Comment 14 for bug 253937

Etienne Goyer (etienne-goyer-outlands) wrote : Re: [Bug 253937] Re: Local login fails without LDAP server

Derek Simkowiak wrote:
> In my opinion this is an important bug. One of the major reasons for
> using LDAP+nss is for high availability in corporate networks... and
> this bug breaks that completely.

You are starting from a wrong assumption: using nss_ldap will not
provide you with any type of high availability. In fact, it may have
the opposite effect, as authentication becomes dependent on the
availability of the network and of the LDAP directory service.

That being said, the bug is not really one; it is more of an
architectural shortcoming. And it is not specific to Ubuntu: any Unix
(including pretty much every other Linux distribution) that implements
NSS as a stateless library is bound to have the same problem. NSS was
written as an abstraction layer that assumed the databases, traditionally
files such as /etc/passwd, are always available and cheap to query.
These assumptions break down when the database has to be queried over
the network.

There is no proper fix, outside of ripping out NSS entirely for
something new (which is not practical, as you can guess). All you can
do is mitigate the problem. Tweaking the various limits in
/etc/ldap.conf is useless; even very short timeouts do add up. nscd,
which is buggy as hell anyway, will block the second it has to query the
network database because it does not keep state in the first place.

The only solution that can provide some relief is to have a daemon sit
between the library and the network database to cache network queries,
to keep track of the state of the network database, and to continue
returning results without blocking when it is unavailable, unlike nscd.
Solaris has had such a thing for quite some time, with good results. In
Ubuntu, the libnss-ldapd and sssd packages, and the nssov slapd overlay,
provide just that. I have not experimented with any of them, so I cannot
make an enlightened recommendation, but they all try to address exactly
the problem being discussed here. I suggest you investigate them, and
report bugs you find along the way.

--
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3

 ~= Ubuntu: Linux for Human Beings =~
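An added audit script, not code from this bug thread nor from any of the packages named in it, that makes the distinction drawn above checkable on a host: it parses an nsswitch.conf (a constructed sample is embedded), reports per database whether local files are consulted before the directory, and flags "ldap" lookups that have no nslcd behind them. It assumes that nss_ldap and libnss-ldapd both register as "ldap" in nsswitch.conf, that sssd registers as "sss", and that a running nslcd is detected by the socket path in NSLCD_SOCKET.

```shell
#!/bin/sh
# Added audit helper, not code from the bug thread. Reads an nsswitch.conf and
# reports, per database, whether local files are consulted before the directory
# and whether "ldap" lookups have no nslcd behind them. Assumes nss_ldap and
# libnss-ldapd both register as "ldap", sssd as "sss", and that a running nslcd
# is detected by the socket path in NSLCD_SOCKET.
NSLCD_SOCKET=${NSLCD_SOCKET:-/var/run/nslcd/socket}
# sources FILE DB: print the source list configured for database DB
sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/#.*//' |
        head -n 1 | tr -s '[:space:]' ' '
}
# classify FILE DB: local-only | files-first | network-first
classify() {
    first=""; netsrc=""
    for s in $(sources "$1" "$2"); do
        case $s in
            '['*) ;;                                  # action such as [NOTFOUND=return]
            files|compat|db) [ -n "$first" ] || first=local ;;
            ldap|sss|nis|dns|winbind) [ -n "$first" ] || first=network
                                      netsrc="$netsrc $s" ;;
        esac
    done
    if [ -z "$netsrc" ]; then echo local-only
    elif [ "$first" = local ]; then echo files-first
    else echo network-first; fi
}
# stateless_ldap FILE DB: true when DB uses "ldap" and no nslcd socket exists,
# i.e. each lookup is a blocking network query inside the calling process
stateless_ldap() {
    case " $(sources "$1" "$2") " in
        *" ldap "*) [ ! -e "$NSLCD_SOCKET" ] ;;
        *) return 1 ;;
    esac
}
# write_sample PATH: constructed nsswitch.conf, not taken from any real host
write_sample() {
    cat > "$1" <<'EOF'
passwd:         files ldap
netgroup:       ldap files   # directory asked first: blocks even for local users
protocols:      db files
EOF
}
# report FILE: one line per database that matters for login
report() {
    for db in passwd netgroup; do
        note=ok; stateless_ldap "$1" "$db" && note="ldap without nslcd: blocks on outage"
        printf '%-9s %-14s %s\n' "$db" "$(classify "$1" "$db")" "$note"
    done
}
sample=$(mktemp); write_sample "$sample"; report "$sample"; rm -f "$sample"
```

Run it against the real file with `report /etc/nsswitch.conf`; a "network-first" or "ldap without nslcd" line is the configuration the comment above warns will hang logins when the directory is unreachable.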