Tuesday, November 6, 2012

do not try to use unix LDAP queries against AD without this...

Ok short post this. If you have 1,000s of users and you are using this sort of foo to map your users to AD in Linux:

[jcuff@atlas6203 home00]$ cat /etc/ldap.conf | grep posix
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group

And your schema does not look like this (that little tick box has to be there):


Even with NSCD, you are going to be stuffed.

That is all.

I learned this the hard way today... amazing what you find when you are not a Windows admin...

It is true, it is on the internet. We saw a 2x speedup on every getent-related system operation as an added win.

postscript: HPC systems do a lot of getent... ;-)


[any opinions here are all mine, and have absolutely nothing to do with my employer]
(c) 2011 James Cuff