Good evening guys,

Christian PERRIER [Thu, May 27, 2010 at 07:20:46PM +0200]:
> Are you still experiencing that bug? From your description, this is a
> very handicapping bug and you might either have found a
> workaround...or something else fixed the problem....or maybe you are
> still experiencing it and are mumbling about the lack of
> responsiveness you got from the Debian project on this issue....

I am indeed a bit disappointed about reaction times in Debian, as this bug causes large installations to malfunction and everybody using ldap with Debian will encounter it at some point.

> Apart from all this, I'm not entirely convinced that the bug deserves
> to be "severity: critical". At the minimum, it should be "serious" as
> it doesn't "break other software or introduces a security hole".

Well, making the whole system unusable feels into that category from my point of view. But anyway, let's not focus on such formal stuff.

Getting back to Arthur's comment,

Arthur de Jong [Thu, May 27, 2010 at 09:20:03PM +0200]:
> On Thu, 2010-05-27 at 19:20 +0200, Christian PERRIER wrote:
> > First of all, let me add a disclaimer: I am *not* the maintainer of
> > libnss-ldap nor do I have much clue about LDAP auth and even that
> > package.
>
> Let me then also add my comments (I'm also not the maintainer of
> libnss-ldap but I'm the one for libnss-ldapd).
>
> I think you should give libnss-ldapd a try, especially if you are using
> SSL/TLS or Kerberos. That package does LDAP queries in a separate
> process space and has a much more maintainable code base. It is also
> available in lenny and should be very stable.

Will do, have had it on my radar for some time.

> Anyway, going over the bugreport (and #541188) I find this a bit odd
> (/etc/nsswitch.conf):
>
> passwd: files ldap [UNAVAIL=return]
> group: files ldap [UNAVAIL=return]

That was a try to remove the nasty startup problems caused by udev, which queries for non-existent system (=passwd) users and thus slows down the bootup dramatically. But to make debuggers happy, I've removed the options for a long time in production mode.

> I think the expressions between brackets are only really useful between
> different lookup methods. Another thing that could be causing it is
> nscd. It has been known to give problems in some cases.

And coming to the point: Yes, it is nscd.

nscd is completely broken and should be replaced with unscd as soon as possible, also stated on http://www.nico.schottelius.org/blog/nscd-bugs/. There's a stale open bug (#513305) available for that and I think it's a real must for squeeze to integrate.

To explain a bit better:

* ldap queries are slow (ls -lR takes much longer using ldap for name lookups)
* ldap servers here are getting requests from hundreds or even thousands of machines
* Thus every machine is required to run a local cache

Currently we're adding unscd from our own debian archive, but everybody with large scale installations will need to redo that and also to create a more recent package.

So from my point of view you can close this bug - time is better spent on unscd.

Cheers,

Nico

--
New PGP key: 7ED9 F7D3 6B10 81D7 0EC5 5C09 D7DC C8E4 3187 7DF0
Please resign, if you signed 9885188C or 8D0E27A4.
Currently moving *.schottelius.org to http://www.nico.schottelius.org/ ...