance of applications that do enumeration is to rewrite or eliminate them if
possible. Below is a list of common offenders:
- finger, enumerates the entire password list to find the requested user.
- initgroups(), a procedure called by login and groups, enumerates all groups to determine
which groups the user belongs to. On an HP-UX 10.20 NIS client, the initgroups() procedure
does not attempt to determine what groups the user is a member of. However, on an 11.00 NIS
client, this procedure executes a "ypall" request, which enumerates all groups. On an 11.00
native LDAP client, this procedure uses a proper LDAP search, thus avoiding enumeration.
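The FYI note above describes what enumeration looks like on the wire (every posixAccount or posixGroup entry downloaded on each setpwent/getpwent or setgrent/getgrent cycle), and the list of common enumerators names the usual sources. The server's access log is where an administrator can confirm which clients are doing it. The script below is an added example, not part of the HP document or the LDAP-UX product: it parses access log lines in the Netscape/iPlanet directory server style (the log format and the sample lines are constructed for illustration, not captured from a real server), pairs each SRCH with its RESULT by conn/op, and flags connections whose filter is nothing more than an objectClass test and that return at least a threshold number of entries, which is the server-side signature of an enumerating client. The `min_entries` threshold and the log field layout are assumptions.

```python
"""Flag LDAP clients that enumerate posixAccount/posixGroup entries.

Added example (not from the HP document): parses directory-server access
log lines in the Netscape/iPlanet style, pairs each SRCH with its RESULT
by conn/op, and reports connections whose filter is an unconstrained
objectClass match returning many entries.  Log layout and sample lines
are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: conn=12 is a setpwent/getpwent-style enumerator,
# conn=13 is a well-behaved client doing a targeted lookup of one uid.
SAMPLE_LOG = """\
[21/Feb/2001:10:00:01 -0800] conn=12 fd=34 slot=34 connection from 10.1.1.5 to 10.1.1.1
[21/Feb/2001:10:00:01 -0800] conn=12 op=0 BIND dn="" method=128 version=3
[21/Feb/2001:10:00:01 -0800] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Feb/2001:10:00:02 -0800] conn=12 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs=ALL
[21/Feb/2001:10:00:14 -0800] conn=12 op=1 RESULT err=0 tag=101 nentries=70000 etime=12
[21/Feb/2001:10:00:20 -0800] conn=13 fd=35 slot=35 connection from 10.1.1.9 to 10.1.1.1
[21/Feb/2001:10:00:20 -0800] conn=13 op=0 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs="uidNumber gidNumber"
[21/Feb/2001:10:00:20 -0800] conn=13 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[21/Feb/2001:10:10:02 -0800] conn=12 op=2 SRCH base="ou=groups,dc=example,dc=com" scope=2 filter="(objectClass=posixGroup)" attrs=ALL
[21/Feb/2001:10:10:09 -0800] conn=12 op=2 RESULT err=0 tag=101 nentries=3500 etime=7
"""

# Assumed field layout of the three line types we care about.
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')

# A filter that is only an objectClass test selects every account or group:
# that is what a setpwent/getpwent or setgrent/getgrent cycle turns into.
ENUM_FILTER_RE = re.compile(r'^\(objectclass=(posixaccount|posixgroup)\)$', re.IGNORECASE)


def find_enumerators(log_text, min_entries=1000):
    """Return {(client_ip, conn): [(op, filter, nentries), ...]} for searches
    whose filter is an unconstrained objectClass test and whose RESULT
    returned at least min_entries entries."""
    client_of_conn = {}   # conn id -> client address, from the connection line
    pending = {}          # (conn, op) -> filter, awaiting the matching RESULT
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client_of_conn[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, _base, _scope, flt = m.groups()
            pending[(conn, op)] = flt
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            flt = pending.pop((conn, op), None)
            # RESULT lines for BINDs and failed searches have no pending SRCH.
            if flt is None or err != "0":
                continue
            if ENUM_FILTER_RE.match(flt) and int(nentries) >= min_entries:
                client = client_of_conn.get(conn, "unknown")
                hits[(client, conn)].append((int(op), flt, int(nentries)))
    return dict(hits)


def entries_per_client(hits):
    """Total entries each client pulled through enumeration: the number the
    FYI note multiplies by the polling interval to get the network cost."""
    totals = defaultdict(int)
    for (client, _conn), ops in hits.items():
        totals[client] += sum(n for _op, _flt, n in ops)
    return dict(totals)


if __name__ == "__main__":
    found = find_enumerators(SAMPLE_LOG)
    for (client, conn), ops in found.items():
        for op, flt, n in ops:
            print(f"{client} conn={conn} op={op} {flt} -> {n} entries")
    print("entries per client:", entries_per_client(found))
```

Run against a real access log, the output points at the client hosts worth inspecting for finger, initgroups() on 11.00 NIS clients, or locally written getpwent()/getgrent() loops; the threshold keeps a legitimate scope=2 search that happens to match a handful of entries out of the report.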