[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM, shadow using DBM files?



W. Reilly Cooley, Esq. writes:
> On Tue, Jul 25, 2000 at 09:00:02AM -0500, Scott Isaacson wrote:
> > I administer a RedHat 6.2 system with about 6000 users.  Authentications are
> > noticeably slow, with users toward the bottom of the passwd file often
> > taking 15-20 seconds to authenticate via ipop3d.  I suspect the
> > authentication mechanism itself because users toward the top of the passwd
> > file will authenticate within 1 second.
> > 
> > A theory I have is that hashing the passwd and shadow files, as on some
> > commercial *nixes, would speed things up and solve the problem.  It looks
> > like the capability to use DBM files is at least partially written into the
> > shadow password package, but not enabled on the version distributed with
> > RedHat 6.2.
> > 
> > What do you think is the best way to solve the slow authentication problem?
> > Is anyone using shadow passwords with the DBM files?  After quite a bit of
> > searching and reading through archives, I've found a few mentions of the
> > problem, but not a clear solution.  Can you point me toward any additional
> > documentation on getting this to work with PAM on RH 6.2?
> 
> Look at /var/db/Makefile.  Notice also the 'db' option in
> /etc/nsswitch.conf.  I grep for 'passwd' in the output of 'strings
> /lib/libnss_db-2.1.2.so' and it returns /var/db/passwd.db.  I haven't
> actually done this, but it should be doable.

It does work. I use this method (although I create the entries via
some perl utilities and user admin daemons) on machines with thousands
of users and it works fine. If you're not creating/modifying accounts
too often then arranging for a "make" after each change may well be
acceptable without needing anything fancy to update /var/db/foo.db
more directly.

>                                              I don't know about the
> actual PAM part, though--possibly pam_userdb.so?

You just need to use the pam_unix modules instead of pam_pwdb
(the latter bypasses getpw*()).

--Malcolm

-- 
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []