
List:       pamldap
Subject:    [pamldap] Problem with large-ish groups
From:       Chris Strasburg <cstras () ameslab ! gov>
Date:       2003-01-31 17:21:56

I've run into a problem with groups having member counts > ~50 users.  When I 
do an id -Gn <username> the smaller groups are id'd correctly, but the larger 
ones come back with:

id: cannot find name for group ID <number>

A tcpdump of the traffic shows the ldap search returning the group including 
its gid, member list, and cn.  After turning on debugging output in nss_ldap, 
the search appears to complete successfully, but the parser returns a -2 
(TRYAGAIN).  I noticed that this can be caused by using too small a buffer to 
store the entry, right?  The initial buffer size is 1k and I haven't seen any 
indication that the lookup is tried again with a larger buffer size.  The 
only other thing I have considered is a timeout value set too small.  It 
would surprise me, however, if groups of this size would trip any reasonable 
timeout check.

Maybe I'm missing something obvious, but any help would be appreciated!

Here are my versions and some debugging output.  If more information is 
desired (i.e. ldap.conf, tcpdump output) please let me know!

OS: RedHat Linux 8.0
nss_ldap rpm version: nss_ldap-198-3
LDAP backend: NDS e-dir 8.5
openldap libs: 2.0.25-1

Debugging output for unsuccessful group lookup:
-----
nss_ldap: ==> _nss_ldap_getbyname (with buffer length 1024)
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectclass=posixGroup)(gidNumber=1082))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: ==> _nss_ldap_dn2uid
8>----- snip: many of these ------<8
nss_ldap: <== _nss_ldap_dn2uid
nss_ldap: :== do_parse_s: Got -2 from parser
nss_ldap: <== do_parse_s
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
id: cannot find name for group ID 1082
-----
Debugging output for successful group lookup:
-----
ss_ldap: ==> _nss_ldap_getbyname (with buffer length 1024)
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectclass=posixGroup)(gidNumber=1078))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: ==> _nss_ldap_dn2uid
nss_ldap: <== _nss_ldap_dn2uid
nss_ldap: ==> _nss_ldap_dn2uid
nss_ldap: <== _nss_ldap_dn2uid
nss_ldap: ==> _nss_ldap_dn2uid
nss_ldap: <== _nss_ldap_dn2uid
nss_ldap: :== do_parse_s: Got 1 from parser
nss_ldap: <== do_parse_s
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname (status = 1)
-----
Chris Strasburg
Ames Laboratory, US DOE
cstras@ameslab.gov
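
Added example, not part of the original message and not nss_ldap or glibc code: a sketch of the buffer contract the post asks about, where a parser that cannot fit an entry into the caller's buffer reports -2 with ERANGE and the caller is expected to retry with a larger buffer. The names toy_parse_group, lookup_with_retry and PER_MEMBER, and the per-member cost, are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Status values as printed in the debug output above. */
enum { ST_TRYAGAIN = -2, ST_SUCCESS = 1 };
#define PER_MEMBER 16 /* constructed cost: 8-byte name + pointer slot */

/* Hypothetical stand-in for a module's group parser: packs constructed
 * member names into the caller's buffer, or reports TRYAGAIN + ERANGE. */
static int toy_parse_group(unsigned nmembers, char *buf, size_t buflen,
                           int *errnop)
{
    size_t used = 0;
    for (unsigned i = 0; i < nmembers; i++) {
        if (used + PER_MEMBER > buflen) {
            *errnop = ERANGE;          /* entry does not fit */
            return ST_TRYAGAIN;
        }
        snprintf(buf + used, 8, "user%03u", i % 1000u);
        used += PER_MEMBER;
    }
    return ST_SUCCESS;
}

/* Caller side: on TRYAGAIN + ERANGE double the buffer, up to max.
 * *final_len and *retries record what the lookup needed. */
static int lookup_with_retry(unsigned nmembers, size_t initial, size_t max,
                             size_t *final_len, int *retries)
{
    size_t len = initial;
    *retries = 0;
    for (;;) {
        char *buf = malloc(len);
        if (!buf) return ST_TRYAGAIN;
        int err = 0;
        int st = toy_parse_group(nmembers, buf, len, &err);
        free(buf);
        *final_len = len;
        if (st != ST_TRYAGAIN || err != ERANGE || len * 2 > max)
            return st;
        len *= 2;
        (*retries)++;
    }
}

int main(void)
{
    size_t n; int r;
    int st = lookup_with_retry(200, 1024, 65536, &n, &r);
    printf("status=%d buffer=%zu retries=%d\n", st, n, r);
    return 0;
}
```

Calling lookup_with_retry with max equal to the initial 1024 bytes models a caller that never enlarges the buffer: the -2 is returned to the caller unchanged.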

