public inbox for gentoo-dev@lists.gentoo.org
From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
Date: Mon, 29 Oct 2007 06:03:41 -0700
Message-ID: <20071029130341.GT22369@curie-int.orbis-terrarum.net>
In-Reply-To: <20071022195659.GB8767@bart.bs.l>


On Mon, Oct 22, 2007 at 09:56:59PM +0200, Bertram Scharpf wrote:
> Hi,
> 
> Am Montag, 22. Okt 2007, 15:30:59 +0200 schrieb Michael Hanselmann:
> > On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > > information for ldap via nss_ldap.
> > 
> > Yes, it does. Therefore, use something like the following line in
> > /etc/ldap.conf:
> > 
> >   nss_initgroups_ignoreusers root,ldap,cron,portage 
> 
> Ah, I did not know this yet. I see the problem in whole is
> more complicated.
> 
> Even though Alec enters caveats I will use the ignore
> solution for now. What was troubling me was that I didn't
> know what was going on at all.
I was busy with other things, so I didn't get to this.

It's not unique to Gentoo, but rather it is more apparent on Gentoo
because of how users do things. 

The RHEL documentation on LDAP server (mind you, I last read it before
they did their own Fedora Directory Server) had big warnings about not
using nss_ldap on the machine that housed your slapd.

Secondly, the glibc NSS lookup for a numeric UID has a nasty bit in it:
for S in NSS-sources:
	lookup for U in the numeric column
	if found, return.
	lookup for U in the key column (pw_name)
	if found, return.

Doing the "U is a member of which groups" lookup is even worse, since it
doesn't break out of the loop as soon as possible (hence why the
initgroups_ignoreusers setting is important).

Now if you are doing a lookup for a non-existent numeric UID, this means
that you hit the files backend twice, and the LDAP backend twice.

If slapd is not available (either because it is local and not started
yet, OR because networking is not available yet), the LDAP lookups will
time out. The Gentoo stock /etc/ldap.conf that powers nss_ldap has
settings that try to minimize the cost of the timeouts, using a
timeout of 15 seconds per lookup.

I discussed this previously with Uberlord, I can't recall the bug #.
The net of it is that _every_ UID and GID used (and yes, even doing an
ls can hit them!) must be present in the core system data, or the
timeout penalty must be paid for each lookup.

It's easy to fall foul of this. Somewhere around, there was a NSS module
that just logged every lookup instead of performing them, and it is
astounding how many lookups take place during boot.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

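Editor's note, not part of Robin's mail: the model below is an added example that follows the lookup behaviour described in the message (per NSS source: numeric column first, then the key column, returning on the first hit; the initgroups walk consulting every source; a 15-second timeout per query against an slapd that is not answering) and adds the check the last paragraphs call for, an audit of which UIDs/GIDs in use are not resolvable from the local files and therefore pay the LDAP timeout on every lookup. The /etc/passwd and /etc/group contents, the user list passed to nss_initgroups_ignoreusers and the "used" IDs are constructed; this is not glibc or nss_ldap code, and the exact number of round trips real nss_ldap performs may differ from this model.

```python
"""Model of the NSS lookup behaviour described in the mail above, plus an
audit for the "every UID/GID used must resolve locally" rule.

Added example: not code from the mail, glibc or nss_ldap. The lookup order
and the 15-second per-lookup timeout follow the mail; all data is constructed.
"""
from dataclasses import dataclass, field

# Constructed /etc/passwd and /etc/group content (not from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
ldap:x:439:439:added by portage for openldap:/var/lib/openldap:/sbin/nologin
portage:x:250:250:portage:/var/tmp/portage:/bin/false
"""
GROUP = """root:x:0:
wheel:x:10:root
ldap:x:439:
portage:x:250:portage
"""

LDAP_TIMEOUT = 15.0  # seconds per lookup, the value the mail quotes for /etc/ldap.conf


@dataclass
class FilesSource:
    """The 'files' NSS backend: answers from the local tables at no cost."""
    name: str = "files"
    passwd: dict = field(default_factory=dict)   # pw_name -> (uid, gid)
    groups: dict = field(default_factory=dict)   # gr_name -> (gid, members)
    cost: float = 0.0

    @classmethod
    def parse(cls, passwd_text, group_text):
        src = cls()
        for line in passwd_text.splitlines():
            name, _pw, uid, gid, *_ = line.split(":")
            src.passwd[name] = (int(uid), int(gid))
        for line in group_text.splitlines():
            name, _pw, gid, members = line.split(":")
            src.groups[name] = (int(gid), set(filter(None, members.split(","))))
        return src

    def by_uid(self, uid):
        return next((n for n, (u, _g) in self.passwd.items() if u == uid), None)

    def by_name(self, key):
        # The "key column" probe the mail describes: the numeric UID is
        # looked up again as if it were a pw_name.
        return key if str(key) in self.passwd else None

    def groups_of(self, user):
        return {n for n, (_g, members) in self.groups.items() if user in members}


@dataclass
class UnreachableLdapSource:
    """An nss_ldap backend whose slapd is not (yet) answering: every query
    burns the full timeout and returns nothing."""
    name: str = "ldap"
    cost: float = LDAP_TIMEOUT

    def by_uid(self, uid):
        return None

    def by_name(self, key):
        return None

    def groups_of(self, user):
        return set()


def getpwuid(uid, sources):
    """Numeric UID lookup as the mail describes it: per source, probe the
    numeric column, then the key column, return on the first hit.
    Returns (name_or_None, seconds_spent, probes_per_source)."""
    seconds, hits = 0.0, {}
    for src in sources:
        for probe in (src.by_uid, src.by_name):
            seconds += src.cost
            hits[src.name] = hits.get(src.name, 0) + 1
            found = probe(uid)
            if found is not None:
                return found, seconds, hits
    return None, seconds, hits


def initgroups(user, sources, ignoreusers=frozenset()):
    """Group-membership walk: every source is consulted (no early exit),
    except that users listed in nss_initgroups_ignoreusers skip non-files
    sources. Returns (group_names, seconds_spent)."""
    seconds, groups = 0.0, set()
    for src in sources:
        if src.name != "files" and user in ignoreusers:
            continue
        seconds += src.cost
        groups |= src.groups_of(user)
    return groups, seconds


def audit_local_ids(files, used_uids, used_gids):
    """IDs seen on the system (file owners, daemon users, ...) that the local
    tables cannot resolve; each pays the LDAP timeout until slapd is up."""
    local_uids = {u for u, _g in files.passwd.values()}
    local_gids = {g for g, _m in files.groups.values()}
    return sorted(set(used_uids) - local_uids), sorted(set(used_gids) - local_gids)


if __name__ == "__main__":
    files = FilesSource.parse(PASSWD, GROUP)
    sources = [files, UnreachableLdapSource()]
    print(getpwuid(0, sources))      # found in files, no LDAP cost
    print(getpwuid(1234, sources))   # unknown UID: 2 files probes, 2 LDAP probes, 30s
    print(initgroups("root", sources, ignoreusers={"root", "ldap", "cron", "portage"}))
    print(audit_local_ids(files, used_uids=[0, 250, 1234], used_gids=[0, 10, 4711]))
```

Run against the constructed tables, an unknown numeric UID costs two full LDAP timeouts while slapd is down, and root's initgroups walk costs one more unless root is in nss_initgroups_ignoreusers; the audit lists the IDs that would keep paying that price, which is the list to add to the local files.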

Thread overview: 17+ messages
2007-10-22 12:12 [gentoo-dev] Slapd calls nss_ldap before opening its ports Bertram Scharpf
2007-10-22 12:44 ` Benjamin Smee
2007-10-22 12:56   ` Bertram Scharpf
2007-10-22 15:48     ` Alec Warner
2007-10-22 19:50       ` Bertram Scharpf
2007-10-22 13:30 ` Michael Hanselmann
2007-10-22 15:47   ` Alec Warner
2007-10-22 19:56   ` Bertram Scharpf
2007-10-29 13:03     ` Robin H. Johnson [this message]
2007-10-29 11:45 ` Mike Frysinger
2007-10-29 12:15   ` Bertram Scharpf
2007-10-29 12:47     ` Mike Frysinger
2007-10-29 12:57       ` Bertram Scharpf
2007-10-29 16:41         ` Mike Frysinger
2007-10-29 17:39           ` Bertram Scharpf
2007-10-29 19:22             ` Chris Gianelloni
2007-10-29 20:41               ` Josh Saddler