Re: Review D38047 ... and then there was one....

From: Marek Zarychta <zarychtam_at_plan-b.pwste.edu.pl>
Date: Sun, 06 Oct 2024 19:56:27 UTC
W dniu 6.10.2024 o 20:35, David E. Cross pisze:
> Please, love to get some eyes on this.  As it stands nscd is 
> completely useless for LDAP for getgroupmembership (and really ANY 
> implementation that defines a specific implementation of 
> getgroupmembership, since it will then bypass the non-existent NSCD 
> version).  Additionally it fixes bugs with negative caching as well as 
> increases thread safety.

Thank you for this patch. I am not competent to review this code, but 
can test it. Really, our nscd with LDAP is a nightmare. I have set 
filters to narrow lookups, but with full directory, when  nscd is runnig 
I have have such timings:

[host] ~# /usr/bin/time getent passwd > /dev/null
         0.62 real         0.06 user         0.15 sys
[host] ~# /usr/bin/time getent passwd > /dev/null
         0.47 real         0.07 user         0.12 sys
[host] ~# /usr/bin/time getent passwd > /dev/null
         0.46 real         0.04 user         0.15 sys

After stopping nscd service:

[host] ~# /usr/bin/time getent passwd > /dev/null
         0.15 real         0.03 user         0.06 sys
[host] ~# /usr/bin/time getent passwd > /dev/null
         0.16 real         0.01 user         0.08 sys

Unfortunately, with this patch applied there is no much improvement:

[host] ~# /usr/bin/time getent passwd > /dev/null
         0.65 real         0.03 user         0.19 sys
[host] ~# /usr/bin/time getent passwd > /dev/null
         0.48 real         0.02 user         0.22 sys
[host] ~# /usr/bin/time getent passwd > /dev/null
         0.43 real         0.06 user         0.12 sys

The test were run on most recent stable/14 with net/nss-pam-ldapd as a 
Name Service Switch module for LDAP lookup.

-- 
Marek Zarychta