Hi,
It was not a wild guess. As soon as I added the value "nss_paged_results no" it worked.
Now getent always returns 1624 users.
Thank you
/Jocke
Hi,
Am Mittwoch 20 Oktober 2010, 08:33:32 schrieb Jocke M:
> Hi,
>
> I did use the ldapsearch and here is what I found out
>
> ldapsearch "ldapserver" returned 1586 users
> /etc/passwd has 38 users
>
> nsswitch.conf
> passwd: files ldap
>
> So sometimes I assume getent returns files (38) + ldap (1586) = 1624
>
> But mostly getent only returns 1038
>
> Sizelimit on the ldap server is set to 5000
>
> Can it be that sometimes only 1000 users get returned from the getent
> ldap search? And if so, why?
This is just a wild guess, but IIRC, 1000 is the default page size when
nss_ldap is configured to use the LDAP paging control. Probably the
nss_ldap version or your server has problems processing this control;
IIRC there have been some problems with paged results in nss_ldap in the
past. Please test what happens if you use "nss_paged_results no" in your
nss_ldap config (hopefully your nss_ldap is recent enough to have that
option).
Ralf
> /Jocke
>
> On Tue, Oct 19, 2010 at 14:55, Prentice Bisbal <prentice@ias.edu> wrote:
> > Jocke M wrote:
> > > Hello,
> > >
> > > We are running an OpenLDAP server on RHEL4 and I just found out
> > > that running getent on the RHEL clients sometimes missed users
> > > against the OpenLDAP server.
> > >
> > > Example:
> > > getent passwd | wc -l
> > > 1038
> > >
> > > getent passwd | wc -l
> > > 1624
> > >
> > > Does anyone know what can be faulty, either on the clients or the
> > > server?
> > >
> > > --
> > > Thx
> > > Jocke
> >
> > Did those results occur on the same client, or are those results
> > from two different clients?
> >
> > If two different clients are returning different results, I'd
> > compare the /etc/ldap.conf and /etc/openldap/ldap.conf files first.
> > It could be that one has different filter criteria than the
> > other. Or, if you've recently upgraded your LDAP servers, one
> > client could still be pointing to an old LDAP server that doesn't
> > have the new entries.
> >
> > Try using the ldapsearch command with the same search criteria and
> > see if you get the same results. I would use the -h or -H switch to
> > make sure you are using the server you think you are using (change
> > specifics accordingly)
> >
> > ldapsearch -LLL -h yourldapserver.example.com -b dc=example,dc=com
> > "objectClass=posixAccount" dn
> >
> > --
> > Prentice
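The paging behaviour Ralf describes, as an added simulation that is not nss_ldap or OpenLDAP code: a toy RFC 2696 (Simple Paged Results) cookie loop using the thread's numbers (38 local users, 1586 LDAP users, default page size 1000, server sizelimit 5000) to show how a paged exchange that stops after the first page yields exactly 1038 entries while a correct one, or an unpaged search as with "nss_paged_results no", yields 1624. The user lists are constructed; the server and client functions are simplified stand-ins, not a real LDAP library.

```python
"""Toy model of LDAP Simple Paged Results (RFC 2696) for the getent case
in the thread. Constructed data: 1586 LDAP users and 38 /etc/passwd users."""

FILES_USERS = [f"local{i}" for i in range(38)]      # constructed, stands in for /etc/passwd
LDAP_USERS = [f"uid{i}" for i in range(1586)]       # constructed, stands in for the directory
DEFAULT_PAGE_SIZE = 1000                             # nss_ldap default page size per the thread
SERVER_SIZELIMIT = 5000                              # sizelimit quoted in the thread


def server_search(page_size, cookie):
    """One search round trip with the paged control.
    Returns (entries, next_cookie); an empty cookie means this was the last page."""
    start = int(cookie) if cookie else 0
    entries = LDAP_USERS[start:start + page_size]
    end = start + len(entries)
    next_cookie = str(end) if end < len(LDAP_USERS) else ""
    return entries, next_cookie


def paged_search(page_size=DEFAULT_PAGE_SIZE, follow_cookie=True):
    """Client side of the paging loop. A correct client re-issues the search
    with the returned cookie until the server returns an empty one. A client
    or server that mishandles the control effectively stops after page one,
    which is modelled here by follow_cookie=False."""
    results, cookie = [], ""
    while True:
        entries, cookie = server_search(page_size, cookie)
        results.extend(entries)
        if not cookie or not follow_cookie:
            return results


def getent_passwd(paged=True, follow_cookie=True):
    """nsswitch 'passwd: files ldap': local entries followed by LDAP entries.
    paged=False models 'nss_paged_results no': one unpaged search that is
    bounded only by the server sizelimit."""
    if paged:
        ldap = paged_search(follow_cookie=follow_cookie)
    else:
        ldap = LDAP_USERS[:SERVER_SIZELIMIT]
    return FILES_USERS + ldap


def looks_page_truncated(getent_count, files_count, page_size=DEFAULT_PAGE_SIZE):
    """Quick check from the thread's arithmetic: if the LDAP share of the getent
    output is exactly one page long, suspect the paging control rather than data."""
    return getent_count - files_count == page_size
```

Running getent_passwd() three ways reproduces the 1624 / 1038 / 1624 counts seen in the thread, and looks_page_truncated(1038, 38) flags the short run as a page-boundary symptom.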