LDAP replacing NIS - Storage

  1. LDAP replacing NIS

    I was wondering if anyone out there has experience with using LDAP in
    a large environment, particularly its impact on NAS storage such as
    NetApp.

    I'm concerned that since LDAP responses are not cached by the NAS
    device that there will be a noticeable impact to performance, though
    the grapevine and rumor mill says there won't be.

    NAS caches positive NIS responses for 36,000 seconds, so any request
    for auth by the same user/client will be serviced by speedy cache for
    a very long time. Negative responses are cached for 3600 seconds.

    So if you have NetApp in a high performance environment, and you are
    using LDAP, I would love to hear your stories.

    Thanks.

    ~F

  2. Re: LDAP replacing NIS

    Hi Faeandar

    I have set up LDAP as a naming service though not in a large performance
    demanding environment, however, regarding the cache, if I remember
    correctly there is a cache built into the Solaris LDAP name service
    client which is LDAP specific and I seem to recall that it was somewhat
    tunable. Possibly even tunable via the client profile which resides in
    the directory.

    BTW - Mind if I ask what kind of NetApp filers you use and what you do
    with them? Files only or target/luns or both?

    Regards,
    Vic






  3. Re: LDAP replacing NIS

    On 22 Sep 2006 12:14:33 -0700, "victor.engle@gmail.com"
    wrote:

    >Hi Faeandar
    >
    >I have set up LDAP as a naming service though not in a large performance
    >demanding environment, however, regarding the cache, if I remember
    >correctly there is a cache built into the Solaris LDAP name service
    >client which is LDAP specific and I seem to recall that it was somewhat
    >tunable. Possibly even tunable via the client profile which resides in
    >the directory.


    Clients like Solaris, Linux, and HPUX do indeed cache responses, but
    for some reason NetApp filers do not. This is the crux of my concern
    and we've not been able to run tests yet.

    I'm concerned about latency injection when each request for auth or a
    mount point is passed to the LDAP server instead of read from cache.

    >
    >BTW - Mind if I ask what kind of NetApp filers you use and what you do
    >with them? Files only or target/luns or both?


    Exclusively files. There are departments that use iSCSI but I'm
    not one of them.

    ~F




  4. Re: LDAP replacing NIS


    Ahh. I should have read your original post more carefully. The filer,
    as a name service client, doesn't cache the LDAP auth data and since
    you use it as home space that is a performance concern.

    Good luck and please let us know if you find a solution or work-around.

    Regards,
    Vic






  5. Re: LDAP replacing NIS

    On Fri, 22 Sep 2006 15:05:56 GMT, Faeandar
    wrote:

    >I was wondering if anyone out there has experience with using LDAP in
    >a large environment, particularly its impact on NAS storage such as
    >NetApp.
    >
    >I'm concerned that since LDAP responses are not cached by the NAS
    >device that there will be a noticeable impact to performance, though
    >the grapevine and rumor mill says there won't be.
    >
    >NAS caches positive NIS responses for 36,000 seconds, so any request
    >for auth by the same user/client will be serviced by speedy cache for
    >a very long time. Negative responses are cached for 3600 seconds.
    >
    >So if you have NetApp in a high performance environment, and you are
    >using LDAP, I would love to hear your stories.
    >
    >Thanks.
    >
    >~F



    Well, it seems that there is little impact to a filer using LDAP for
    netgroup authorization. We chose netgroups because they are the worst
    case scenario for us; severely nested so expansion would add latency.

    Hitting a single filer with 200 nodes caused no perceptible load on
    the filer. It did cause some noticeable load on the single LDAP
    server but response latency was still below .02.

    The procedure was a simple 'touch' command farmed out to 200 nodes.
    Every node required a netgroup lookup and auth to verify access to the
    share. We kept it as simple as possible so that we were only
    measuring auth load and nothing else.

    All in all it seems LDAP does well in a high impact environment. Now
    adding SSL will be a different story but that's down the road a
    ways...

    ~F
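
Added example, not part of any post in this thread: a small Python simulation of the caching trade-off discussed above, using the 36,000-second and 3,600-second lifetimes quoted in the first post. The directory contents, the netgroup and host names, and the simulated clock are constructed assumptions; the code shows how many lookups reach the directory and how long a revoked or newly granted membership keeps its old answer.

```python
# Added example: constructed directory data and a simulated clock, no real LDAP/NIS.
POSITIVE_TTL = 36_000  # seconds, positive-response lifetime quoted in the thread
NEGATIVE_TTL = 3_600   # seconds, negative-response lifetime quoted in the thread


class Directory:
    """Stand-in for the LDAP/NIS server; counts the queries that reach it."""

    def __init__(self, members):
        self.members = set(members)  # (netgroup, host) pairs, constructed
        self.queries = 0

    def is_member(self, netgroup, host):
        self.queries += 1
        return (netgroup, host) in self.members


class CachingClient:
    """Name-service client with separate positive and negative TTLs."""

    def __init__(self, directory, pos_ttl=POSITIVE_TTL, neg_ttl=NEGATIVE_TTL):
        self.directory = directory
        self.pos_ttl, self.neg_ttl = pos_ttl, neg_ttl
        self.cache = {}  # (netgroup, host) -> (answer, expiry time)

    def is_member(self, netgroup, host, now):
        hit = self.cache.get((netgroup, host))
        if hit and now < hit[1]:
            return hit[0]  # served from cache, the directory is not asked
        answer = self.directory.is_member(netgroup, host)
        ttl = self.pos_ttl if answer else self.neg_ttl
        self.cache[(netgroup, host)] = (answer, now + ttl)
        return answer


def simulate(pos_ttl, neg_ttl):
    """Return (queries for 200 repeated checks, stale grant?, stale deny?)."""
    d = Directory({("eng-hosts", "node001")})
    c = CachingClient(d, pos_ttl, neg_ttl)
    for _ in range(200):  # one client checked 200 times at t=0
        c.is_member("eng-hosts", "node001", now=0)
    burst = d.queries
    c.is_member("eng-hosts", "node999", now=0)  # not a member yet: cached "no"
    d.members = {("eng-hosts", "node999")}      # revoke node001, add node999
    stale_grant = c.is_member("eng-hosts", "node001", now=1_800)
    stale_deny = not c.is_member("eng-hosts", "node999", now=1_800)
    return burst, stale_grant, stale_deny
```

`simulate(POSITIVE_TTL, NEGATIVE_TTL)` models a caching client and `simulate(0, 0)` models a client that caches nothing: the first trades directory load for a window in which a revoked host is still granted access, the second does the reverse.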
