Bug 54530

Summary: intermittent nss/ldap user lookup failures
Product: [Retired] Red Hat Linux
Reporter: Alex Vorobiev <sasha>
Component: openldap
Assignee: Jay Fenlason <fenlason>
Status: CLOSED CANTFIX
QA Contact: Aaron Brown <abrown>
Severity: high
Priority: high
Version: 7.1
CC: jfeeney
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-10-18 16:23:44 UTC

Description Alex Vorobiev 2001-10-11 14:54:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.3-12 i686)

Description of problem:
Finger, sendmail and getent intermittently fail to look up valid users via
nss_ldap in the openldap database.

Version-Release number of selected component (if applicable):
reproducible on RH 7.0, 7.1, with openldap 2.0.7-14, 2.0.11-8,
and 2.0.15-2, nss_ldap 149-1, 149-4


How reproducible:
Always. On the openldap server machine itself, lookups (via sendmail,
finger, others) fail approximately one in every 3-5 attempts, increasing
with load ?? or the number of connections to the openldap server. Lookups
from clients (remote servers hitting the same openldap server machine) fail
much less frequently, approximately once every 1000 times (roughly).

Steps to Reproduce:
1. Use openldap (any version as described above). Populate a small
   database, around 100 total records, including users and groups.
2. Use start_tls to connect clients to the server (in /etc/ldap.conf).
3. Use finger, getent, or observe sendmail running on the same machine as
   openldap.

Actual Results:  some lookups fail.

getent: the results of running  

# Count down from 49 to 0; the original loop put the decrement in the
# condition slot (for ((x=50; x--; x>0))), which happened to run 49..0.
for ((x=49; x>=0; x--)); do
    echo $x : >> test
    getent passwd sasha >> test
done

49 :
sasha:x:1001:1001:Alex Vorobiev:/home/sasha:/bin/bash
48 :
sasha:x:1001:1001:Alex Vorobiev:/home/sasha:/bin/bash
47 :
46 :
45 :
... and so on.


finger: the results of running
# Same count-down loop as above, printing the iteration before each finger
for ((x=49; x>=0; x--)); do
    echo $x
    finger sasha
done

49
Login: sasha                            Name: Alex Vorobiev
Directory: /home/sasha                  Shell: /bin/bash
Never logged in.
No mail.
No Plan.
48
finger: sasha: no such user.
47
finger: sasha: no such user.
46

...and so on.

sendmail: the results of running:

...   ----- The following addresses had permanent fatal errors -----
sasha
    (reason: 550 5.1.1 User unknown)
...


Expected Results:  lookups should return valid user entries/information

Additional info:
While trying to debug openldap (via slapd.conf or the -d flag) I wasn't able
to find anything meaningful or conclusive. I don't know at which point of the
communication the problem occurs. I attempted to tune openldap as per its
FAQ, to no avail. All common indexes are in place, etc.

Comment 1 Alex Vorobiev 2001-10-11 17:19:14 UTC
Once I remove "ssl start_tls" from /etc/ldap.conf, I can no longer reproduce
the problem. (By the way, I experienced the earlier problem with openssl
0.9.6-9 and 0.9.6b-9 alike.)

This makes me think that the problem is with either openssl, or the way that
nss_ldap or openldap implement TLS or have been compiled...

Comment 2 Alex Vorobiev 2001-10-11 18:00:09 UTC
OK, I lied. Even without the "ssl start_tls" occasional failures still
happen. This one is from sendmail that's running on a dedicated mail server.
It is set up to query an openldap server running on a different machine. Both
are running RH 7.0, openldap 2.0.7-14, nss_ldap 149-1.

from /var/log/maillog:
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: f9BHHHG10261: to=richard, ctladdr=news (8/0), delay=00:26:06, mailer=local, pri=5432737, dsn=5.1.1, stat=User unknown

(news is an alias, richard is a valid user).

Sorry about these numerous submissions to bugzilla. I hope they are helpful
in resolving this.

--sasha
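
The two checks below are an added example for readers of this bug, not code from
the reporter or from Red Hat. They turn the reporter's ad-hoc getent loop
(Description) and the nss_ldap "could not get LDAP result" lines from
/var/log/maillog (Comment 2) into something that can be run and counted: the
first function repeats an NSS lookup and returns how many attempts failed, the
second function reads syslog lines and counts the nss_ldap connection errors,
and the third lists which process IDs hit them. The sample log is constructed
from the lines quoted in Comment 2 plus one made-up successful delivery (pid
10270 and its queue ID are invented); the function names and the optional
LOOKUP_CMD parameter are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): checks for diagnosing
# intermittent nss_ldap lookup failures.

# count_lookup_failures USER [ITERATIONS] [LOOKUP_CMD]
# Repeats a name-service lookup and prints the number of failed attempts.
# A lookup counts as failed when the command exits non-zero or prints
# nothing, which is exactly what the reporter's getent loop showed.
# LOOKUP_CMD defaults to "getent passwd"; pass "getent group" or "id" to
# exercise other NSS maps through the same nss_ldap path.
count_lookup_failures() {
  user=$1
  iterations=${2:-50}
  lookup=${3:-"getent passwd"}
  failures=0
  i=0
  while [ "$i" -lt "$iterations" ]; do
    # Empty output and non-zero exit both mean the user was not resolved.
    if ! $lookup "$user" 2>/dev/null | grep -q .; then
      failures=$((failures + 1))
      # Timestamps on stderr let failures be lined up against slapd's log.
      echo "$(date '+%H:%M:%S') attempt $i: lookup of $user failed" >&2
    fi
    i=$((i + 1))
  done
  echo "$failures"
}

# count_nss_ldap_errors reads syslog/maillog lines on stdin and prints how
# many "could not get LDAP result" errors nss_ldap logged. If this count
# tracks the failure count from count_lookup_failures, the failures are
# connection-level (the client gave up on the server), not missing entries.
count_nss_ldap_errors() {
  grep -c 'nss_ldap: could not get LDAP result' || :
}

# affected_pids reads the same lines and prints each distinct process ID
# that logged the error, one per line, to show how widely it was felt.
affected_pids() {
  sed -n 's/^.*\[\([0-9][0-9]*\)\]: nss_ldap: could not get LDAP result.*$/\1/p' | sort -u
}

# Constructed sample log: the three lines quoted in Comment 2 plus one
# invented successful delivery from a different sendmail process.
SAMPLE_MAILLOG=$(cat <<'EOF'
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: f9BHHHG10261: to=richard, ctladdr=news (8/0), delay=00:26:06, mailer=local, pri=5432737, dsn=5.1.1, stat=User unknown
Oct 11 13:42:30 mailserver sendmail[10270]: f9BHHIG10270: to=sasha, ctladdr=news (8/0), delay=00:00:01, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
EOF
)
```

To use it on a live host, source the file and run `count_lookup_failures sasha 50`
on the LDAP server itself and again on a client, which reproduces the
reporter's comparison of on-server versus remote failure rates; then feed the
matching window of the mail log through `count_nss_ldap_errors` and
`affected_pids` (for example `grep 'Oct 11 13:4' /var/log/maillog | affected_pids`)
to see whether every failed lookup corresponds to a "Can't contact LDAP server"
error rather than a genuine "no such user" answer.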

Comment 3 Bill Nottingham 2006-08-07 19:00:33 UTC
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.

Comment 4 Bill Nottingham 2006-10-18 16:23:44 UTC
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.