On Mon, Oct 22, 2007 at 09:56:59PM +0200, Bertram Scharpf wrote:
> Hi,
>
> On Monday, 22 Oct 2007, 15:30:59 +0200, Michael Hanselmann wrote:
> > On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > > information for ldap via nss_ldap.
> >
> > Yes, it does. Therefore, use something like the following line in
> > /etc/ldap.conf:
> >
> > nss_initgroups_ignoreusers root,ldap,cron,portage
>
> Ah, I did not know this yet. I see the problem in whole is
> more complicated.
>
> Even though Alec enters caveats I will use the ignore
> solution for now. What was troubling me was that I didn't
> know what was going on at all.
I was busy with other things, so I didn't get to this.

It's not unique to Gentoo, but rather it is more apparent on Gentoo
because of how users do things.

The RHEL documentation on LDAP server (mind you, I last read it before
they did their own Fedora Directory Server) had big warnings about not
using nss_ldap on the machine that housed your slapd.

Secondly, the glibc NSS lookup for a numeric UID has a nasty bit in it:

  for S in NSS-sources:
      lookup for U in the numeric column
      if found, return.
      lookup for U in the key column (pw_name)
      if found, return.

Doing the "which groups is U a member of" lookup is even worse, since it
doesn't break out of the loop as soon as possible (hence why the
initgroups_ignoreusers setting is important).

Now if you are doing a lookup for a non-existent numeric UID, this means
that you hit the files backend twice, and the LDAP backend twice.

If slapd is not available (either because it is local and not started
yet, OR because networking is not available yet), the LDAP lookups will
time out. The Gentoo stock /etc/ldap.conf that powers nss_ldap has
settings that try to minimize the cost of the timeouts; it uses a
timeout of 15 seconds per lookup.

I discussed this previously with Uberlord; I can't recall the bug #.
The net of it is that _every_ UID and GID used (and yes, even doing an
ls can hit them!) must be present in the core system data, or the
timeout penalty must be paid for each lookup.

It's easy to fall foul of this. Somewhere around, there was an NSS module
that just logged every lookup instead of performing them, and it is
astounding how many lookups take place during boot.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
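The following is an added example, not code from the thread, from glibc or from nss_ldap. It models the lookup order Robin describes (for each NSS source: numeric column, then the pw_name column, returning on the first hit) and the no-early-exit behaviour of the supplementary-group lookup, charging the 15-second timeout from the mail to every query that reaches an unreachable LDAP backend. The backends, users and groups (`root`, `portage`, `bertram`, the `users` group) are constructed sample data; the `Backend` class and the `ignoreusers` argument are this example's own names, and the ignore list stands in for the `nss_initgroups_ignoreusers` line quoted above. Running it shows why a UID absent from the core system data costs two LDAP timeouts, and why the ignore list removes the cost entirely for the listed users.

```python
from dataclasses import dataclass, field

LDAP_TIMEOUT = 15.0  # seconds per failed LDAP lookup, as stated in the mail


@dataclass
class Backend:
    """One NSS source. `users` maps pw_name -> uid, `groups` maps group
    name -> set of member names. All entries are constructed sample data."""
    name: str
    users: dict
    groups: dict = field(default_factory=dict)
    available: bool = True
    timeout: float = 0.0   # seconds lost per query while the source is down
    queries: int = 0
    elapsed: float = 0.0

    def _query(self, matcher):
        # Every call counts as one round trip; a down backend burns the
        # full timeout and answers nothing.
        self.queries += 1
        if not self.available:
            self.elapsed += self.timeout
            return None
        return matcher()

    def by_uid(self, uid):
        return self._query(lambda: next(
            ((n, u) for n, u in self.users.items() if u == uid), None))

    def by_name(self, key):
        return self._query(
            lambda: (key, self.users[key]) if key in self.users else None)

    def groups_of(self, user):
        return self._query(
            lambda: {g for g, m in self.groups.items() if user in m})


def getpwuid(uid, sources):
    """The order the mail describes: per source, try the numeric column,
    then the key column with the same value as a name, stopping on a hit."""
    for src in sources:
        hit = src.by_uid(uid) or src.by_name(str(uid))
        if hit:
            return hit
    return None


def initgroups(user, sources, ignoreusers=()):
    """Supplementary-group lookup: every source is consulted and the
    results merged, so there is no early exit. The one relief modelled
    here is the ldap source skipping users on the ignore list, which is
    what nss_initgroups_ignoreusers does."""
    groups = set()
    for src in sources:
        if src.name == "ldap" and user in ignoreusers:
            continue
        found = src.groups_of(user)
        if found:
            groups |= found
    return groups


def build_sources(ldap_up=False):
    """Constructed data: a minimal files backend and an LDAP backend that
    is down (slapd not started yet, the mail's boot-time scenario)."""
    files = Backend("files", {"root": 0, "portage": 250},
                    {"root": {"root"}, "wheel": {"root"}})
    ldap = Backend("ldap", {"bertram": 1000}, {"users": {"bertram"}},
                   available=ldap_up, timeout=LDAP_TIMEOUT)
    return [files, ldap]


def timed(lookup, sources):
    """Run one lookup on fresh counters; return (result, queries, seconds)."""
    for s in sources:
        s.queries, s.elapsed = 0, 0.0
    result = lookup(sources)
    return (result, {s.name: s.queries for s in sources},
            sum(s.elapsed for s in sources))


if __name__ == "__main__":
    srcs = build_sources()
    print("uid 0    :", timed(lambda s: getpwuid(0, s), srcs))
    print("uid 4242 :", timed(lambda s: getpwuid(4242, s), srcs))
    print("groups   :", timed(lambda s: initgroups("root", s), srcs))
    print("ignored  :", timed(lambda s: initgroups(
        "root", s, ("root", "ldap", "cron", "portage")), srcs))
```

The model's numbers match the mail's claims: a UID present in files costs one query and no LDAP traffic, a UID missing everywhere costs two queries per backend and therefore two LDAP timeouts (30 seconds) while slapd is down, and the group lookup for `root` always touches LDAP unless `root` is on the ignore list. Checking `getent passwd <uid>` timing on a real host with slapd stopped is the practical way to confirm the same effect.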