486321 – nss_ldap compiled with --enable-paged-results breaks 'getent passwd'

Bug 486321 - nss_ldap compiled with --enable-paged-results breaks 'getent passwd'

Summary: nss_ldap compiled with --enable-paged-results breaks 'getent passwd'

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	nss_ldap
Sub Component:
Version:	5.3
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-02-19 11:31 UTC by Juanjo Villaplana
Modified:	2009-09-02 11:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:	253-18.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-09-02 11:49:30 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2009:1379	0	normal	SHIPPED_LIVE	nss_ldap bug fix update	2009-09-01 11:47:27 UTC

Description Juanjo Villaplana 2009-02-19 11:31:50 UTC

Description of problem:

We have setup /etc/nsswitch.conf and /etc/ldap.conf to get users from our ldap server. Since we upgraded to nss_ldap-253-17.el5, 'getent passwd' is truncated to 1041 lines (41 local users + 1000 ldap users).


Version-Release number of selected component (if applicable):

nss_ldap-253-17.el5


How reproducible:

Always

Steps to Reproduce:
1. getent passwd | wc -l
2. upgrade to nss_ldap-253-17.el5
3. getent passwd | wc -l

  
Actual results:

40447 lines before upgrading, and 1041 after upgrading.


Expected results:

40447 lines before and after upgrading.


Additional info:

Downgrading to nss_ldap-253-13.el5_2.1 gives again 40447 lines.

Disabling --enable-paged-results on nss_ldap-253-17.el5 also makes 'getent passwd | wc -l' return the expected result.

Comment 1 Nalin Dahyabhai 2009-02-19 22:52:32 UTC

Does setting 'nss_paged_results no' in /etc/ldap.conf restore the correct behavior?

Comment 2 Juanjo Villaplana 2009-02-20 07:30:55 UTC

Yes it does.

What is the intended use of nss_paged_results?

Comment 3 Nalin Dahyabhai 2009-02-20 16:44:23 UTC

It adds the paged results control to search requests.  Against certain server implementations (AD in particular), this is the only way to get the complete set of matching entries for a search if the result set would exceed a server-enforced sizelimit.

The server then returns groups of results of up to the size specified as the "pagesize" configuration setting.  But it should never just stop retrieving results.

a) I'm thinking we're going to want to change that default back, so that it
   would need to be explicitly enabled in the configuration.

b) For reference, what type of server are you connecting to?

Comment 4 Juanjo Villaplana 2009-02-20 19:18:45 UTC

Its an OpenLDAP server running on a RHEL 4.7 server (openldap-servers-2.2.13-12.el4).

And may be this setting is related to this client/server behaviour:

    # Maximum number of entries to return from a search operation
    sizelimit 50000

Comment 6 Nalin Dahyabhai 2009-05-18 21:29:43 UTC

Reverting use-paged-results-by-default behavior in 253-18.el5 and later.

Comment 10 errata-xmlrpc 2009-09-02 11:49:30 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1379.html

Note You need to log in before you can comment on or make changes to this bug.