| 1 |
On Mon, Oct 22, 2007 at 09:56:59PM +0200, Bertram Scharpf wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Am Montag, 22. Okt 2007, 15:30:59 +0200 schrieb Michael Hanselmann: |
| 5 |
> > On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote: |
| 6 |
> > > Therefore I suppose the slapd daemon tries to obtain passwd/shadow |
| 7 |
> > > information for ldap via nss_ldap. |
| 8 |
> > |
| 9 |
> > Yes, it does. Therefore, use something like the following line in |
| 10 |
> > /etc/ldap.conf: |
| 11 |
> > |
| 12 |
> > nss_initgroups_ignoreusers root,ldap,cron,portage |
| 13 |
> |
| 14 |
> Ah, I did not know this yet. I see the problem in whole is |
| 15 |
> more complicated. |
| 16 |
> |
| 17 |
> Even though Alec enters caveats I will use the ignore |
| 18 |
> solution for now. What was troubling me was that I didn't |
| 19 |
> know what was going on at all. |
| 20 |
I was busy with other things, so I didn't get to this. |
| 21 |
|
| 22 |
It's not unique to Gentoo, but rather it is more apparent on Gentoo |
| 23 |
because of how users do things. |
| 24 |
|
| 25 |
The RHEL documentation on LDAP server (mind you, I last read it before |
| 26 |
they did their own Fedora Directory Server) had big warnings about not |
| 27 |
using nss_ldap on the machine that housed your slapd. |
| 28 |
|
| 29 |
Secondly, the glibc NSS lookup for a numeric UID has a nasty bit in it: |
| 30 |
for S in NSS-sources: |
| 31 |
lookup for U in the numeric column |
| 32 |
if found, return. |
| 33 |
lookup for U in the key column (pw_name) |
| 34 |
if found, return. |
| 35 |
|
| 36 |
Doing the U is member of groups lookup is even worse, since it doesn't |
| 37 |
break out of the look as soon as possible (hence why the |
| 38 |
initgroups_ignoreusers setting is important). |
| 39 |
|
| 40 |
Now if you are doing a lookup for a non-existent numeric UID, this means |
| 41 |
that you hit the files backend twice, and the LDAP backend twice. |
| 42 |
|
| 43 |
If slapd is not available (either because it is local and not started |
| 44 |
yet, OR because networking is not available yet), the LDAP lookups will |
| 45 |
time out. The Gentoo stock /etc/ldap.conf that powers nss_ldap has |
| 46 |
settings to try to minimize the cost of the timeouts, that uses a |
| 47 |
timeout of 15 seconds per lookup. |
| 48 |
|
| 49 |
I discussed this previously with Uberlord, I can't recall the bug #. |
| 50 |
The net of it is that _every_ UID and GID used (and yes, even doing an |
| 51 |
ls can hit them!) must be present in the core system data, or it the |
| 52 |
timeout penalty must be paid for each lookup. |
| 53 |
|
| 54 |
It's easy to fall foul of this. Somewhere around, there was a NSS module |
| 55 |
that just logged every lookup instead of performing them, and it is |
| 56 |
astounding how many lookups take place during boot. |
| 57 |
|
| 58 |
-- |
| 59 |
Robin Hugh Johnson |
| 60 |
Gentoo Linux Developer & Infra Guy |
| 61 |
E-Mail : robbat2@g.o |
| 62 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives