Bug#500479: 'id' hangs forever: libnss-ldap getting whole tree instead of ldap search for group.

2013-08-31 Thread Arthur de Jong
Control: tags -1 + moreinfo
Control: severity -1 normal

On Sun, 2008-09-28 at 11:51 -0700, Richard A Nelson wrote:
> You don't show your /etc/libnss-ldap.conf - does it actually have
> any filters enabled?

Can you still reproduce this problem? If so, can you provide
your /etc/libnss-ldap.conf?

The problem is probably a configuration issue.

Thanks,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --




Bug#500479: 'id' hangs forever: libnss-ldap getting whole tree instead of ldap search for group.

2008-09-28 Thread Olaf Schulz
Package: libnss-ldap
Version: 261-2
Severity: important


'id' will hang forever if sizelimit 2048 is not set in the ldap
server config.

This happens even if ldapserver2 has a bigger 'sizelimit' parameter
which would not block 'id'.

For the reason behind this behaviour I found that libnss-ldap asked the
ldap server for the whole bunch of passwd and group entries instead of
doing a smart ldap search.

As our ldap userbase has more than 512 entries, I had to increase the
sizelimit parameter on the server as a workaround.

Via tcpdump I found that the client sent a
  LDAPMessage searchRequest(2) ou=user,dc=in-berlin,dc=de wholeSubtree
instead of doing a search.
I expected it to do a search like

ldapsearch ... 'uid=..' and
ldapsearch ... '(&(objectClass=posixGroup)(memberUid=...))' gidNumber,gidName
for group memberships.

Please correct me if I'm wrong, but I cannot expect that getting the
whole table would be a reasonable approach for a larger user database.

I verified that the used ldap server is working.

from /etc/nsswitch.conf:
passwd: files ldap
group:  files ldap
shadow: files ldap

regards
Olaf

The contents of
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]  1.5.22           Debian configuration management sy
ii  libc6                  2.7-10           GNU C Library: Shared libraries
ii  libcomerr2             1.40.8-2         common error description library
ii  libkrb53               1.6.dfsg.3-2     MIT Kerberos runtime libraries
ii  libldap-2.4-2          2.4.7-6.3+b1     OpenLDAP libraries
ii  libsasl2-2             2.1.22.dfsg1-20  Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap  184-4   Pluggable Authentication Module al
ii  nscd         2.7-12  GNU C Library: Name Service Cache

libnss-ldap suggests no packages.

-- debconf information:
* libnss-ldap/dblogin: false
* libnss-ldap/override: true
* shared/ldapns/base-dn: ou=user,dc=in-berlin,dc=de
* libnss-ldap/rootbinddn: cn=manager,dc=example,dc=net
* shared/ldapns/ldap_version: 3
  libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* shared/ldapns/ldap-server: ldap://ldapserver1/ ldap://ldapserver2/
* libnss-ldap/nsswitch:
* libnss-ldap/confperm: false
* libnss-ldap/dbrootlogin: false






Bug#500479: 'id' hangs forever: libnss-ldap getting whole tree instead of ldap search for group.

2008-09-28 Thread Richard A Nelson

On Sun, 28 Sep 2008, Olaf Schulz wrote:

> 'id' will hang forever if sizelimit 2048 is not set in the ldap
> server config.

Odd, something is likely amiss in your setup

> For the reason behind this behaviour I found that libnss-ldap asked the
> ldap server for the whole bunch of passwd and group entries instead of
> doing a smart ldap search.

You don't show your /etc/libnss-ldap.conf - does it actually have
any filters enabled?

> As our ldap userbase has more than 512 entries, I had to increase the
> sizelimit parameter on the server as a workaround.
>
> Via tcpdump I found that the client sent a
>   LDAPMessage searchRequest(2) ou=user,dc=in-berlin,dc=de wholeSubtree
> instead of doing a search.
> I expected it to do a search like

You have to tell it what filters and base to use

> ldapsearch ... 'uid=..' and
> ldapsearch ... '(&(objectClass=posixGroup)(memberUid=...))' gidNumber,gidName
> for group memberships.
>
> Please correct me if I'm wrong, but I cannot expect that getting the
> whole table would be a reasonable approach for a larger user database.
>
> I verified that the used ldap server is working.
>
> from /etc/nsswitch.conf:
> passwd: files ldap
> group:  files ldap
> shadow: files ldap

Your configuration likely has issues, but still, you're likely to be
happier if you move to libnss-ldapd; it is less resource intensive

> regards
> Olaf

Good luck,
--
Rick
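The two messages above turn on the same point: an unfiltered wholeSubtree fetch of the base DN runs into the server's sizelimit as soon as the tree is larger than that limit, while the per-user and per-group filters the reporter expected return a handful of entries. The following is an added example written for this thread; it is not code from the bug report, from libnss-ldap, or from libnss-ldapd, and it makes no claim about how either library builds its queries. It uses the base DN quoted in the report (ou=user,dc=in-berlin,dc=de) and the 512-entry limit the reporter mentions, a constructed sample directory, and a toy in-process filter evaluator that only implements the equality, presence, and, or and not forms needed here. The escaping follows RFC 4515, which is what keeps a username taken from a lookup from rewriting the filter.

```python
import re
from dataclasses import dataclass

BASE_DN = "ou=user,dc=in-berlin,dc=de"   # base DN quoted in the bug report
SERVER_SIZELIMIT = 512                   # the server-side limit the reporter hit

# RFC 4515 escaping for values placed inside a search filter.  Without it a
# looked-up name such as "*)(uid=*" becomes filter syntax instead of a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)


def passwd_filter(uid: str) -> str:
    """Per-user lookup the reporter expected instead of a whole-tree fetch."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))"


def group_filter(uid: str) -> str:
    """Supplementary groups: every posixGroup that lists uid as memberUid."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"


# --- toy in-process filter evaluator (assumption: enough for this demo) ----

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int):
    """Parse one parenthesised filter starting at f[i]; return (node, next_i)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [node]), i + 1
    j = f.index(")", i)
    attr, _, raw = f[i:j].partition("=")
    if raw == "*":                       # presence test, e.g. (objectClass=*)
        return ("present", attr.lower()), j + 1
    return ("=", attr.lower(), _unescape(raw)), j + 1


def parse_filter(f: str):
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing data after filter")
    return node


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    if kind == "present":
        return node[1] in entry
    _, attr, val = node                  # caseIgnoreMatch, as uid/memberUid use
    return any(v.lower() == val.lower() for v in entry.get(attr, []))


@dataclass
class SearchResult:
    entries: list
    size_limit_exceeded: bool = False    # result code 4 on a real server


def search(directory, filter_str, sizelimit=SERVER_SIZELIMIT) -> SearchResult:
    """Subtree search that behaves like a server with a sizelimit: return the
    first `sizelimit` matches and flag the result as incomplete beyond that."""
    node = parse_filter(filter_str)
    hits = [e for e in directory if _matches(node, e)]
    if len(hits) > sizelimit:
        return SearchResult(hits[:sizelimit], True)
    return SearchResult(hits)


def build_sample_directory(n_users=600):
    """Constructed sample data (not the reporter's tree): enough posixAccount
    entries to exceed a 512 sizelimit, plus a few posixGroup entries."""
    users = [{"objectclass": ["posixAccount"], "uid": [f"user{i:04d}"],
              "uidnumber": [str(10000 + i)], "gidnumber": ["100"]}
             for i in range(n_users)]
    users.append({"objectclass": ["posixAccount"], "uid": ["olaf"],
                  "uidnumber": ["1001"], "gidnumber": ["100"]})
    groups = [
        {"objectclass": ["posixGroup"], "cn": ["admins"], "gidnumber": ["200"],
         "memberuid": ["olaf", "user0001"]},
        {"objectclass": ["posixGroup"], "cn": ["wheel"], "gidnumber": ["201"],
         "memberuid": ["olaf"]},
        {"objectclass": ["posixGroup"], "cn": ["www"], "gidnumber": ["202"],
         "memberuid": ["user0002"]},
    ]
    return users + groups


DIRECTORY = build_sample_directory()


def lookup_user_groups(uid: str):
    """What an 'id <uid>' needs: the account and its supplementary groups, as
    two narrow searches that stay far below the sizelimit."""
    return search(DIRECTORY, passwd_filter(uid)), search(DIRECTORY, group_filter(uid))


if __name__ == "__main__":
    whole = search(DIRECTORY, "(objectClass=*)")
    print(f"unfiltered fetch of {BASE_DN}: {len(whole.entries)} entries, "
          f"sizeLimitExceeded={whole.size_limit_exceeded}")
    acct, grps = lookup_user_groups("olaf")
    print("account:", acct.entries[0]["uid"][0],
          "groups:", [g["cn"][0] for g in grps.entries])
```

Running it shows the contrast the reporter observed: the presence filter over the whole base returns 512 entries and the exceeded flag, which is the point at which a client that relies on the full list stops making progress, while the two filtered lookups return one account and two groups. Raising the server's sizelimit to 2048, as the reporter did, makes the unfiltered fetch complete again but only until the tree outgrows the new limit; configuring the filters and base is the fix Richard points at.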


