useradd too slow with LDAP nsswitch
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shadow (Ubuntu) | Fix Released | Wishlist | Kees Cook |
Bug Description
Binary package hint: passwd
On a machine with nsswitch configured to use an LDAP server with around 50000 users, trying to add a new local user (with useradd) takes a really long time.
My /etc/nsswitch.conf contains this:
passwd: files ldap
group: files
shadow: files
hosts: files dns mdns
#hosts: dns [!UNAVAIL=return] files mdns #UA2006 ?
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
An strace shows that useradd is fetching a full list of users from the server: on my system this takes a long time. Commenting out the "ldap" in nsswitch immediately solves the problem.
Maybe this is a feature but I can't see why adding a new user should need to verify every existing user.
Using the command newusers, there is no problem even with LDAP activated.
João Rodrigues
Changed in shadow: importance: Undecided → Wishlist
Forgot to say:
I'm using Ubuntu 6.06 but I recall similar behavior with a Mandrake 10.1 distro a few years ago. This is probably an upstream problem.
Some more info:
In my current setup, ldap is only used for the passwd DB --- Kerberos is used for authentication, so there is no need for shadow DB from nsswitch. I've installed libnss-ldap, but not libpam-ldap.
I tried creating users both with and without options specifying UID and GID:
useradd johndoe
useradd -u 1234 johndoe
useradd -u 1234 -g 100 johndoe
All had the same problem. (I hoped that by specifying a UID only a single lookup would be made, but strace reveals the same behavior: fetching the full DB.)
Sorry for the typos in the previous comment.
João Rodrigues
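A diagnostic for the behaviour reported above, as an added example that is not part of the original report or of the shadow package: it parses the quoted nsswitch.conf to list the databases that consult a network source, then times a full passwd enumeration against a single keyed lookup through NSS. The names `REMOTE_SOURCES`, `parse_nsswitch`, `remote_databases` and `time_passwd_paths`, and the set of sources counted as remote, are assumptions made for this example.

```python
import pwd
import re
import time

# Assumption: sources treated as network-backed; adjust for your site.
REMOTE_SOURCES = {"ldap", "nis", "nisplus", "dns", "mdns"}

# nsswitch.conf as quoted in the report, embedded so this runs offline.
REPORTED_CONF = """\
passwd: files ldap
group: files
shadow: files
hosts: files dns mdns
#hosts: dns [!UNAVAIL=return] files mdns #UA2006 ?
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
"""

def parse_nsswitch(text):
    """Map each database to its ordered sources, ignoring comments and [STATUS=action] items."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        database, sep, rest = line.partition(":")
        if not sep or not database.strip():
            continue
        conf[database.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return conf

def remote_databases(conf):
    """Return only the databases whose lookups can leave the local machine."""
    hits = {db: [s for s in srcs if s in REMOTE_SOURCES] for db, srcs in conf.items()}
    return {db: srcs for db, srcs in hits.items() if srcs}

def time_passwd_paths(name="root"):
    """Time a full passwd enumeration against one keyed lookup, both through NSS."""
    start = time.perf_counter()
    entries = len(pwd.getpwall())      # walks every entry from every passwd source
    mid = time.perf_counter()
    try:
        pwd.getpwnam(name)             # asks each source for a single name
    except KeyError:
        pass                           # name absent; the lookup still ran
    return entries, mid - start, time.perf_counter() - mid

if __name__ == "__main__":
    print(remote_databases(parse_nsswitch(REPORTED_CONF)))
    entries, enum_s, keyed_s = time_passwd_paths()
    print(f"{entries} entries: enumeration {enum_s:.3f}s, keyed lookup {keyed_s:.6f}s")
```

On a host set up like the one in the report, the enumeration time grows with the size of the directory while the keyed lookup stays roughly constant.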