Hi,

On Wednesday 20 October 2010, 08:33:32, Jocke M wrote:
> Hi,
>
> I did use the ldapsearch and here is what I found out
>
> ldapsearch "ldapserver" returned 1586 users
> /etc/passwd has 38 users
>
> nsswitch.conf
> passwd: files ldap
>
> So sometimes I assume getent returns files (38) + ldap (1586) = 1624
>
> But mostly getent only returns 1038
>
> Sizelimit on the ldap server is set to 5000
>
> Can it be that sometimes only 1000 users get returned from the getent
> ldap search? And if so, why?

This is just a wild guess, but IIRC, 1000 is the default page size when nss_ldap is configured to use the LDAP paging control. Probably the nss_ldap version or your server has problems processing this control; IIRC there have been some problems with paged results in nss_ldap in the past. Please test what happens if you use "nss_paged_results no" in your nss_ldap config (hopefully your nss_ldap is recent enough to have that option).
> /Jocke
>
> On Tue, Oct 19, 2010 at 14:55, Prentice Bisbal <[email protected]> wrote:
> > Jocke M wrote:
> > > Hello,
> > >
> > > We are running an OpenLDAP server on RHEL4 and I just found out
> > > that running getent on the RHEL clients sometimes missed users
> > > against the OpenLDAP server.
> > >
> > > Example:
> > > getent passwd | wc -l
> > > 1038
> > >
> > > getent passwd | wc -l
> > > 1624
> > >
> > > Does anyone know what can be faulty, either on the clients or the
> > > server?
> > >
> > > --
> > > Thx
> > > Jocke
> >
> > Did those results occur on the same client, or are those results
> > from two different clients?
> >
> > If two different clients are returning different results, I'd
> > compare the /etc/ldap.conf and /etc/openldap/ldap.conf files first.
> > It could be that one has different filter criteria than the
> > other. Or, if you've recently upgraded your LDAP servers, one
> > client could still be pointing to an old LDAP server that doesn't have
> > new entries.
> >
> > Try using the ldapsearch command with the same search criteria and
> > see if you get the same results. I would use the -h or -H switch to
> > make sure you are using the server you think you are using (change
> > specifics accordingly)
> >
> > ldapsearch -LLL -h yourldapserver.example.com -b dc=example,dc=com
> > "objectClass=posixAccount" dn
> >
> > --
> > Prentice

Ralf
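The diagnosis the thread converges on (getent stopping at exactly 1000 LDAP entries, i.e. one page, while ldapsearch and /etc/passwd account for 1624) can be turned into a small check. The script below is an added example, not code from any poster or from nss_ldap itself: it counts entries in ldapsearch LDIF output, compares the three numbers from the thread, flags a count that stops on a page boundary, and reports whether nss_paged_results is set in an ldap.conf-style file. The page size of 1000 is the default Ralf recalls; the sample LDIF and the config path /etc/ldap.conf are assumptions, and the counts used at the bottom are the thread's own figures so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check getent against
# /etc/passwd and ldapsearch, and spot an nss_ldap paging truncation.

PAGE_SIZE=1000   # assumed default nss_ldap page size (per Ralf's reply)

# Count entries in LDIF produced by "ldapsearch -LLL ... dn":
# each entry is a single "dn:" line, so counting those lines counts users.
count_ldif_entries() {
    grep -c '^dn:' || true    # grep -c prints 0 (and exits 1) on no match
}

# Compare the numbers: files = /etc/passwd lines, ldap = ldapsearch count,
# seen = getent passwd lines. Prints one diagnostic line.
diagnose() {
    files=$1; ldap=$2; seen=$3
    ldap_seen=$((seen - files))    # what getent actually got from LDAP
    if [ "$ldap_seen" -ge "$ldap" ]; then
        echo "ok: $ldap_seen LDAP entries via getent, $ldap via ldapsearch"
    elif [ $((ldap_seen % PAGE_SIZE)) -eq 0 ]; then
        # Exactly a multiple of the page size: the paged-results control
        # most likely stopped after the first page(s).
        echo "truncated at page boundary: $ldap_seen of $ldap LDAP entries (page size $PAGE_SIZE)"
    else
        echo "short: $ldap_seen of $ldap LDAP entries"
    fi
}

# Report the nss_paged_results value from an nss_ldap config file
# (assumed /etc/ldap.conf on RHEL4), or "unset" if the option is absent.
paged_results_setting() {
    awk 'tolower($1) == "nss_paged_results" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Constructed sample LDIF standing in for real ldapsearch output.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com

dn: uid=bob,ou=People,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,dc=com
'

# Stand-alone run using the thread's figures and the sample data above.
# Live use would be:
#   files=$(wc -l < /etc/passwd)
#   ldap=$(ldapsearch -LLL -H ldap://yourldapserver.example.com \
#            -b dc=example,dc=com '(objectClass=posixAccount)' dn | count_ldif_entries)
#   seen=$(getent passwd | wc -l)
printf '%s' "$SAMPLE_LDIF" | count_ldif_entries          # 3
diagnose 38 1586 1038                                     # the bad run
diagnose 38 1586 1624                                     # the good run
[ -r /etc/ldap.conf ] && paged_results_setting /etc/ldap.conf
```

The arithmetic is deliberately simple: the interesting signal is that the LDAP share of the getent output (1038 - 38) is exactly one page, which is what distinguishes a paging problem from a server sizelimit or a filter mismatch between clients.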
