[CentOS] openldap and nscd

Wed May 20 09:33:32 UTC 2009
Manuel Monteiro <Manuel.Monteiro at astro.up.pt>

Hi,

I applied all these suggestions and here's what happened:
- during boot it took a couple of minutes in "Applying ipv6tables firewall
rules:"
- sometimes it still fails to find a user
-----
May 19 23:03:33 mail postfix/local[26628]: 2E28F7686AE: to=<xxxxx at astro.up.pt>, relay=local, delay=0.03, delays=0.01/0/0/0.02, dsn=5.1.1, status=bounced (user unknown. Command output: procmail: Unknown user "xxxxx" )
-----

Other suggestions?

Thanks.

Manuel




-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of Filipe Brandenburger
Sent: Friday, 15 May 2009 19:57
To: CentOS mailing list
Subject: Re: [CentOS] openldap and nscd

Hi,

On Fri, May 15, 2009 at 12:52, Manuel Monteiro
<Manuel.Monteiro at astro.up.pt> wrote:
>> # Reconnect policy: hard (default) will retry connecting to
>> # the software with exponential backoff, soft will fail
>> # immediately.
>> #bind_policy hard
>
> As far as I remember we are using soft because the system would take too long
> to boot trying to connect to LDAP, but I'll try this over the weekend
> with less users around!

You can add some local users that will not belong to LDAP groups to
the ignore list, that will probably fix most of your problems during
bootup before the network is up:

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

In the past I have had problems with OpenLDAP not being able to get
new connections because of the open file descriptors limit (of 1024)
being reached, so it was not able to create new sockets. IIRC, the
message on the logs was clear in that sense, saying the limit had been
reached. To increase the number of file descriptors I added this line
to /etc/sysconfig/ldap:

ulimit -n 8192

If you are reaching the file descriptor limit, it may also mean that
you do not have enough threads to work on the requests. You may
increase that number. I have in my /etc/openldap/slapd.conf:

threads 64

When I start it up, it gives me a warning that this is larger than 32
which they think should be enough for anyone, but I guess that number
is pretty outdated considering today's hardware. Anyway, I'd rather
have too many and have a small overhead for the task switching than
having too few and not being able to cope with a burst.

> Meanwhile I'm also getting some authentication problems with IMAP server
> (dovecot)... the only service where I didn't find any failure was SSH,
> but it's only used occasionally.

Since I introduced the changes above my problems with OpenLDAP stopped
completely. I even implemented LDAP over SSL for all connections
(including user/group lookup) after that and had no noticeable
performance issues due to the overhead.

HTH,
Filipe
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
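The settings Filipe describes (bind_policy, nss_initgroups_ignoreusers, the ulimit -n line for slapd) and the bounce Manuel posted can be checked from a script rather than by eye. The following is an added example, not code from either poster or from the CentOS project. It assumes CentOS 5 conventions (nss_ldap's /etc/ldap.conf, local system accounts with uid below 500, postfix logging to /var/log/maillog, slapd limits readable under /proc) and constructs its own sample ldap.conf, passwd and maillog files modelled on the thread; the file paths and the hypothetical accounts alice, bob and nosuch are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the nss_ldap settings
# discussed above and scans a postfix maillog for the "user unknown" bounces
# that appear when LDAP lookups fail. Paths are passed in so the checks can
# run against copies of /etc/ldap.conf, /etc/passwd and /var/log/maillog.

# Effective bind_policy: "hard" when the directive is absent or commented
# out (the nss_ldap default quoted in the thread).
bind_policy() {
    awk '$1 == "bind_policy" { v = $2 } END { print (v == "" ? "hard" : v) }' "$1"
}

# Local system accounts (uid < 500 on CentOS 5) that are not listed in
# nss_initgroups_ignoreusers. Each one still causes an LDAP group lookup at
# boot, before the network is up; printed space-separated on one line.
missing_ignoreusers() {
    awk '
        NR == FNR {                        # first file: ldap.conf
            if ($1 == "nss_initgroups_ignoreusers") {
                n = split($2, u, ",")
                for (i = 1; i <= n; i++) ignored[u[i]] = 1
            }
            next
        }
        {                                  # second file: passwd
            split($0, f, ":")
            if (f[3] + 0 < 500 && !(f[1] in ignored)) { printf "%s%s", sep, f[1]; sep = " " }
        }
        END { print "" }
    ' "$1" "$2"
}

# Open descriptors versus the soft "Max open files" limit of a running
# process (e.g. slapd), read from /proc; shows whether the ulimit -n line in
# /etc/sysconfig/ldap took effect. Prints "used/limit" or "unknown".
fd_usage() {
    if [ -r "/proc/$1/limits" ] && [ -d "/proc/$1/fd" ]; then
        limit=$(awk '/^Max open files/ { print $4 }' "/proc/$1/limits")
        used=$(ls "/proc/$1/fd" | wc -l | tr -d ' ')
        echo "$used/$limit"
    else
        echo "unknown"
    fi
}

# Hours with at least $2 postfix local(8) "Unknown user" bounces in maillog
# $1, with the bounced recipients, so each can be re-checked afterwards with
# "getent passwd <user>": a burst of bounces for accounts that do exist in
# LDAP points at lookup failures rather than at bad addresses.
unknown_user_bursts() {
    awk -v thr="$2" '
        /status=bounced/ && /Unknown user "/ {
            split($3, t, ":")
            key = $1 " " $2 " " t[1] ":00"
            n[key]++
            match($0, /Unknown user "[^"]*"/)
            u = substr($0, RSTART + 14, RLENGTH - 15)
            if (!((key, u) in seen)) {
                seen[key, u] = 1
                users[key] = users[key] (users[key] == "" ? "" : ",") u
            }
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k], users[k] }
    ' "$1" | sort
}

# Constructed sample files modelled on the thread (not real data) in dir $1.
make_samples() {
    cat > "$1/ldap.conf" <<'EOF'
base dc=example,dc=org
uri ldap://ldap.example.org/
#bind_policy hard
bind_policy soft
nss_initgroups_ignoreusers root,ldap,haldaemon,dbus
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
named:x:25:25:Named:/var/named:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
alice:x:1001:1001:Directory account:/home/alice:/bin/bash
EOF
    cat > "$1/maillog" <<'EOF'
May 19 23:03:33 mail postfix/local[26628]: 2E28F7686AE: to=<alice@example.org>, relay=local, delay=0.03, delays=0.01/0/0/0.02, dsn=5.1.1, status=bounced (user unknown. Command output: procmail: Unknown user "alice" )
May 19 23:03:41 mail postfix/local[26628]: 3A11F7686B2: to=<bob@example.org>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output: procmail: Unknown user "bob" )
May 19 23:05:02 mail postfix/local[26630]: 4C22F7686B9: to=<alice@example.org>, relay=local, delay=0.04, delays=0.02/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
May 20 08:10:15 mail postfix/local[27001]: 5D33F7686C0: to=<nosuch@example.org>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output: procmail: Unknown user "nosuch" )
EOF
}

# Run with "--demo" to audit the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    echo "bind_policy:         $(bind_policy "$d/ldap.conf")"
    echo "missing ignoreusers: $(missing_ignoreusers "$d/ldap.conf" "$d/passwd")"
    echo "bounce bursts (>=2): $(unknown_user_bursts "$d/maillog" 2)"
    echo "fd usage of this sh: $(fd_usage $$)"
    rm -rf "$d"
fi
```

Against the real files the interesting combination is a bind_policy of soft together with system accounts missing from the ignore list: the boot-time lookups then fail fast instead of hanging, but every miss is an account whose group membership never got resolved. For a running slapd, fd_usage with its pid shows how close it sits to the limit that Filipe raised with ulimit -n; if the limit still reads 1024, the line in /etc/sysconfig/ldap is not being sourced by the init script.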