Package: libnss-ldap
Version: 261-2
Severity: important
'id' will hang forever when not setting sizelimit 2048 in the ldap
server config.
This happens even if ldapserver2 has a bigger 'sizelimit' parameter
which would not block 'id'.
For the reason behind this behaviour I found that libnss-ldap asked the
ldap server for the whole bunch of passwd and group entries instead of
doing a smart ldap search.
As our ldap userbase has more than 512 entries, I had to increase the
sizelimit parameter on the server as a workaround.
Via tcpdump I found that the client sent a
LDAPMessage searchRequest(2) ou=user,dc=in-berlin,dc=de wholeSubtree
instead of doing a search.
I expected it to do a search like
ldapsearch ... 'uid=..' and
ldapsearch ... '(&(objectClass=posixGroup)(memberUid=...))' gidNumber,gidName
for group memberships.
Please correct me if I'm wrong, but I cannot expect that getting the
whole table would be a reasonable approach for a larger user database.
I verified that the used ldap server is working.
from /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
regards
Olaf
The contents of
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages libnss-ldap depends on:
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcomerr2 1.40.8-2 common error description library
ii libkrb53 1.6.dfsg.3-2 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.7-6.3+b1 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-20 Cyrus SASL - authentication abstra
Versions of packages libnss-ldap recommends:
ii libpam-ldap 184-4 Pluggable Authentication Module al
ii nscd 2.7-12 GNU C Library: Name Service Cache
libnss-ldap suggests no packages.
-- debconf information:
* libnss-ldap/dblogin: false
* libnss-ldap/override: true
* shared/ldapns/base-dn: ou=user,dc=in-berlin,dc=de
* libnss-ldap/rootbinddn: cn=manager,dc=example,dc=net
* shared/ldapns/ldap_version: 3
libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* shared/ldapns/ldap-server: ldap://ldapserver1/ ldap://ldapserver2/
* libnss-ldap/nsswitch:
* libnss-ldap/confperm: false
* libnss-ldap/dbrootlogin: false
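
Added example, not part of the original report and not libnss-ldap code: a small Python model of the two lookup strategies the report contrasts, run against a constructed 600-entry directory. The server sizelimit of 500 (OpenLDAP's default) and all function names are assumptions made for this illustration.

```python
class SizeLimitExceeded(Exception):
    """Stands in for LDAP result code 4 (sizeLimitExceeded)."""

BASE_DN = "ou=user,dc=in-berlin,dc=de"  # base DN taken from the report
SIZELIMIT = 500  # assumption: server left at OpenLDAP's default sizelimit

def build_directory(n_users):
    """Constructed sample data: n_users accounts, one posixGroup per 50 users."""
    entries = [{"dn": f"uid=user{i},{BASE_DN}", "objectClass": "posixAccount",
                "uid": f"user{i}", "uidNumber": 10000 + i} for i in range(n_users)]
    for g in range(0, n_users, 50):
        members = [f"user{i}" for i in range(g, min(g + 50, n_users))]
        entries.append({"dn": f"cn=group{g // 50},{BASE_DN}", "objectClass": "posixGroup",
                        "gidNumber": 20000 + g // 50, "memberUid": members})
    return entries

def _matches(value, wanted):
    """Equality match against a single- or multi-valued attribute."""
    return wanted in value if isinstance(value, list) else value == wanted

def search(directory, sizelimit, **equals):
    """wholeSubtree search for an AND of equality assertions, capped by sizelimit.
    The model raises where a real server returns sizeLimitExceeded."""
    hits = []
    for entry in directory:
        if all(_matches(entry.get(a), v) for a, v in equals.items()):
            if len(hits) >= sizelimit:
                raise SizeLimitExceeded(f"more than {sizelimit} entries match {equals}")
            hits.append(entry)
    return hits

def id_by_enumeration(directory, sizelimit, user):
    """Fetch every account and every group, then pick the user client-side."""
    accounts = search(directory, sizelimit, objectClass="posixAccount")
    groups = search(directory, sizelimit, objectClass="posixGroup")
    uid_number = next(a["uidNumber"] for a in accounts if a["uid"] == user)
    return uid_number, sorted(g["gidNumber"] for g in groups if user in g["memberUid"])

def id_by_filter(directory, sizelimit, user):
    """Server-side filters: uid=<user>, then (&(objectClass=posixGroup)(memberUid=<user>))."""
    accounts = search(directory, sizelimit, objectClass="posixAccount", uid=user)
    groups = search(directory, sizelimit, objectClass="posixGroup", memberUid=user)
    return accounts[0]["uidNumber"], sorted(g["gidNumber"] for g in groups)

if __name__ == "__main__":
    directory = build_directory(600)  # more than 512 entries, as in the report
    print("filtered:", id_by_filter(directory, SIZELIMIT, "user123"))
    try:
        print("enumerated:", id_by_enumeration(directory, SIZELIMIT, "user123"))
    except SizeLimitExceeded as exc:
        print("enumerated: sizeLimitExceeded:", exc)
```

The filtered lookups return one account and one group regardless of directory size, while the enumeration only succeeds once sizelimit exceeds the number of accounts.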