Putting this back on list since it may be relevant. On 24 February 2011 15:16, Dimitri Maziuk <dmaz...@bmrb.wisc.edu> wrote: > On 2/24/2011 1:55 AM, Brett Delle Grazie wrote: >> >> Hi, > >> Timeouts (connect, bind and retry count) can also be specified in >> ldap.conf. >> Can you use a caching daemon (nscd or preferably nslcd) to avoid your ls >> -l >> problem? > > Yes and yes. However, > a) you can't set timeouts below tcp timeouts (well, you can, but it doesn't > make sense), and the latter are set system-wide. Reducing them will affect > every tcp/ip application, which may or may not cause problems. > b) The problem with cache is consistency. It works great when nothing ever > changes, when e.g. someone changes their password, the caches have to be > invalidated all over the place. Which is not how it works. You can reduce > retention intervals, but then you're back to square 1.
I don't think you can get around this without caching of some sort - NSCD / NSLCD both have Time To Live (TTL) values for positive and negative results. 1) I cache only group and passwd information (i.e. user IDs, group IDs), never shadow or hosts (see below)/ 2) I purposefully disable permanent caching (in memory only, restart clears cache). 3) TTL for positive results I set to 5 minutes, negative to 1 minute YMMV. This solution means you're at most 5 minutes away from being able to login with a newly created user. While at the same time reducing network traffic and load on LDAP directory. For DNS, I'd consider a local caching resolver that correctly honours TTLs. > > Irix and solaris come with nscd enabled by default (on irix it's called > something else). On both systems I had to manually restart nscd after a dns > change (record updated or deleted), a password change, locking user account, > etc., every time. As I indicated - I disable the 'hosts' cache for this very reason. DNS is one of those things you don't want local caching without properly honouring TTL values - and NSCD is notorious for bugs / issues / problems with its hosts and shadow caching capabilities. Admittedly ... things should have improved with more recent versions but I haven't been tempted to check. > > We had problems ("shell freezes") with one-server openldap setup after > initial ldap migration. 2nd server didn't help, but switching to > active/passive "R1" cluster did. For roughly the same amount of setup as 2 > servers with syncrepl and fine-tuning tcp parameters. Most likely just caching passwd / group with low fixed TTL values (5 min +ve, 1min -ve) would resolve this. Good luck. > > Dima > -- Best Regards, Brett Delle Grazie _______________________________________________ Linux-HA mailing list Linux-HA@lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha See also: http://linux-ha.org/ReportingProblems