[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Sometimes getent missing users

Hi,

It was not a wild guess. As soon as I added the value "nss_paged_results no" it worked.
Now getent always returns 1624 users.

Thank you

/Jocke

On Wed, Oct 20, 2010 at 11:11, Ralf Haferkamp <rhafer@suse.de> wrote:
Hi,

Am Mittwoch 20 Oktober 2010, 08:33:32 schrieb Jocke M:
> Hi,
>
> I did use the ldapsearch and here is what I found out
>
> ldapsearch "ldapserver" returned 1586 users
> /etc/passwd has 38 users
>
> nsswitch.conf
> passwd:     files ldap
>
> So sometimes I assume getent returns files (38) + ldap (1586) = 1624
>
> But mostly getent only returns 1038
>
> Sizelimit on the ldap server is set to 5000
>
> Can it be that sometimes only 1000 users gets returned from the getent
> ldap search? And if so, why?
This is just a wild guess, but IIRC, 1000 is the default page size when
nss_ldap is configured to use the LDAP paging control. Problably the
nss_ldap Version or your server has problems processing this control,
IIRC there have been some problems with paged results in nss_ldap in the
past. Please test what happens if you use "nss_paged_results no" in your
nss_ldap config (hopefully you nss_ldap is recent enough to have that
option).

> /Jocke
>
> On Tue, Oct 19, 2010 at 14:55, Prentice Bisbal <prentice@ias.edu>
wrote:
> > Jocke M wrote:
> > > Hello,
> > >
> > > We are running an OpenLDAP server on RHEL4 and I just found out
> > > that running getent on the RHEL clients sometimes missed users
> > > against the OpenLDAP server.
> > >
> > > Example:
> > > getent passwd | wc -l
> > > 1038
> > >
> > > getent passwd | wc -l
> > > 1624
> > >
> > > Does anyone know what can be faulty, either on the clients or the
> > > server?
> > >
> > > --
> > > Thx
> > > Jocke
> >
> > Did those results occur on the same client, or are those results
> > from two different clients?
> >
> > If two different clients are returning different results, I'd
> > compare the /etc/ldap.conf and /etc/openldap/ldap.conf files first.
> > It could be that one has a different filter criteria than the
> > other. Or, if you've recently upgraded your LDAP servers, one
> > client could still be point to an old LDAP server that doesn't have
> > new entries.
> >
> > Try using the ldapsearch command with the same search criteria and
> > see if you get the same results. I would use the -h or -H switch to
> > make sure you are using the server you think you are using (change
> > specifics accordingly)
> >
> > ldapsearch -LLL -h yourldapserver.example.com -b dc=example,dc=com
> > "objectClass=posixAccount" dn
> >
> > --
> > Prentice

Ralf



--
Mvh
Jocke