Entries in LDAP dir seem to sporadically become unreadable
Hi all,
I'm using OpenLDAP ver 2.2.23-1 on Debian Linux as a means for providing
PAM authentication across multiple machines, as well as providing a
central repository of email addresses, aliases and mail lists for postfix.
This machine has been upgraded from our previously unproblematic version
of OpenLDAP, version 2.0.23-6.3.
What I'm finding is that sporadically our MTA (postfix) will not be able
to find a given entry in the directory, or that NS on one of the servers
will not be able to correctly resolve group or user ids. There doesn't
seem to be any rhyme or reason to the pattern of the occurrence (and it's
not overly frequent, once a week or so at the moment), it just seems to
happen. No errors in the logs, no strange updates in the logs either.
The machines that access the directory range in configuration from 2.4
kernels to 2.6 kernels, some are sync'd against the latest sarge
packages, others are a few months old (all display the same lookup
behaviour once an entry goes bad).
When it happens, I'm able to use ldapsearch to view the entry in this way:
ldapsearch -x groupEMail=foo
but if I do this :
ldapsearch -x -b "ou=GroupEMail,dc=my,dc=domain,dc=com" "(&(objectclass=MailGroup)(groupEMail=foo))"
I get no valid matches.
I can also correctly see the entry and all its details using a tool such
as GQ.
If I rename the existing entry to something else, create a new entry and
give it all the same details as the renamed entry and save it,
everything goes back to working again - so it doesn't seem like a
configuration issue to me.
Even stranger is that once I have two entries that are identical but for
name (i.e. the old one and the new one) I see the following behaviour:
This (to search for the new entry):
ldapsearch -x -b "ou=GroupEMail,dc=my,dc=domain,dc=com" "(&(objectclass=MailGroup)(groupEMail=foo))"
gets me a successful match, but the same query for the old entry (except
of course to change foo to foo-old) gets no successful matches.
The infrastructure that surrounds the LDAP directory has not changed at
all, so I am only left to consider that something has changed with the
OpenLDAP daemon. It sort of seems like a possible data corruption, but
the ability to query it successfully under some circumstances makes it
seem unlikely.
Any advice that can be offered on the problem, or how I might be able to
chase it down is VERY appreciated ;-)
Cheers
Dave
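The check Dave asks for, as an added example that is not part of his post: a script that collects every entry the unscoped search returns and then runs the scoped compound filter from the post for each one, reporting entries reachable by one form but not the other. Assumed: the base DN, attribute and objectClass are the ones quoted in the post, and ldapsearch -x talks to the server and default base from ldap.conf.

```shell
#!/bin/sh
# Added consistency check, not from the original post: report directory entries
# that the unscoped single-attribute search returns but the scoped compound
# filter (the form that sporadically fails in the post) does not.
set -eu

# Values taken from the post; the server is whatever ldapsearch -x defaults to.
BASE_DN="ou=GroupEMail,dc=my,dc=domain,dc=com"
ATTR="groupEMail"
OBJCLASS="MailGroup"

# Sorted DNs from an ldapsearch LDIF dump. Non-ASCII DNs appear base64-encoded
# as "dn:: ..."; the encoded form is kept, which compares fine between dumps.
dn_list() {
    grep '^dn::* ' "$1" | sed 's/^dn::* //' | sort -u
}
# DNs the broad search ($1) found that the scoped search ($2) did not. Only DNs
# under BASE_DN count, since the broad search is not limited to that subtree.
# Empty output means the two search forms agree on every entry.
missing_from_scoped() {
    mb=$(mktemp); ms=$(mktemp)
    dn_list "$1" | grep -i ",${BASE_DN}\$" > "$mb" || true
    dn_list "$2" > "$ms"
    comm -23 "$mb" "$ms"
    rm -f "$mb" "$ms"
}
# Constructed sample output standing in for two real runs: the broad search
# sees foo, foo-old, bar and an unrelated person; the scoped one lost foo-old.
demo() {
    db=$(mktemp); ds=$(mktemp)
    printf 'dn: %s=foo,%s\n\ndn: %s=foo-old,%s\n\ndn: %s=bar,%s\n\ndn: uid=dave,ou=People,dc=my,dc=domain,dc=com\n' \
        "$ATTR" "$BASE_DN" "$ATTR" "$BASE_DN" "$ATTR" "$BASE_DN" > "$db"
    printf 'dn: %s=foo,%s\n\ndn: %s=bar,%s\n' "$ATTR" "$BASE_DN" "$ATTR" "$BASE_DN" > "$ds"
    missing_from_scoped "$db" "$ds"
    rm -f "$db" "$ds"
}
# Live run: the poster's broad search, then his exact equality filter once per
# value (a wildcard takes a different index path and could hide the fault).
# Assumes attribute values contain no LDAP filter metacharacters.
check_directory() {
    lb=$(mktemp); ls_=$(mktemp)
    ldapsearch -x -LLL "(${ATTR}=*)" "$ATTR" > "$lb"
    sed -n "s/^${ATTR}: //p" "$lb" | sort -u | while read -r value; do
        ldapsearch -x -LLL -b "$BASE_DN" "(&(objectclass=${OBJCLASS})(${ATTR}=${value}))" dn
    done > "$ls_"
    missing_from_scoped "$lb" "$ls_"
    rm -f "$lb" "$ls_"
}

case "${1:-}" in --live) check_directory ;; *) demo ;; esac
```

Without arguments the script runs the demo on the constructed LDIF; pass --live to run both search forms against the real directory and list the entries the scoped form cannot find.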