Cyrus, Solaris 10, ZFS? (and NIS?)
igor at ipass.net
Thu Oct 5 22:40:27 EDT 2006
> -----Original Message-----
> From: info-cyrus-bounces at lists.andrew.cmu.edu [mailto:info-cyrus-
> bounces at lists.andrew.cmu.edu] On Behalf Of Michael Loftis
> Sent: Thursday, October 05, 2006 5:37 PM
> To: Chaskiel M Grundman; betsys at gsd.harvard.edu
> Cc: info-cyrus at lists.andrew.cmu.edu
> Subject: Re: Cyrus, Solaris 10, ZFS? (and NIS?)
> --On October 5, 2006 4:46:54 PM -0400 Chaskiel M Grundman
> <cg2v at andrew.cmu.edu> wrote:
> > mynewstate is taking 8s to run, and very little of the time is taken up
> > in local subroutines.
> > auth_unix.c:mynewstate calls getpwnam, and then iterates over all the
> > groups using getgrent(),
> > checking to see what groups the user is in. The fact that imapd does
> > twice might be a bug, but even if it didn't do it twice, it would still
> > be slow.
> > Is running "getent group" slow?
> We had to patch this out of our Cyrus frontends using LDAP as well because
> it iterates instead of retrieves. We just decided not to support groups
> the ACL's.
> I'd suspect this is exactly whats going on is this code is still there in
> latest Cyrus and it's building the ACL representation. If you don't care
> about groups you can find, and remove, that code as we did.
Cyrus already deals with this deficiency; unix_group_enable: 0 (not really
cyrus fault). There is at least one other and more effective way to
implement group ACLs especially if you use LDAP via pts. See man imapd.conf
(unfortunately not much more documentation than that)
More information about the Info-cyrus