Hi,

It was not a wild guess. As soon as I added the value "nss_paged_results no"
it worked. Now getent always returns 1624 users.

Thank you
/Jocke

On Wed, Oct 20, 2010 at 11:11, Ralf Haferkamp <[email protected]> wrote:
> Hi,
>
> On Wednesday 20 October 2010, 08:33:32, Jocke M wrote:
> > Hi,
> >
> > I did use ldapsearch and here is what I found out:
> >
> > ldapsearch "ldapserver" returned 1586 users
> > /etc/passwd has 38 users
> >
> > nsswitch.conf
> > passwd: files ldap
> >
> > So sometimes I assume getent returns files (38) + ldap (1586) = 1624
> >
> > But mostly getent only returns 1038
> >
> > Sizelimit on the ldap server is set to 5000
> >
> > Can it be that sometimes only 1000 users get returned from the getent
> > ldap search? And if so, why?
> This is just a wild guess, but IIRC, 1000 is the default page size when
> nss_ldap is configured to use the LDAP paging control. Probably the
> nss_ldap version or your server has problems processing this control;
> IIRC there have been some problems with paged results in nss_ldap in the
> past. Please test what happens if you use "nss_paged_results no" in your
> nss_ldap config (hopefully your nss_ldap is recent enough to have that
> option).
>
> > /Jocke
> >
> > On Tue, Oct 19, 2010 at 14:55, Prentice Bisbal <[email protected]>
> > wrote:
> > > Jocke M wrote:
> > > > Hello,
> > > >
> > > > We are running an OpenLDAP server on RHEL4 and I just found out
> > > > that running getent on the RHEL clients sometimes misses users
> > > > against the OpenLDAP server.
> > > >
> > > > Example:
> > > > getent passwd | wc -l
> > > > 1038
> > > >
> > > > getent passwd | wc -l
> > > > 1624
> > > >
> > > > Does anyone know what can be faulty, either on the clients or the
> > > > server?
> > > >
> > > > --
> > > > Thx
> > > > Jocke
> > >
> > > Did those results occur on the same client, or are those results
> > > from two different clients?
> > >
> > > If two different clients are returning different results, I'd
> > > compare the /etc/ldap.conf and /etc/openldap/ldap.conf files first.
> > > It could be that one has different filter criteria than the
> > > other. Or, if you've recently upgraded your LDAP servers, one
> > > client could still be pointing to an old LDAP server that doesn't have
> > > the new entries.
> > >
> > > Try using the ldapsearch command with the same search criteria and
> > > see if you get the same results. I would use the -h or -H switch to
> > > make sure you are using the server you think you are using (change
> > > specifics accordingly):
> > >
> > > ldapsearch -LLL -h yourldapserver.example.com -b dc=example,dc=com
> > > "objectClass=posixAccount" dn
> > >
> > > --
> > > Prentice
>
> Ralf

--
Regards,
Jocke
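As an added diagnostic (not code from the thread, and not part of nss_ldap or OpenLDAP), the script below does the comparison Prentice suggests, counting the entries ldapsearch returns against the local files source and the figure getent reports, and adds the check implied by Ralf's guess: whether the LDAP portion of a short getent result is an exact multiple of the paged-results page size. The 1000 default page size, the "files ldap" nsswitch order and the 38/1586 counts are taken from the thread; the LDIF and passwd samples are constructed, and the `ldapsearch -LLL ... dn` and `getent passwd | wc -l` invocations are assumed to be run separately, with their output fed in.

```python
"""Check a getent/LDAP user-count mismatch of the kind discussed in the thread.

Added example; not code from the thread, nss_ldap or OpenLDAP.
- ldif_dns():            DNs in the LDIF that `ldapsearch -LLL ... dn` prints
- count_passwd_users():  user records in /etc/passwd
- diagnose():            classify an observed `getent passwd | wc -l` value
The LDIF and passwd samples below are constructed stand-ins for real output.
"""
import base64

DEFAULT_PAGE_SIZE = 1000  # nss_ldap's default page size, as stated in the thread


def ldif_dns(ldif_text):
    """Return the list of DNs in an LDIF document.

    Handles LDIF line folding (a continuation line begins with one space),
    base64-encoded DNs ('dn:: ...', which ldapsearch emits for non-ASCII
    values), and skips comments and the optional 'version:' header.
    """
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # join folded continuation onto previous line
        else:
            unfolded.append(raw)
    dns = []
    for line in unfolded:
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def count_passwd_users(passwd_text):
    """Count user records in passwd(5) format (7 colon-separated fields),
    ignoring blank lines and comments."""
    n = 0
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.count(":") == 6:
            n += 1
    return n


def diagnose(files_count, ldap_count, observed_count, page_size=DEFAULT_PAGE_SIZE):
    """Classify an observed `getent passwd | wc -l` figure.

    With 'passwd: files ldap', getent lists the files users first and then
    the LDAP users, so observed - files_count is what the LDAP lookup gave.
    Returns:
      'complete'                  observed == files + ldap
      'page_boundary_truncation'  LDAP part is a positive multiple of page_size
                                  and short of ldap_count: the paged-results
                                  signature Ralf described
      'short'                     fewer than expected, no page-size pattern
      'surplus'                   more than expected (e.g. duplicate entries)
    """
    expected = files_count + ldap_count
    if observed_count == expected:
        return "complete"
    if observed_count > expected:
        return "surplus"
    from_ldap = observed_count - files_count
    if from_ldap > 0 and from_ldap % page_size == 0 and from_ldap < ldap_count:
        return "page_boundary_truncation"
    return "short"


# --- Constructed sample input (stands in for real ldapsearch/passwd output) ---
_UTF8_DN = "uid=björn,ou=people,dc=example,dc=com"
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "# comment lines are ignored",
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "",
    "dn:: " + base64.b64encode(_UTF8_DN.encode("utf-8")).decode("ascii"),
    "",
    "dn: uid=averylongusername0001,ou=people,dc=example,",
    " dc=com",  # folded continuation of the DN above
    "",
])
SAMPLE_PASSWD = "\n".join([
    "# local accounts",
    "root:x:0:0:root:/root:/bin/bash",
    "",
    "jocke:x:1000:1000:Jocke:/home/jocke:/bin/bash",
])

if __name__ == "__main__":
    print("LDAP entries in sample LDIF:", len(ldif_dns(SAMPLE_LDIF)))
    print("users in sample passwd:", count_passwd_users(SAMPLE_PASSWD))
    # The counts reported in the thread: 38 from files, 1586 from LDAP.
    for observed in (1038, 1624):
        print(observed, "->", diagnose(38, 1586, observed))
```

In the thread's numbers, 1038 leaves exactly 1000 from LDAP, which is the page-boundary case, and 1624 is the complete result Jocke saw after setting "nss_paged_results no". The check is only a heuristic: a count landing on a page boundary points at the paged-results control, but it does not tell you whether the client or the server is mishandling it, and a server-side sizelimit (5000 here) would produce a different, non-1000 boundary.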
