
Re: Sometimes getent missing users



Hi,

Am Mittwoch 20 Oktober 2010, 08:33:32 schrieb Jocke M:
> Hi,
> 
> I did use the ldapsearch and here is what I found out
> 
> ldapsearch "ldapserver" returned 1586 users
> /etc/passwd has 38 users
> 
> nsswitch.conf
> passwd:     files ldap
> 
> So sometimes I assume getent returns files (38) + ldap (1586) = 1624
> 
> But mostly getent only returns 1038
> 
> Sizelimit on the ldap server is set to 5000
> 
> Can it be that sometimes only 1000 users gets returned from the getent
> ldap search? And if so, why?
This is just a wild guess, but IIRC, 1000 is the default page size when 
nss_ldap is configured to use the LDAP paging control. Probably the 
nss_ldap version or your server has problems processing this control; 
IIRC there have been some problems with paged results in nss_ldap in the 
past. Please test what happens if you use "nss_paged_results no" in your 
nss_ldap config (hopefully your nss_ldap is recent enough to have that 
option).

> /Jocke
> 
> On Tue, Oct 19, 2010 at 14:55, Prentice Bisbal <prentice@ias.edu> wrote:
> > Jocke M wrote:
> > > Hello,
> > > 
> > > We are running an OpenLDAP server on RHEL4 and I just found out
> > > that running getent on the RHEL clients sometimes missed users
> > > against the OpenLDAP server.
> > > 
> > > Example:
> > > getent passwd | wc -l
> > > 1038
> > > 
> > > getent passwd | wc -l
> > > 1624
> > > 
> > > Does anyone know what can be faulty, either on the clients or the
> > > server?
> > > 
> > > --
> > > Thx
> > > Jocke
> > 
> > Did those results occur on the same client, or are those results
> > from two different clients?
> > 
> > If two different clients are returning different results, I'd
> > compare the /etc/ldap.conf and /etc/openldap/ldap.conf files first.
> > It could be that one has a different filter criteria than the
> > other. Or, if you've recently upgraded your LDAP servers, one
> > client could still be pointing to an old LDAP server that doesn't have
> > new entries.
> > 
> > Try using the ldapsearch command with the same search criteria and
> > see if you get the same results. I would use the -h or -H switch to
> > make sure you are using the server you think you are using (change
> > specifics accordingly)
> > 
> > ldapsearch -LLL -h yourldapserver.example.com -b dc=example,dc=com
> > "objectClass=posixAccount" dn
> > 
> > --
> > Prentice

Ralf