The LDAP code is much more sophisticated than it once was,
especially as it applies to the management of connections and
LDAP server connection failure situations.

If LDAP naming is enabled, and access to a server is unavailable
the system is expected to respond properly and not hang on lookups.

Doug.

On 07/30/10 05:47 PM, Jason wrote:
Not only configurable, but tunable as well -- you can configure how
many times it tries to query a backend, and what to do based on the
result from the backend.

I'd need to check the nss_ldap code, but last time I looked (which was
a _long_ time ago, so very possible it changed, especially since I
believe I filed an RFE on this years ago), the ldap backend would
never return an 'unavailable' code, only a result or 'try again'.   By
default, the nss front end will retry the backend forever when it gets
a 'tryagain' result.   I found it to have some 'interesting' side
effects.  If the ldap server was bogged down, obviously lookups would
be slow, which was bad for clustering software that was doing 'su -
user -c cmd' (even if the account was local, su has to call
getgroups(2) which in turn will have to check all backends for the
group database).  The cluster software would think the service had
timed out and cause a failover!

The workaround was to set a fixed number of attempts when querying a
backend, and then failing it (via nsswitch.conf configuration).



On Fri, Jul 30, 2010 at 5:35 PM, Scott Rotondo <[email protected]> wrote:
On 07/30/10 12:44 PM, David Brodbeck wrote:
This *can* be worked around by making sure every machine has a valid
local user with access to the root role -- sort of.  pfexec becomes
extremely slow if you have incorrectly configured LDAP -- as in
several minutes of waiting to run a single command.  I suspect it
tries to look up userIDs via LDAP first and has a long timeout.  Best
to su to root in that situation.
Have a look at /etc/nsswitch.conf. The search order is configurable.

        Scott

--
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
_______________________________________________
opensolaris-discuss mailing list
[email protected]
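The behaviour Jason describes above (the nss front end retrying a backend forever on 'try again' by default, and the workaround of a fixed number of attempts in nsswitch.conf that Scott also points to) can be seen in a small simulation. The code below is an added example written for this thread; it is not Solaris code and not taken from any of the posters. It models the `[STATUS=action]` criteria syntax of nsswitch.conf (statuses SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN; actions return, continue, forever, or a retry count for TRYAGAIN) and assumes that once the retry count for a source is exhausted the switch moves on to the next source. The backends (`files` answering NOTFOUND, `ldap` answering TRYAGAIN because the server is bogged down) are constructed stand-ins, not real lookups.

```python
"""Simulate the nsswitch.conf retry criteria discussed in the thread.

Added example, not Solaris source. Status and action names follow
nsswitch.conf(4); the "give up after n retries and continue to the next
source" behaviour is an assumption made for this simulation.
"""
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

# Default criteria: TRYAGAIN=forever is what makes a slow backend hang lookups.
DEFAULT_CRITERIA = {
    "SUCCESS": "return",
    "NOTFOUND": "continue",
    "UNAVAIL": "continue",
    "TRYAGAIN": "forever",
}


def parse_line(line):
    """Parse one nsswitch.conf line, e.g. 'group: files ldap [TRYAGAIN=3]'.

    Returns (database, [(source, criteria_dict), ...]); a bracketed
    criteria block applies to the source immediately before it.
    """
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in nsswitch line: %r" % line)
    sources = []
    for crit, src in re.findall(r"\[([^\]]*)\]|(\S+)", rest):
        if src:
            sources.append((src, dict(DEFAULT_CRITERIA)))
            continue
        if not sources:
            raise ValueError("criteria before any source: %r" % line)
        for item in crit.split():
            status, _, action = item.partition("=")
            status, action = status.upper(), action.lower()
            if status not in STATUSES or not action:
                raise ValueError("bad criterion %r" % item)
            sources[-1][1][status] = action
    return db.strip(), sources


def lookup(sources, backends, max_total_calls=1000):
    """Run the switch engine over the configured sources.

    backends maps a source name to a callable returning a STATUSES value.
    Returns (final_status, backend_calls). A lookup that exceeds
    max_total_calls is reported as a hang (RuntimeError), which is what
    TRYAGAIN=forever against a permanently busy server amounts to.
    """
    calls = 0
    for src, crit in sources:
        retries = 0
        while True:
            if calls >= max_total_calls:
                raise RuntimeError("lookup on %r did not terminate" % src)
            status = backends[src]()
            calls += 1
            action = crit[status]
            if action == "return":
                return status, calls
            if action == "continue":
                break                      # try the next source
            if action == "forever":
                continue                   # retry this source without bound
            if retries < int(action):      # TRYAGAIN=n: bounded retries
                retries += 1
                continue
            break                          # retries exhausted: assumed to continue
    return "NOTFOUND", calls


def lookup_with_conf(line, backends):
    """Convenience wrapper: parse a config line and run the lookup."""
    _, sources = parse_line(line)
    return lookup(sources, backends)


def constant(status):
    """Constructed backend stand-in that always answers with one status."""
    return lambda: status


# Constructed scenario: the group is not local, and the LDAP server is
# so loaded that it only ever answers 'try again'.
BUSY_SITE = {"files": constant("NOTFOUND"), "ldap": constant("TRYAGAIN")}


if __name__ == "__main__":
    try:
        lookup_with_conf("group: files ldap", BUSY_SITE)
    except RuntimeError as err:
        print("default criteria:", err)
    print("bounded retries:", lookup_with_conf("group: files ldap [TRYAGAIN=3]", BUSY_SITE))
```

With the default criteria the simulated `su`-style group lookup never returns, which is the cluster timeout Jason saw; with `[TRYAGAIN=3]` the same lookup gives up on `ldap` after three retries and completes with NOTFOUND after five backend calls in total.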

