10.5 AD plugin slow logins related to macAddress queryPosted: April 15, 2008 | |
The slow login times in the Leopard AD plugin seem to be related to a search by macAddress. If you killall -USR1 DirectoryService, and login on a Leopard machine bound to AD, you’ll notice a query on macAddress in the /Library/Logs/DirectoryService/DirectoryService.debug.log. I am not sure the purpose of this query, but our computer objects don’t even use the macAddress attribute, so the query always results in no records found.
I can manually execute the same query and the time almost perfectly matches the delay I see with logins; about 45 seconds.
time ldapsearch -v -w password -x -h domaincontroller.domain.forest.com -D firstname.lastname@example.org -b "DC=domain,DC=forest,DC=com" "(&(objectCategory=cn=computer,cn=schema,cn=configuration,dc=forest,dc=com)
Just substitute your own domain, forest, domain controller, username, password, and mac address etc to test.
I’ve tried manually mapping macAddress to another attribute, but it didn’t make a difference, so I don’t have any workaround to offer. Adding the macAddress attribute to your computer objects in AD might speed things up, but I have not tested this. I’ve notified Apple of the issue in radar 5752763, which is marked as a Duplicate of 5679705. If you see this macAddress query taking a long time, please report this to Apple so it can get fixed sooner rather than later. Actually, this same query is used during the join process, which may explain the long join times while it searches for an existing computer.