Re: [nssldap] lookup delay using nss_ldap with Active Directory

[Raphaël RIGNIER <rignier [at] cpe-chartreux.com>]

> > Hi Brett, Thanks again for your suggestions.  I should have thought 
> > to turn on
> > debugging sooner!  I was looking into MTU and reading the ChangeLogs 
> > and trying
> > some other setting modifications, all to no avail.
> >
> > > 2. I vaguely remember having to enable or disable referrals in LDAP 
> > > client
> > > /etc/ldap.conf (I can't remember which, I'll check when I get home)
> >
> > I'm not very familiar with LDAP referrals, but turning them off has 
> > fixed my
> > problems!
> >
> > When I turned on debugging, I saw a bunch of these messages being 
> > displayed when
> > referrals were on (which they were by default).
> >
> > Unable to chase referral
> > "ldap://ForestDnsZones.production.domain.com/DC=ForestDnsZones,DC=production,DC=domain,DC=com" 
> >
> > (-1: Can't contact LDAP server)
> > Unable to chase referral
> > "ldap://DomainDnsZones.production.domain.com/DC=DomainDnsZones,DC=production,DC=domain,DC=com" 
> >
> > (-1: Can't contact LDAP server)
> >
> > Turning off referrals seems to make everything work as expected.  
> > I'll keep an
> > eye on the CPU usage levels on the servers and test nscd if I think 
> > caching
> > becomes necessary.
> >
> > Thanks everyone!
> > --
> > Jonathan
> > --------------------------------------------------------------------------------------- 
> >
> > Orange vous informe que cet  e-mail a ete controle par l'anti-virus 
> > mail. Aucun virus connu a ce jour par nos services n'a ete detecte.
> Hello, like you , I use AD (2k3 R2), nss_ldap, and pam_krb5,samba for 
> my file servers hosting home directories and roaming profiles.
> Our school environement is quite big : root Ad forest with 4 child 
> domains and sites, and about 3000 user objects and 500 computer objects.
> It was a way to have same files for users on windows workstation via 
> samba or Linux workstations via NFS.
> Unix attributes (uids,gids,home directories) are stored directly in AD 
> (possible since R2) and readable by nss_ldap.
> For the binding DN, I use a pre windows 2000 member user who can read 
> all Ad's attributes.
>
> The tip is to use AD Global's catalog on port 3268 instead of domain 
> LDAP via port 389. GC is a "flattened" ldap view of the forest which 
> gets rid of cross reference membership 
> http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx.
>
> - I use the "member" attribute for mapping instead of "memberof", only 
> primary group is necessary. I have also manually added 
> audio,plugdev,floppy.... groups in AD with corresponding gid for our 
> debian/ubuntu workstations, and directly added concerned users in 
> those ones.
>
> Some missing attributes in GC could be added via schemas config msc 
> but I don't remeber if it is necessary for default use.
>
> This solution works for years now, with nscd, and very happy with it. 
> There were some issue without nscd.
> The important thing is also time synchro because of kerberos. ntpd 
> seems not compatible with Domain controlers so I used ntpdate via cron 
> instead.
>
> "id samaccountname" is responsive "ls -l" also, a bit quicker with nscd.
>
> Raphaël