[Date Prev][Date Next] [Chronological] [Thread] [Top]

intermittent nss/ldap user lookup failures on RedHat 7.0, 7.1

i originally reported this problem a couple of days ago as a sendmail/ldap

we experience intermittent failures with user lookups via nss/ldap.
we observe the same problems with RedHat 7.0 or 7.1, openldap-2.0.7 or
2.0.8, and nss_ldap 149 (various releases).

our database is small, only about 100 entries (including users and
groups).  we use "start_tls" between clients and server for our user
authentication.  we created and maintain common indexes, and disabled
logging to avoid the extra disk write overhead.  our server is a PIII
with 1/2 gig of ram running nothing else but openldap.

curiously (i suppose there is a good explanation), the failures are much
more frequent on the ldap server machine itself.  through trial and error
we found that running most other services on the ldap server machine is
impossible.  sendmail rejects messages, finger fails every third time,
and so on.  we have had, however, better luck with machines that are not
running ldap themselves, but perform remote lookups.  we still experience
infrequent failures, but now on the order of 1 in several thousand.

this is still, of course, unacceptable.  surprisingly, i've been unable
to find any references to similar problems anywhere on the net, including
the openldap mailing lists and issue tracking, redhat bugzilla, etc...
with the possible exception of one recent article in securityfocus:
which mentions nss failures with openldap.

any suggestions as to how to tune the ldap server and/or the os further
would be appreciated (we went through the FAQ tuning instructions).
certainly, any workarounds or specific debugging pointers are much

as a side question: while testing 2.0.8 on redhat, we found that,
unlike with 2.0.7, we were no longer able to update user passwords via
"passwd", it would return "Authentication token manipulation error".
at the same time, we were no longer able to log in to accounts created
with ldapadd (which produces a shorter MD5 hash than ldapmodify)...
has anyone had this problem?


sasha, sashaATmathforum.org

----- Forwarded message  -----

>From: Alex Vorobiev <sasha@mathforum.org>
>Subject: ldap/sendmail: 550 5.1.1 ... user unknown intermittent failures
> redhat 7.0
> sendmail-8.11.6
> using ldap (openldap 2.0.7) for user information
> we experience intermittent failures with delivering mail to existing
> accounts.  i can't seem to establish any kind of pattern.  most
> failures are for local mail, meaning that addresses are never fully
> qualified (such as bob, jim, etc.).
> others are failures to deliver mail that comes from the outside.
> all accounts are legit, all exist, the spelling and the case of
> addresses are correct.  the problems are very inconsistent.
> i don't see any errors in the ldap log, nor the system log.  i ran a
> stress-test, mailing dozens of messages to a user account.  one out of
> thirty or so would fail with the "550 5.1.1 ... user uknown" error
> message.  i am guessing that under a certain load (volume of mail)
> ldap lookup queries simply fail.
> has anyone experienced this problem?  is there a work-around, sendmail
> or ldap tuning that would resolve this problem?
> any help would be appreciated,
> thanks,
> --sasha sashaATmathforum.org

----- End forwarded message -----