Yet another AIX-related problem:

The AIX LDAP client is called secldapclntd (sure, they could make it more
awkward, but the budget ran out.)  I'm running into the issue detailed here:

http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344

"If an LDAP server fails to answer an LDAP query, secldapclntd caches
the non-answered query negatively. This may happen if the LDAP server
is down for example. After the LDAP server is back again secldapclntd
will use the negative cache entry and the application initiating the
original query will still fail until the cache entry expires."

IBM is working on porting the fix to our specific TL and SP levels.

What I'm concerned with here, though, is *why* is it timing out?  I don't
know what the current timeout values are (AIX sucks, etc.)

I don't see timeout issues on my Linux boxes, which leads me to believe
that either the sssd timeouts are longer or that sssd is just more robust
when dealing with timeouts.

I believe I'm seeing similar behavior with LDAP sudo on AIX as well,
because I occasionally have to re-run sudo commands because they initially
fail (and I know I'm using the right passwords.)  However, sudo doesn't
appear to have a cache (or it handles caching better.)

Does anyone have any troubleshooting suggestions?  Any general "speed
things up" suggestions on the IPA side?

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
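
The failure mode quoted from the IBM note above, as an added example (not part of the original post and not secldapclntd code): a toy lookup cache where `cache_failures=True` stores a non-answer as a negative entry, and `cache_failures=False` caches only authoritative answers. All names (`CachingResolver`, `LookupUnavailable`, `simulate`), the 60-second TTL and the sample entry are assumptions made for illustration.

```python
import time

class LookupUnavailable(Exception):
    """The directory server did not answer (timeout, connection refused)."""

class CachingResolver:
    """Toy client-side cache; backend is any callable(name) -> entry or None."""

    def __init__(self, backend, ttl=60.0, cache_failures=False, clock=time.monotonic):
        self.backend = backend
        self.ttl = ttl
        self.cache_failures = cache_failures  # True reproduces the quoted behaviour
        self.clock = clock
        self._cache = {}  # name -> (expires_at, entry or None)

    def lookup(self, name):
        hit = self._cache.get(name)
        if hit and hit[0] > self.clock():
            return hit[1]  # may be a negative (None) entry
        try:
            entry = self.backend(name)  # None means an authoritative "no such entry"
        except LookupUnavailable:
            if self.cache_failures:
                # Non-answer stored as if the server had said "not found".
                self._cache[name] = (self.clock() + self.ttl, None)
                return None
            raise  # nothing cached; the caller can retry right away
        self._cache[name] = (self.clock() + self.ttl, entry)
        return entry

def simulate(cache_failures):
    """Constructed scenario: server down at t=0, back up at t=5 and t=61."""
    state = {"up": False}
    directory = {"alice": {"uid": 1001}}  # constructed sample entry
    now = [0.0]

    def backend(name):
        if not state["up"]:
            raise LookupUnavailable(name)
        return directory.get(name)

    resolver = CachingResolver(backend, 60.0, cache_failures, clock=lambda: now[0])
    results = []
    for t, up in [(0.0, False), (5.0, True), (61.0, True)]:
        now[0], state["up"] = t, up
        try:
            results.append(resolver.lookup("alice"))
        except LookupUnavailable:
            results.append("unavailable")
    return results
```

With `cache_failures=True` the lookup at t=5 still fails even though the server is back, and only succeeds once the negative entry has expired.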