Re: Naming service daemon check is extremely chatty
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Naming service daemon check is extremely chatty
- Date: Sun, 28 Sep 2014 17:20:50 +0200
On Fri, 2014-08-15 at 01:34 -0400, Subu Ayyagari wrote:
> We are using the daemon check ( nslcd -c ) to monitor the service.
>
> But what we find is this is extremely chatty. It actually queries
> every account and returns success in the end.

The nslcd -c option should only check all local accounts when using the
nss_initgroups_ignoreusers alllocal option.

> Additionally it discards any local caching (nscd) and checks all
> accounts all over again - depending on monitoring frequency.

nscd only does caching for a number of lookups. The get all users lookup
(if alllocal is used) is not cached by nscd.

You can use nslcd -c to check whether the daemon is supposed to be
running. On start-up nslcd locks the pidfile and this is what nslcd -c
checks. If the process dies, the lock is cleared by the kernel so this
should be reliable.

If you want to know whether the service performs as expected, you should
probably do a lookup (e.g. getent passwd someuser) and look at the
results. The 0.9 series includes a getent.ldap command that can be used
to query nslcd directly bypassing the NSS layer (and nscd).

If you don't use nss_initgroups_ignoreusers I would be interested in
your configuration.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
--
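
The two checks described in the message above, combined into one monitoring probe. This is an added example, not part of the original post or of nss-pam-ldapd; the function names, the LOOKUP_CMD variable, the probe account name and the 0/2 exit-code convention are assumptions.

```shell
#!/bin/sh
# Two-stage nslcd health check (added example, not nss-pam-ldapd code).
# Assumed convention: return 0 = OK, 2 = CRITICAL.

# Lookup tool. "getent" goes through NSS (and nscd, if running). On the
# 0.9 series, LOOKUP_CMD=getent.ldap queries nslcd directly instead
# (assumed here to take the same "passwd NAME" arguments).
LOOKUP_CMD=${LOOKUP_CMD:-getent}

# Stage 1: liveness. "nslcd -c" succeeds while the pidfile lock is held.
nslcd_alive() {
    nslcd -c >/dev/null 2>&1
}

# Stage 2: function. Resolve one account that exists only in the
# directory and confirm the reply is a passwd entry for that exact name.
nslcd_resolves() {
    user=$1
    entry=$("$LOOKUP_CMD" passwd "$user" 2>/dev/null) || return 1
    [ "${entry%%:*}" = "$user" ]   # first colon-separated field is the name
}

# $1 = probe account name (hypothetical; pick one not in /etc/passwd).
check_nslcd() {
    user=$1
    if ! nslcd_alive; then
        echo "CRITICAL: nslcd is not running (pidfile not locked)"
        return 2
    fi
    if ! nslcd_resolves "$user"; then
        echo "CRITICAL: nslcd is running but lookup of '$user' failed"
        return 2
    fi
    echo "OK: nslcd is running and '$user' resolves"
    return 0
}
```

Source the file and call `check_nslcd probeuser` from the monitoring agent. With plain getent a cached nscd answer can hide a failing nslcd, which is the reason to set LOOKUP_CMD=getent.ldap where it is available.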