Re: [nssldap] lookup delay using nss_ldap with Active Directory

["Douglas E. Engert" <deengert [at] anl.gov>]

Prentice Bisbal wrote:
> Klaus Steinberger wrote:
> > Hi Jonathan,
> >
> > > > Are you also using nscd? We have run into issues with nscd timing out,
> > > > then
> > > > the command like id will try the ldapsearch itself.
> > > No, nscd is not being used anywhere in my environment, at least as far
> > > as I can
> > > tell:
> > >
> > > $ /etc/init.d/nscd status
> > > nscd is stopped
> > You should definitly give nscd a try. Caching is essential. It makes a big
> > difference.
>
> I disagree. Caching is only necessary when your server can't keep up
> with the workload, which will happen in large environments, or with slow
> servers.

I agree that caching is essential and that ncsd has problems. If you don't do
caching, every ls -l command will be doing ldap searches to map a uidNumber
to a name. In addition to the client overhead the servers could get swamped
as well.


> nscd is not a very reliable piece of code. From my own experience, when
> a server goes down, nscd won't always failover to another server
> properly. Turning of nscd  has fixed this problem in the past. I also
> had a couple of other problems where entire system were rendered useless
> because nscd locked up, preventing anyone other than root from logging in.

I also agree that nscd has some issues and the authors have been accepting
bug reports. One issue was with using too many sockets, which was basically
caused by the nss-ldap code. See the thread:
"[nssldap] libnss_ldap leaks memory - causes nscd to grow" March. 2010

> But don't take just my word for it. nscd is so unreliable, the
> developers saw the need to add the "paranoia"  and "restart" features.
> > From the nscd.conf man page:
>
> paranoia <yes|no>
>     Enabling paranoia mode causes nscd to  restart itself periodically.
>
> restart-interval time
>     Sets the restart interval to time seconds if periodic restart is
> enabled by enabling paranoia mode.
>
> Any well-behaved piece of code wouldn't need such features.

True, but in defense, nscd ends up using many other libraries any one
of which could cause a problem: libnss-*, OpenLDAP, GnuTLS, OpenSSL,
Kerberos, Sasl... Restarting is a way to clean up any mess from any of these
libs too.

> Now for a disclaimer: I do run nscd myself, because it's a good
> practice. However, when otherwise healthy systems lock up because of one
>  basic daemon, or failover to another server doesn't work as advertised,
> it can be very frustrating. Where I work, we are considering turning of
> nscd on all of our systems due to a recent series of problems that were
> all traced back to nscd.

Sounds familiar... but with tuning, and a cron job to restart nscd things
are much better.

> > > Is it possible that it is an indexing issue with Active Directory? Have
> > > other people had to make modifications to the Active Directory Schema to
> > > index additional attributes, such as "uid", "member" or "objectclass"?
> > An index on uid, member, uidNumber, gidNumber would help.
> >
> > Sincerly,
> > Klaus

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444