Package: libnss-ldap
Version: 261-2
Severity: important

'id' will hang forever if sizelimit 2048 is not set in the ldap
server config.

This happens even if ldapserver2 has a bigger 'sizelimit' parameter
which would not block 'id'.

For the reason behind this behaviour I found that libnss-ldap asked the
ldap server for the whole bunch of passwd and group entries instead of
doing a smart ldap search.

As our ldap userbase has more than 512 entries, I had to increase the
sizelimit parameter on the server as a workaround.

Via tcpdump I found that the client sent a
  LDAPMessage searchRequest(2) "ou=user,dc=in-berlin,dc=de" wholeSubtree
instead of doing a search.
I expected it to do a search like

ldapsearch ... 'uid=..' and
ldapsearch ... '(&(objectClass=posixGroup)(memberUid=...))' gidNumber,gidName 
for group memberships.

Please correct me if I'm wrong, but I cannot expect that getting the
whole table would be a reasonable approach for a larger user database.

I verified that the used ldap server is working.

from /etc/nsswitch.conf:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

regards
Olaf

The contents of
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]    1.5.22          Debian configuration management sy
ii  libc6                    2.7-10          GNU C Library: Shared libraries
ii  libcomerr2               1.40.8-2        common error description library
ii  libkrb53                 1.6.dfsg.3-2    MIT Kerberos runtime libraries
ii  libldap-2.4-2            2.4.7-6.3+b1    OpenLDAP libraries
ii  libsasl2-2               2.1.22.dfsg1-20 Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   184-4      Pluggable Authentication Module al
ii  nscd                          2.7-12     GNU C Library: Name Service Cache 

libnss-ldap suggests no packages.

-- debconf information:
* libnss-ldap/dblogin: false
* libnss-ldap/override: true
* shared/ldapns/base-dn: ou=user,dc=in-berlin,dc=de
* libnss-ldap/rootbinddn: cn=manager,dc=example,dc=net
* shared/ldapns/ldap_version: 3
  libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* shared/ldapns/ldap-server: ldap://ldapserver1/ ldap://ldapserver2/
* libnss-ldap/nsswitch:
* libnss-ldap/confperm: false
* libnss-ldap/dbrootlogin: false



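Added example, not part of the bug report and not libnss-ldap's code: it builds the two per-user searches the report expects (passwd entry by uid, posixGroup entries by memberUid) with RFC 4515 filter escaping, and runs them against a constructed directory of 600 accounts behind a simulated server sizelimit, next to the whole-subtree request the report saw on the wire. The base DN is the one from the debconf output above; the entry contents, the group names and the sizelimit of 500 (OpenLDAP's default, assumed here) are constructed for the demonstration.

```python
"""Filtered NSS lookups vs. a whole-subtree dump under a server sizelimit.

Constructed example; the directory contents below are made up.
"""
from __future__ import annotations

BASE_DN = "ou=user,dc=in-berlin,dc=de"   # base DN from the report's debconf output
WHOLE_SUBTREE = "(objectClass=*)"         # the unfiltered request seen in the tcpdump


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a caller-supplied uid cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (only \\XX hex escapes are produced above)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def passwd_filter(uid: str) -> str:
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))"


def group_membership_filter(uid: str) -> str:
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"


def _split_children(body: str) -> list[str]:
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'] by parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry: dict[str, list[str]], flt: str) -> bool:
    """Evaluate the subset of RFC 4515 used here: equality, presence and AND."""
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, child) for child in _split_children(body[1:]))
    attr, _, raw = body.partition("=")
    values = entry.get(attr, [])
    if raw == "*":                      # presence filter, e.g. (objectClass=*)
        return bool(values)
    return unescape_filter_value(raw) in values


class SizeLimitExceeded(Exception):
    pass


def subtree_search(directory: list[dict], flt: str, sizelimit: int = 500) -> list[dict]:
    """Simulated server: refuse result sets larger than sizelimit (assumed default 500)."""
    hits = [e for e in directory if matches(e, flt)]
    if len(hits) > sizelimit:
        raise SizeLimitExceeded(f"{len(hits)} entries exceed sizelimit {sizelimit}")
    return hits


def build_directory(n_users: int = 600) -> list[dict]:
    """Constructed directory: 600 posixAccount entries plus two posixGroup entries."""
    users = [{"dn": [f"uid=user{i},{BASE_DN}"], "objectClass": ["posixAccount"],
              "uid": [f"user{i}"], "uidNumber": [str(1000 + i)]} for i in range(n_users)]
    groups = [{"dn": [f"cn=staff,{BASE_DN}"], "objectClass": ["posixGroup"],
               "gidNumber": ["2000"], "memberUid": ["user1", "user2"]},
              {"dn": [f"cn=admins,{BASE_DN}"], "objectClass": ["posixGroup"],
               "gidNumber": ["2001"], "memberUid": ["user1"]}]
    return users + groups


def whole_subtree_exceeds(directory: list[dict], sizelimit: int = 500) -> bool:
    """True when the unfiltered dump the report observed would trip the sizelimit."""
    try:
        subtree_search(directory, WHOLE_SUBTREE, sizelimit)
    except SizeLimitExceeded:
        return True
    return False


def resolve_user(directory: list[dict], uid: str, sizelimit: int = 500):
    """What 'id <uid>' needs: one passwd entry plus the gidNumbers of groups listing uid."""
    passwd = subtree_search(directory, passwd_filter(uid), sizelimit)
    groups = subtree_search(directory, group_membership_filter(uid), sizelimit)
    return passwd, [g["gidNumber"][0] for g in groups]


if __name__ == "__main__":
    d = build_directory()
    print("whole-subtree dump hits sizelimit:", whole_subtree_exceeds(d))
    pw, gids = resolve_user(d, "user1")
    print(pw[0]["uid"][0], gids)
    print("uid '*' after escaping:", resolve_user(d, "*"))   # matches nothing
```

The two filtered searches return one passwd entry and two group entries regardless of how many accounts the base DN holds, while the unfiltered subtree request trips the limit as soon as the tree exceeds it. The escaping matters for the same reason: a uid such as `*` or `user1)(uid=*` handed to getpwnam() is sent as `\2a`, so it cannot turn a targeted lookup back into a directory dump.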