lists.arthurdejong.org

Re: Naming service daemon check is extremely chatty


On Fri, 2014-08-15 at 01:34 -0400, Subu Ayyagari wrote:
> We are using the daemon check ( nslcd -c ) to monitor the service.
> 
> But what we find is this is extremely chatty. It actually queries
> every account and returns success in the end.

The nslcd -c option should only check all local accounts when using the
nss_initgroups_ignoreusers alllocal option.

> Additionally it discards any local caching (nscd) and checks all
> accounts all over again - depending on monitoring frequency.

nscd only does caching for a number of lookups. The get all users lookup
(if alllocal is used) is not cached by nscd.

You can use nslcd -c to check whether the daemon is supposed to be
running. On start-up nslcd locks the pidfile and this is what nslcd -c
checks. If the process dies, the lock is cleared by the kernel so this
should be reliable.

If you want to know whether the service performs as expected, you should
probably do a lookup (e.g. getent passwd someuser) and look at the
results. The 0.9 series includes a getent.ldap command that can be used
to query nslcd directly bypassing the NSS layer (and nscd).

If you don't use nss_initgroups_ignoreusers I would be interested in
your configuration.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
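
The two kinds of check described in the reply above (liveness via `nslcd -c`, function via a single lookup) can be combined in one monitoring probe. The script below is an added example, not part of the original message or of nss-pam-ldapd; the function name `check_nslcd`, the `NSLCD_BIN`, `GETENT_BIN` and `LOOKUP_TIMEOUT` variables and the Nagios-style exit codes are assumptions.

```shell
#!/bin/sh
# Added example: two-stage nslcd health check (0 = OK, 2 = CRITICAL).
# The *_BIN / LOOKUP_TIMEOUT variables and the function name are assumptions.

NSLCD_BIN=${NSLCD_BIN:-nslcd}
# Set GETENT_BIN=getent.ldap (0.9 series) to query nslcd directly,
# bypassing the NSS layer and nscd.
GETENT_BIN=${GETENT_BIN:-getent}
LOOKUP_TIMEOUT=${LOOKUP_TIMEOUT:-5}   # seconds

# check_nslcd USER: USER should exist only in LDAP; an account that is also
# in /etc/passwd can be answered from local files and proves nothing.
check_nslcd() {
    user=$1
    rc=0

    # Stage 1, liveness: nslcd -c tests the lock held on the pidfile.
    if ! "$NSLCD_BIN" -c >/dev/null 2>&1; then
        echo "CRITICAL: nslcd not running (nslcd -c failed)"
        return 2
    fi

    # Stage 2, function: one lookup of one account, bounded in time
    # so a hung LDAP server cannot hang the monitoring agent.
    if command -v timeout >/dev/null 2>&1; then
        entry=$(timeout "$LOOKUP_TIMEOUT" "$GETENT_BIN" passwd "$user" 2>/dev/null) || rc=$?
    else
        entry=$("$GETENT_BIN" passwd "$user" 2>/dev/null) || rc=$?
    fi

    if [ "$rc" -eq 124 ]; then
        echo "CRITICAL: lookup of $user timed out after ${LOOKUP_TIMEOUT}s"
        return 2
    elif [ "$rc" -ne 0 ]; then
        echo "CRITICAL: lookup of $user failed (exit $rc)"
        return 2
    fi

    # A successful exit must also return the entry that was asked for.
    case $entry in
        "$user":*) echo "OK: nslcd running, $user resolved"; return 0 ;;
        *) echo "CRITICAL: unexpected entry for $user"; return 2 ;;
    esac
}
```

Source the file from the monitoring agent and call `check_nslcd someuser`; the probe performs one lookup per run instead of enumerating accounts.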