I see reference in login.conf(5) manual page for:

  /etc/login.conf.db  hashed database built with cap_mkdb(1)

I am using NetBSD 2.1 and have used /etc/login.conf various times with 
older versions of NetBSD.

When is the hashed database .db version used?

Can anything generate it automatically? Or do you always manually run 
cap_mkdb as needed?

What code checks to see if the .db version is available versus plain text 
login.conf?

I don't see the relevant documentation. I am looking at 
src/lib/libutil/login_cap.c, getcap(3) man page and other files.

OpenBSD's login.conf manual page says:

=-=-=-=-=-=-=-=-=-
 Sites with very large /etc/login.conf files may wish to create a database
 version of the file, /etc/login.conf.db, for improved performance.  Using
 a database version for small files does not result in a performance
 improvement.  To build /etc/login.conf.db from /etc/login.conf the fol-
 lowing command may be used:

       # cap_mkdb /etc/login.conf

 Note that cap_mkdb(1) must be run after each edit of /etc/login.conf to
 keep the database version in sync with the plain file.
=-=-=-=-=-=-=-=-=-

And FreeBSD's, DragonFly's and OpenBSD's getcap(3) manual page says:

 cgetent() will first look for files ending in ``.db'' (see cap_mkdb(1)) 
 before accessing the ASCII version of the capability database.

But the FreeBSD Handbook says different:

=-=-=--=-=-=-=-=-
 Note: The system does not read the configuration in /etc/login.conf 
 directly, but reads the database file /etc/login.conf.db. To generate 
 /etc/login.conf.db from /etc/login.conf, execute the following command:

 # cap_mkdb /etc/login.conf  
=-=-=--=-=-=-=-=-

How is it done in NetBSD? Where documented?

 Jeremy C. Reed

 	  	 	 Media Relations and Publishing Services
	  	 	 http://www.reedmedia.net/