Hello,
We are running an OpenLDAP server on RHEL4 and I just found out that running getent on the RHEL clients sometimes misses users against the OpenLDAP server.
Example:
getent passwd | wc -l
1038
getent passwd | wc -l
1624
Does anyone know what can be faulty, either on the clients or the server?
Hello,
are you using any sort of caching like nscd? You may try to check if that's happening when caching is disabled.
Bye, Benjamin.
On Mon, Oct 18, 2010 at 15:18, Jocke M jocke.martensson@gmail.com wrote:
On Mon, 18/10/2010 at 15:18 +0200, Jocke M wrote:
Probably nscd is running and caching requests for some period.
Hi,
I thought so too, but even if I turn nscd off I still have the same issue.
[root@xxxx ~]# /etc/init.d/nscd stop
Stopping nscd: [ OK ]
[root@xxxx ~]# getent passwd | wc -l
1038
[root@xxxx ~]# getent passwd | wc -l
1624
[root@xxxx ~]# getent passwd | wc -l
1038
The longer list of users (1624) is only returned once in a while, at what seem to be random times.
/Jocke
2010/10/19 Покотиленко Костик casper@meteor.dp.ua
Ok, that seems weird. Try piping the output of each run into a file and diffing them against each other. Maybe you will see from the content why that is happening.
Bye.
On Tue, Oct 19, 2010 at 09:48, Jocke M jocke.martensson@gmail.com wrote:
On 18/10/2010 15:18, Jocke M wrote:
What results do you get when running a similar search manually from the clients, via ldapsearch?
Any error or warning messages in the slapd logs?
Jonathan
Jocke M wrote:
Did those results occur on the same client, or are those results from two different clients?
If two different clients are returning different results, I'd compare the /etc/ldap.conf and /etc/openldap/ldap.conf files first. It could be that one has different filter criteria than the other. Or, if you've recently upgraded your LDAP servers, one client could still be pointing to an old LDAP server that doesn't have the new entries.
Try using the ldapsearch command with the same search criteria and see if you get the same results. I would use the -h or -H switch to make sure you are using the server you think you are using (change specifics accordingly)
ldapsearch -LLL -h yourldapserver.example.com -b dc=example,dc=com "objectClass=posixAccount" dn
Hi,
I did use the ldapsearch and here is what I found out
ldapsearch against "ldapserver" returned 1586 users
/etc/passwd has 38 users
nsswitch.conf: passwd: files ldap
So sometimes I assume getent returns files (38) + ldap (1586) = 1624
But mostly getent only returns 1038
Sizelimit on the ldap server is set to 5000
Can it be that sometimes only 1000 users get returned from the getent LDAP search? And if so, why?
/Jocke
On Tue, Oct 19, 2010 at 14:55, Prentice Bisbal prentice@ias.edu wrote:
Hi,
On Wednesday 20 October 2010, 08:33:32, Jocke M wrote:
This is just a wild guess, but IIRC, 1000 is the default page size when nss_ldap is configured to use the LDAP paging control. Probably the nss_ldap version or your server has problems processing this control; IIRC there have been some problems with paged results in nss_ldap in the past. Please test what happens if you use "nss_paged_results no" in your nss_ldap config (hopefully your nss_ldap is recent enough to have that option).
Ralf
Hi,
It was not a wild guess. As soon as I added the value "nss_paged_results no" it worked. Now getent always returns 1624 users.
Thank you
/Jocke
On Wed, Oct 20, 2010 at 11:11, Ralf Haferkamp rhafer@suse.de wrote:
Hi, does paging in this context refer to a caching mechanism? Even the man page says paging; it could be paging like less/more. :)
Bye.
On Wed, Oct 20, 2010 at 11:56, Jocke M jocke.martensson@gmail.com wrote:
On 20/10/2010 12:42, Benjamin Griese wrote:
"Paging" is getting search results page by page. Using a page size of 1000, an LDAP client would request a search, and receive the first 1000 results, and a "cookie". After having handled the first 1000 results, the LDAP client can then contact the server again, sending the cookie, and will then receive the next 1000 results, and so on.
You could compare it to using MySQL's "LIMIT" keyword in SQL requests, if that means anything to you.
That's the short and simple version, the full version is RFC 2696: http://tools.ietf.org/html/rfc2696
Jonathan
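The following is an added example, not code from the thread, nss_ldap or OpenLDAP. It is a stand-alone model of the RFC 2696 exchange Jonathan describes (page, cookie, page, cookie, ... until the cookie comes back empty) and of the failure mode Ralf identified: a client that stops after the first page of 1000 entries. With a constructed directory of 1586 posixAccount entries and 38 local accounts (the numbers from Jocke's mails) it reproduces both counts, 1624 and 1038, and includes the "diff the two listings" check Benjamin suggested plus a heuristic for spotting a truncated enumeration. The directory contents, the cookie encoding and all function names are assumptions made for the illustration; no LDAP server is contacted.

```python
"""Model of LDAP paged results (RFC 2696) and the truncated-enumeration
failure mode discussed in the thread.  Added example: directory, cookie
format and names are constructed here, not taken from nss_ldap or slapd."""

PAGE_SIZE = 1000  # nss_ldap's default page size, per Ralf's reply


def build_directory(n_ldap_users):
    """Constructed stand-in for the posixAccount entries slapd would return."""
    return [f"uid=user{i:04d},ou=People,dc=example,dc=com" for i in range(n_ldap_users)]


def paged_search(entries, page_size, cookie=b""):
    """Server side of RFC 2696: return one page and a cookie.

    The cookie is opaque to a real client; here it simply encodes the offset
    of the next page.  An empty cookie means there are no more pages."""
    offset = int(cookie) if cookie else 0
    page = entries[offset:offset + page_size]
    next_offset = offset + len(page)
    next_cookie = str(next_offset).encode() if next_offset < len(entries) else b""
    return page, next_cookie


def search_all_pages(entries, page_size=PAGE_SIZE):
    """Correct client: resend the cookie until the server returns an empty one."""
    results, cookie = [], b""
    while True:
        page, cookie = paged_search(entries, page_size, cookie)
        results.extend(page)
        if not cookie:
            return results


def search_first_page_only(entries, page_size=PAGE_SIZE):
    """Broken client: treats the first page as the complete result set.

    This models what the thread observed: the LDAP source intermittently
    contributed exactly page_size entries to the getent enumeration."""
    page, _cookie = paged_search(entries, page_size, b"")
    return page


def getent_passwd(files_users, ldap_users):
    """nsswitch.conf 'passwd: files ldap': /etc/passwd entries followed by
    whatever the LDAP source returned."""
    return list(files_users) + list(ldap_users)


def missing_users(full_listing, short_listing):
    """Benjamin's check as a set difference instead of diff(1): the names
    present in the long listing but absent from the short one."""
    return sorted(set(full_listing) - set(short_listing))


def looks_truncated(ldap_count, page_size=PAGE_SIZE):
    """Heuristic: a non-zero LDAP count that is an exact multiple of the page
    size deserves a manual ldapsearch comparison before trusting it."""
    return ldap_count > 0 and ldap_count % page_size == 0


if __name__ == "__main__":
    directory = build_directory(1586)             # ldapsearch count from the thread
    local = [f"local{i:02d}" for i in range(38)]  # /etc/passwd count from the thread
    good = getent_passwd(local, search_all_pages(directory))
    bad = getent_passwd(local, search_first_page_only(directory))
    print(len(good), len(bad))                    # 1624 1038
    print(len(missing_users(good, bad)), "users missing from the short listing")
    print("LDAP part looks truncated:", looks_truncated(len(bad) - len(local)))
```

The fix Jocke applied, "nss_paged_results no", removes the control from the request altogether, so the server answers with the whole result set in one response (subject to its sizelimit, 5000 here). The model above shows why that works around the bug rather than what the bug in the client or server was: with paging on, correctness depends on the client actually following every cookie.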
openldap-technical@openldap.org