I'm cross-posting to comp.security.unix in case something already exists, and
comp.lang.perl, just on the off chance that they can whip it up over the weekend :)
*
* >Current configuration has 9,000 users in the password file and allows up
* >to 200 connections. We are not running NIS or NIS+. What can I do to
* >improve performance of password file lookups? 95% of the time the system
The reason I've not wanted to simply rdist local files is because of this.
Even with NIS under SunOS 4 I've had to do workarounds, using Net Groups, to
restrict access to some machines, and some grotesque hacks.
For Solaris I've been expecting to have to implement a special login program,
once the NIS compat is dropped (or I drop NIS).
* The easiest way to "solve" the problem is to use NIS, but that brings along
* a whole set of new problems. The right way to solve the problem is to write a
* dbm-style backend for the password file. The name services switch interface is
* documented in /usr/include/nss_*, if you want to give it a try.
Now that's an idea!
I've been pondering this as local files, NS kit and NIS+ have too many gotchas.
Would there be any takers for PNR - Portable Name Resolution?
The aim would be a quick and dirty hack (to begin with); I see 2 parts to this:
1) Master format - some management tools,
- distribution scheme -> local format flat file, Berkeley DB,
dbm file, NIS maps, whatever
- mapping scheme for Bastion hosts, DBs and such like
2) OS specific implementation
- Solaris 2.4 using name service switch.
- ULTRIX supports DBM passwd file or local ypservs.
- SunOS 4, DBM in /var/yp/`domainname` plus ypserv & securenets?
The OS part could become unnecessary when vendors introduce better caching.
Perl5 and the Berkeley DB lib allow simple creation of lookup caches,
analogous to NIS's <map>.by<key> DBM files, only:
1) faster, through a memory cache, but a limited one to avoid swap
2) byte independent, makes it very rdist-able
3) hash / btrees supported
Some mechanism to distribute a master DB, to allow OS specific format files,
like passwd(5), whoops (ggrrrrr) I meant passwd(4) and shadow(4).
A daemon to handle password changes would be required, rlogin to a master host
is not acceptable (inconvenient and clear text passwords over net).
Perhaps something better than NIS that's not OS specific already exists?
Did the BSD User DB get any further than its usage in V8 sendmail?
-- Rob
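As an added illustration of the two pieces sketched in the post (a master record set distributed as <map>.by<key> DBM lookup files with a bounded memory cache in front, plus OS-specific passwd(4)/shadow(4) flat files generated from the same master), here is a small example. It is not code from the post or from any existing PNR tool; it uses Python's dbm module in place of the Perl5 + Berkeley DB pairing the post mentions, the master field order and the account records are constructed, and the hash values are placeholders. The one design point it enforces is that password hashes only ever land in the shadow file, never in the world-readable map or passwd file.

```python
"""Master records -> NIS-style DBM maps (passwd.byname / passwd.byuid) and
passwd(4)/shadow(4) flat files, with a bounded LRU cache over the map lookups.
Added example; dbm stands in for the Perl5 + Berkeley DB library of the post."""
import dbm
import os
import tempfile
from collections import OrderedDict

# Constructed sample master records (hypothetical accounts, placeholder hashes).
# The master field order is an assumption: name, uid, gid, gecos, home, shell, hash.
MASTER = [
    ("alice", 1001, 100, "Alice Example", "/home/alice", "/bin/sh", "$HASH_ALICE$"),
    ("bob", 1002, 100, "Bob Example", "/home/bob", "/bin/csh", "$HASH_BOB$"),
    ("svc", 2001, 200, "Service account", "/var/svc", "/bin/false", "*"),
]


def passwd_line(rec):
    """passwd(4) line; the password field is 'x' because hashes live in shadow only."""
    name, uid, gid, gecos, home, shell, _ = rec
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"


def shadow_line(rec, lastchg=0):
    """shadow(4) line: name:hash:lastchg:min:max:warn:inactive:expire:flag."""
    name, *_, pwhash = rec
    return f"{name}:{pwhash}:{lastchg}::::::"


def build_maps(records, outdir):
    """Write passwd.byname and passwd.byuid DBM maps, analogous to the NIS maps.
    Values are the hash-free passwd(4) lines, so the maps can be rdist'ed freely."""
    byname = os.path.join(outdir, "passwd.byname")
    byuid = os.path.join(outdir, "passwd.byuid")
    with dbm.open(byname, "c") as dn, dbm.open(byuid, "c") as du:
        for rec in records:
            line = passwd_line(rec).encode()
            dn[rec[0].encode()] = line          # key: login name
            du[str(rec[1]).encode()] = line     # key: uid as a string
    return byname, byuid


def write_files(records, outdir):
    """Emit the OS-specific flat files: passwd world-readable, shadow owner-only."""
    pw = os.path.join(outdir, "passwd")
    sh = os.path.join(outdir, "shadow")
    with open(pw, "w") as f:
        f.write("".join(passwd_line(r) + "\n" for r in records))
    with open(sh, "w") as f:
        f.write("".join(shadow_line(r) + "\n" for r in records))
    os.chmod(pw, 0o644)
    os.chmod(sh, 0o400)  # hashes never go into a world-readable file or map
    return pw, sh


class CachedMap:
    """A DBM map with a small LRU memory cache in front of it (bounded so a
    9,000-entry map never turns into swap pressure). Misses are cached too."""

    def __init__(self, path, maxsize=64):
        self.db = dbm.open(path, "r")
        self.maxsize = maxsize
        self.cache = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, key):
        if key in self.cache:
            self.cache.move_to_end(key)
            self.hits += 1
            return self.cache[key]
        self.misses += 1
        raw = self.db.get(key.encode())
        value = raw.decode() if raw is not None else None
        self.cache[key] = value
        if len(self.cache) > self.maxsize:
            self.cache.popitem(last=False)      # evict least recently used
        return value

    def close(self):
        self.db.close()


def demo():
    """Build maps and files in a temp dir and exercise the cached lookups."""
    outdir = tempfile.mkdtemp()
    byname, byuid = build_maps(MASTER, outdir)
    m = CachedMap(byname, maxsize=2)
    alice = m.lookup("alice")
    again = m.lookup("alice")                   # served from the memory cache
    missing = m.lookup("nobody")                # negative result, also cached
    u = CachedMap(byuid)
    bob = u.lookup("1002")
    m.close()
    u.close()
    pw, sh = write_files(MASTER, outdir)
    with open(sh) as f:
        shadow_text = f.read()
    with open(pw) as f:
        passwd_text = f.read()
    return {"alice": alice, "cached": alice == again, "hits": m.hits,
            "misses": m.misses, "missing": missing, "bob": bob,
            "shadow_has_hash": "$HASH_BOB$" in shadow_text,
            "passwd_has_hash": "$HASH_BOB$" in passwd_text}


if __name__ == "__main__":
    print(demo())
```

The byname/byuid split mirrors the two NIS maps a login program actually consults, and caching negative results matters as much as positive ones: a lookup for a non-existent user is the common case under brute-force login attempts, and without a negative cache each such attempt costs a full map probe. A password-change daemon, which the post calls for, would regenerate the maps from the master rather than editing them in place.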