Resolving Names

Several tokens in the [seosd] section of the seos.ini file (including GroupidResolution, HostResolution, ServiceResolution, and UseridResolution) control how CA ControlMinder performs name resolution. Setting these tokens appropriately improves performance.

Alternatively, you can create a lookaside database (instead of using system name resolution). To improve performance, select the lookaside database option. Tokens for this feature include lookaside_path and use_lookaside.

Note: For more information about these tokens, see the seos.ini initialization file in the Reference Guide.

Whenever CA ControlMinder must perform UID to username, GID to groupname, ipaddr to host name, and port to service translations, the translation may affect CA ControlMinder performance. How CA ControlMinder performs these translations depends on the value of certain tokens in the seos.ini file, in particular the under_NIS_server, use_lookaside, GroupidResolution, HostResolution, ServiceResolution, UseridResolution, and resolve_timeout tokens.

When native operating system mechanisms perform the resolution, the impact on system performance is relatively small. When translating ipaddr to host name, an external mechanism such as DNS must perform the translation. This may result in significant degradation of system performance. This degradation occurs because, while seosd is waiting to receive the host name, all other processes that CA ControlMinder has intercepted must also wait until seosd completes its processing.

Type of Station

Source

Stand-alone

seosd uses the following files for translations:

  • /etc/passwd for UID to user name
  • /etc/group for GID to group name
  • /etc/hosts for IP address to host name
  • /etc/services for service ports to service names

NIS client

The source of the information varies, depending on the operating system and its version number. The information is usually taken from /etc files and the NIS server. However, in some systems, the /etc files are not the source and the order in which translation is made is changed during system configuration. For instance, in the Solaris 2.x system the file /etc/nsswitch.conf determines the translation order.

DNS client

Translation for users, groups, and services is performed using /etc files. Host names are translated by calls to the DNS server and, on some systems, the /etc/hosts file is also read.

NIS and DNS clients

The ipaddr to host name translation is performed by DNS. For user, group, and service translations, the translations are performed in the same way as NIS client translations.

NIS server

The server machine usually behaves as both server and client, and consults the NIS server daemon for any type of translation. The files which contain the sources of the NIS resolution maps are usually located in /var/yp, but the location may vary, depending on the site configuration, and the type and version of the operating system.

DNS server

The source of the information used for translation depends on the configuration of the site. DNS does not have an option to scan its resolution database; therefore, CA ControlMinder cannot use caching, and must use a lookaside database. You must configure the lookaside database so that the utility sebuildla uses a host list file. For more information, see sebuildla in this chapter.

All others

Same as DNS server.

In versions 2 and higher of CA ControlMinder, seosd can also use the tokens GroupidResolution, HostResolution, ServiceResolution, UseridResolution, and resolve_timeout to control the translation process. For more information about these tokens, see the Reference Guide.
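To see which of the four translations described above are answered by a network service on a given host, the following added example (not part of the CA ControlMinder documentation) parses /etc/nsswitch.conf text and reports the databases whose lookup order includes a remote source. The sample file, the NETWORK_SOURCES set, and the pairing of each database with a seos.ini token (inferred from the token names) are assumptions made for illustration.

```python
import re

# The four translations the page lists, keyed by nsswitch.conf database,
# paired with the seos.ini token whose name matches (assumed pairing).
DATABASES = {
    "passwd": "UseridResolution",
    "group": "GroupidResolution",
    "hosts": "HostResolution",
    "services": "ServiceResolution",
}
# Assumption: sources answered by a remote server rather than a local file.
NETWORK_SOURCES = {"dns", "nis", "nisplus", "ldap"}
ACTION = re.compile(r"\[[^\]]*\]")  # e.g. [NOTFOUND=return]; ignored here

def parse_nsswitch(text):
    """Return {database: [sources in lookup order]} for the four databases."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        name = name.strip().lower()
        if name in DATABASES:
            order[name] = ACTION.sub(" ", rest).lower().split()
    return order

def blocking_risks(text):
    """List (database, token, network sources) where a lookup can leave the host."""
    order = parse_nsswitch(text)
    risks = []
    for db, token in DATABASES.items():
        remote = [s for s in order.get(db, []) if s in NETWORK_SOURCES]
        if remote:
            risks.append((db, token, remote))
    return risks

# Constructed sample, not taken from a real host.
SAMPLE = """\
passwd:   files nis
group:    files
hosts:    files [NOTFOUND=continue] dns   # reverse lookups reach DNS
services: files
netgroup: nis
"""

if __name__ == "__main__":
    for db, token, remote in blocking_risks(SAMPLE):
        print(f"{db}: {', '.join(remote)} consulted; review {token} in seos.ini")
```

To check a real host, pass the contents of its /etc/nsswitch.conf to blocking_risks() instead of SAMPLE.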