On Thu, 2009-08-13 at 17:45 -0400, Dmitri Pal wrote:
I am just saying that it might make sense to have the identity back end
split into two back ends.
One is responsible for the individual operations and another for
enumerations.
No, it would just be a lot of duplication for no gain.
It's simple to change code behavior with options.
I do not see code duplication. Common code should be bundled in
libraries and reused.
You have to split interfaces, have new initialization routines, make it
more complicated to share connections. Really not worth it.
[..]
We will go for the entry if we do not see an entry or it is expiring in
cache.
I guess I might not understand the details of cache implementation.
I was under the impression that the cache expiration time stamp is a
part of the entry in LDB,
and each time we get a record (new or not) we at least need to update
the time stamp.
Am I right? If so we might save on not updating other attributes of the
entry if it has not changed but it would not eliminate the write
operation completely.
There would be a gain but really a minor one so I am not sure it is worth it.
Yeah, you are probably right, let's just remove this point.
Yes but it (BE) changes the time stamp that indicates when the entry was
last retrieved so that the front end can be it is decision to request a
refresh.
Yes this is how it works now.
>> Can you please explain how this would affect the cache logic?
>>
>
> It depends on what cache you are referring to, if you are referring to
> refreshes performed by the frontend this may make them unnecessary for
> the ldap driver.
>
Is there more than one cache?
We have an in-memory negative cache in the nss frontend, and I am still
considering adopting a shared memory approach to talk with the clients
to speed up lookups like nscd does, so that would add a new cache.
> In my experience generally if ldap or nis are not available the machine
> still comes up fine. POSIX even says explicitly that enumeration requests
> can return nothing IIRC.
> Also experience with samba's winbindd with enumeration turned off tells
> me this is not going to be a problem.
>
>
We seem to make some assumptions based on one data point.
Maybe you are right and things are not that bad for us but such an
assumption makes me uneasy.
Not assumptions, the data model is quite clear and there are multiple
examples of machines coming up without remote backends' data w/o any
problem. In fact there are options in nss_ldap to ignore requests for
certain users explicitly to avoid triggering timeouts at startup when
the remote ldap server is still not available.
I really see no problem here, let's move on.
Simo.