Re: [nssldap] lookup delay using nss_ldap with Active Directory
Re: [nssldap] lookup delay using nss_ldap with Active Directory
- From: Raphaël RIGNIER <rignier [at] cpe-chartreux.com>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] lookup delay using nss_ldap with Active Directory
- Date: Mon, 17 May 2010 16:31:52 +0200
Hi Brett, Thanks again for your suggestions. I should have thought to turn on debugging sooner! I was looking into MTU and reading the ChangeLogs and trying some other setting modifications, all to no avail.

2. I vaguely remember having to enable or disable referrals in LDAP client /etc/ldap.conf (I can't remember which, I'll check when I get home)

I'm not very familiar with LDAP referrals, but turning them off has fixed my problems!

When I turned on debugging, I saw a bunch of these messages being displayed when referrals were on (which they were by default).

Unable to chase referral "ldap://ForestDnsZones.production.domain.com/DC=ForestDnsZones,DC=production,DC=domain,DC=com" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.production.domain.com/DC=DomainDnsZones,DC=production,DC=domain,DC=com" (-1: Can't contact LDAP server)

Turning off referrals seems to make everything work as expected. I'll keep an eye on the CPU usage levels on the servers and test nscd if I think caching becomes necessary.

Thanks everyone!
--
Jonathan
Hello, like you, I use AD (2k3 R2), nss_ldap, pam_krb5 and samba for my file servers hosting home directories and roaming profiles.

Our school environment is quite big: a root AD forest with 4 child domains and sites, and about 3000 user objects and 500 computer objects. It was a way to have the same files for users on Windows workstations via samba or on Linux workstations via NFS.

Unix attributes (uids, gids, home directories) are stored directly in AD (possible since R2) and readable by nss_ldap. For the binding DN, I use a pre-Windows 2000 member user who can read all of AD's attributes.

The tip is to use AD's Global Catalog on port 3268 instead of domain LDAP via port 389. The GC is a "flattened" LDAP view of the forest which gets rid of cross-reference membership: http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx.

- I use the "member" attribute for mapping instead of "memberof"; only the primary group is necessary. I have also manually added audio, plugdev, floppy, ... groups in AD with corresponding gids for our debian/ubuntu workstations, and directly added the concerned users to those groups.

Some missing attributes in the GC could be added via the schema config msc, but I don't remember if it is necessary for default use.

This solution has worked for years now, with nscd, and I am very happy with it. There were some issues without nscd.

The important thing is also time synchronization, because of Kerberos. ntpd seems not to be compatible with domain controllers, so I used ntpdate via cron instead.

"id samaccountname" is responsive, and "ls -l" also, a bit quicker with nscd.

Raphaël
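As an added illustration (not configuration posted by either writer above), this is how the two points discussed in this thread look in an nss_ldap /etc/ldap.conf: the Global Catalog on port 3268 instead of the domain port, referral chasing switched off, and group membership read from the AD "member" attribute. Hostnames, base DN, bind account and the exact map lines are my assumptions, not values from the thread.

```conf
# /etc/ldap.conf for nss_ldap -- added example; names and DNs are placeholders.

# Query the Global Catalog (3268) rather than the domain partition (389).
# The GC holds a forest-wide, read-only view, so lookups are not answered
# with referrals to partitions such as ForestDnsZones/DomainDnsZones.
#uri ldap://dc1.production.example.com:389/
uri ldap://dc1.production.example.com:3268/
base dc=production,dc=example,dc=com

# AD does not allow anonymous reads, so a bind account is needed. This file
# is world-readable (every NSS client parses it), so use a dedicated account
# with read-only rights and nothing more.
binddn cn=nssreader,cn=Users,dc=production,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD

# Referral chasing is on by default. Against AD it produced the
# "Unable to chase referral ... (-1: Can't contact LDAP server)" stalls
# quoted above; turning it off removes the lookup delay.
referrals no

# Map nss_ldap's expected schema onto AD objects and attributes.
# Group members come from "member" (the attribute the poster uses),
# not from the user's "memberOf".
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member

# Fail quickly instead of hanging every lookup when a DC is unreachable.
bind_policy soft
bind_timelimit 5
timelimit 10
```

Checking the effect is simple: run `id someuser` with and without `referrals no` while nss_ldap debugging is enabled and confirm the "Unable to chase referral" lines disappear and the command returns immediately.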