Bug 54530
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | intermittent nss/ldap user lookups failures | | |
| Product | [Retired] Red Hat Linux | Reporter | Alex Vorobiev <sasha> |
| Component | openldap | Assignee | Jay Fenlason <fenlason> |
| Status | CLOSED CANTFIX | QA Contact | Aaron Brown <abrown> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 7.1 | CC | jfeeney |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | i386 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2006-10-18 16:23:44 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Alex Vorobiev):

From Bugzilla Helper: User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.3-12 i686)

Description of problem: Finger, sendmail and getent intermittently fail to look up valid users via nss_ldap in the openldap database.

Version-Release number of selected component (if applicable): reproducible on RH 7.0 and 7.1, with openldap 2.0.7-14, 2.0.11-8 and 2.0.15-2, nss_ldap 149-1 and 149-4.

How reproducible: Always. On the openldap server machine itself the lookup failure rate (via sendmail, finger, others) is approximately one in every 3-5, increasing with load ?? or the number of connections to the openldap server. Lookups from clients (remote servers hitting the same openldap server machine) fail much less frequently, approximately once every 1000 times (roughly).

Steps to Reproduce:
1. Use openldap (any version as described above). Populate a small database, around 100 total records, including users and groups.
2. Use start_tls to connect clients to the server (in /etc/ldap.conf).
3. Use finger, getent, or observe sendmail running on the same machine as openldap.

Actual Results: some lookups fail.

getent: the results of running

```
for ((x=50; x--; x>0)); do
  echo $x : >> test
  getent passwd sasha >> test
done
```

```
49 : sasha:x:1001:1001:Alex Vorobiev:/home/sasha:/bin/bash
48 : sasha:x:1001:1001:Alex Vorobiev:/home/sasha:/bin/bash
47 :
46 :
45 :
```

... and so on.

finger: the results of running

```
for ((x=50; x--; x>0)); do
  echo $x
  finger sasha
done
```

```
49
Login: sasha                            Name: Alex Vorobiev
Directory: /home/sasha                  Shell: /bin/bash
Never logged in.
No mail.
No Plan.
48
finger: sasha: no such user.
47
finger: sasha: no such user.
46
```

... and so on.

sendmail: the results of running: ...

```
----- The following addresses had permanent fatal errors -----
sasha
    (reason: 550 5.1.1 User unknown)
```

...

Expected Results: lookups should return valid user entries/information.

Additional info: while trying to debug openldap (via slapd.conf or the -d flag) I wasn't able to find anything meaningful or conclusive. I don't know at which point of the communication the problem occurs. I attempted to tune openldap as per its FAQ, to no avail. All common indexes are in place, etc.

Comment (Alex Vorobiev):

Once I remove "ssl start_tls" from /etc/ldap.conf, I can no longer reproduce the problem. (By the way, I experienced the earlier problem with openssl 0.9.6-9 and 0.9.6b-9 alike. This makes me think that the problem is with either openssl, or the way that nss_ldap or openldap implement TLS or have been compiled...)

OK, I lied. Even without the "ssl start_tls" occasional failures still happen. This one is from sendmail that's running on a dedicated mail server. It is set up to query an openldap server running on a different machine. Both are running RH 7.0, openldap 2.0.7-14, nss_ldap 149-1. From /var/log/maillog:

```
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: f9BHHHG10261: to=richard, ctladdr=news (8/0), delay=00:26:06, mailer=local, pri=5432737, dsn=5.1.1, stat=User unknown
```

(news is an alias, richard is a valid user.) Sorry about these numerous submissions to Bugzilla. I hope they are helpful in resolving this. --sasha

Comment (Red Hat):

Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. Note that any bug still open against Red Hat Linux will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.

Comment (Red Hat):

Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Closing as CANTFIX.
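As an added example, not part of the bug report, here is a small Python triage script for the situation the maillog excerpt shows: it marks a "User unknown" bounce as suspect when the same sendmail process logged an nss_ldap lookup failure just before it, which is how a valid user ends up refused while the directory is flapping. The sample log is constructed after the excerpt (the first three lines are the reporter's, the remaining queue IDs and recipients are invented for contrast).

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the /var/log/maillog excerpt in the report:
# the first three lines are the reporter's, the rest are made up for contrast.
SAMPLE_LOG = """\
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:42:27 mailserver sendmail[10261]: f9BHHHG10261: to=richard, ctladdr=news (8/0), delay=00:26:06, mailer=local, pri=5432737, dsn=5.1.1, stat=User unknown
Oct 11 13:45:02 mailserver sendmail[10300]: f9BHJ3G10300: to=bob, ctladdr=alice (8/0), delay=00:00:01, mailer=local, pri=30000, dsn=5.1.1, stat=User unknown
Oct 11 13:46:10 mailserver sendmail[10311]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Oct 11 13:46:10 mailserver sendmail[10311]: f9BHKAG10311: to=carol, ctladdr=dave (8/0), delay=00:00:02, mailer=local, pri=31000, dsn=2.0.0, stat=Sent
"""

# syslog prefix "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NSS_ERR = "nss_ldap: could not get LDAP result"
# sendmail per-recipient delivery record: "<queue id>: to=<rcpt>, ..., stat=<status>"
DELIVERY_RE = re.compile(r"^(?P<qid>\w+): to=(?P<to>[^,]+),.*\bstat=(?P<stat>.+)$")


def classify_bounces(log_text):
    """Split 'User unknown' bounces into (suspect, genuine): a bounce is suspect
    when the same sendmail process logged an nss_ldap lookup failure just before
    it, so the recipient may exist and the refusal may be a failed lookup."""
    pending = defaultdict(int)  # pid -> nss_ldap errors since its last delivery record
    suspect, genuine = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("prog") != "sendmail":
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith(NSS_ERR):
            pending[pid] += 1
            continue
        d = DELIVERY_RE.match(msg)
        if d is None:
            continue  # some other sendmail message; leave the window open
        errors = pending.pop(pid, 0)  # every delivery record closes the window
        if d.group("stat") != "User unknown":
            continue
        rec = {"qid": d.group("qid"), "to": d.group("to"), "pid": pid, "nss_errors": errors}
        (suspect if errors else genuine).append(rec)
    return suspect, genuine


if __name__ == "__main__":
    suspect, genuine = classify_bounces(SAMPLE_LOG)
    for r in suspect:
        print(f"probable false bounce {r['qid']} to={r['to']}: {r['nss_errors']} nss_ldap error(s) first")
```

Run against a real maillog, the suspect list is the set of deliveries worth re-queueing once the directory is reachable again, and its size over time is a usable measure of the lookup failure rate the report describes.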