Hi, I have configured a machine to authenticate against LDAP. When I log onto the box using the newly created user, I see an LDAP search request for every user that exists in the directory. If I have only 20 users, or even 100, that is not a problem, but when I get to 10000 users I start getting some weird errors and timeouts because of the time it takes to download the data to the client.
I have tested this against 389 Directory Server and OpenLDAP and both give the same behaviour described above.
I have tried adding nss_base directives in /etc/ldap.conf but it has had no effect.
My /etc/ldap.conf:

binddn uid=SysAuth,ou=Service Accounts,dc=mycompany
bindpw secret
pam_password clear
base dc=betfair
nss_base_passwd ou=people,dc=mycompany?sub
nss_base_group ou=Groups,dc=mycompany?sub
nss_base_group ou=PrivateGroups,dc=mycompany?sub
nss_base_group ou=SystemGroups,dc=mycompany?sub

sizelimit 1000
idle_timelimit 5
timelimit 10
bind_timelimit 5
nss_reconnect_tries 1
nss_reconnect_maxconntries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
I have also played around with various debug levels in /etc/ldap.conf, but I have not really been successful in matching the requests I see there to the requests I see in wireshark. The man pages on CentOS (man pam_ldap and man nss_ldap) also make no mention of the available log levels or what they do. I have also scanned the source code for more info on log levels but did not find anything useful. If it is in the source code then please point me to it.
I have gone through the pam-list logs and the closest I could find was the following thread: https://www.redhat.com/archives/pam-list/2009-September/thread.html and a similar thread in December 2010. These threads, although similar, are related to groups, and my problem is with every user being queried.
I am fairly certain (hopeful at least) that it is a config error on my part, but I have not been able to find that error yet and would welcome any assistance in finding the problem.
My system-auth in /etc/pam.d/ looks as follows:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
Using CentOS release 5.4 on the client and 5.5 on the server, but I see the same result if the server is on 5.4.
Regards
________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
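To correlate what the NSS client does per login with what the directory server records (the problem described above is matching nss_ldap debug output to the searches seen on the wire), here is an added example that is not part of the thread: it parses OpenLDAP `loglevel stats` search lines, classifies each filter as a single-user lookup, a group lookup or a whole-tree enumeration, and flags connections that touch many distinct uids. The log lines are constructed samples, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenLDAP "loglevel stats" format (not from the thread).
# One connection, one login: a lookup of the user, a group lookup, then a full
# enumeration and lookups of other users, which is the symptom the poster describes.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="uid=SysAuth,ou=Service Accounts,dc=mycompany" method=128
conn=1001 op=1 SRCH base="ou=people,dc=mycompany" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
conn=1001 op=2 SRCH base="ou=Groups,dc=mycompany" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))"
conn=1001 op=3 SRCH base="ou=people,dc=mycompany" scope=2 deref=0 filter="(objectClass=posixAccount)"
conn=1001 op=4 SRCH base="ou=people,dc=mycompany" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=asmith))"
conn=1001 op=5 SRCH base="ou=people,dc=mycompany" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=bjones))"
conn=1001 op=6 SRCH base="ou=people,dc=mycompany" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=501))"
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')

def classify(filt):
    """Label a search filter by the NSS call that typically produces it."""
    if "(uid=" in filt or "(uidNumber=" in filt:       # getpwnam / getpwuid
        return "user-lookup"
    if "(memberUid=" in filt or "(gidNumber=" in filt:  # initgroups / getgrgid
        return "group-lookup"
    if "posixAccount" in filt:                          # getpwent: whole user tree
        return "user-enumeration"
    if "posixGroup" in filt:                            # getgrent: whole group tree
        return "group-enumeration"
    return "other"

def summarize(log_text):
    """Per connection: counts of each search class and the distinct uids looked up."""
    counts = defaultdict(Counter)
    uids = defaultdict(set)
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue
        conn, _op, _base, _scope, filt = m.groups()
        counts[conn][classify(filt)] += 1
        for u in re.findall(r"\(uid=([^)]*)\)", filt):
            uids[conn].add(u)
    return {c: dict(v) for c, v in counts.items()}, {c: sorted(v) for c, v in uids.items()}

def suspicious(log_text, max_distinct_uids=1):
    """Connections that enumerate users or look up more uids than one login should need."""
    counts, uids = summarize(log_text)
    return sorted(c for c in counts
                  if counts[c].get("user-enumeration", 0) > 0 or len(uids.get(c, ())) > max_distinct_uids)
```

Running it over a real slapd log (or a tshark dissection rewritten to the same fields) shows whether the flood is one enumeration search or many per-user lookups, which narrows down which NSS call is responsible.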
On Tue, 26 Oct 2010, Gerrard Geldenhuis wrote:
nss_base_passwd ou=people,dc=mycompany?sub nss_base_group ou=Groups,dc=mycompany?sub nss_base_group ou=PrivateGroups,dc=mycompany?sub nss_base_group ou=SystemGroups,dc=mycompany?sub
Try replacing "?sub" with "?one".
Steve

----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
  "186,300 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------
From: centos-bounces@centos.org [centos-bounces@centos.org] on behalf of Steve Thompson [smt@vgersoft.com] Sent: 26 October 2010 18:56 To: CentOS mailing list Subject: Re: [CentOS] Every user in LDAP queried when one user logs on.
On Tue, 26 Oct 2010, Gerrard Geldenhuis wrote:
nss_base_passwd ou=people,dc=mycompany?sub nss_base_group ou=Groups,dc=mycompany?sub nss_base_group ou=PrivateGroups,dc=mycompany?sub nss_base_group ou=SystemGroups,dc=mycompany?sub
Try replacing "?sub" with "?one".
Steve
Thanks Steve, I have tried that before but failed to mention it in the email. It makes no difference whatsoever. Since the tree does not go deeper than ou=people,dc=company, sub in this instance is one.
Regards