5 Replies Latest reply: May 16, 2012 10:28 AM by Marco Milo

Linux client not returning all entries from LDAP

935868 Newbie
We have Solaris and Linux systems using ODS 11.1.1.5.0 for login authentication. The Solaris clients see all the users with no problems, but the Linux systems are only seeing 2161 entries. I have SizeLimit set to 5000 and LookthroughLimit set to 30000 in ODS. There are VLV indexes created and Solaris is using them. When I do a getent passwd on Solaris I see this in the ODS logs:

[08/May/2012:13:32:53 -0400] conn=7 op=9133 msgId=9134 - SRCH base="ou=people,o=tsg,o=ge.com" scope=2 filter="(&(tsgunixstatus=A)(|(tsgservergroup=USERS)(tsgservergroup=nec_dev)))" attrs="cn uid uidNumber gidNumber gecos description tsgunixhomedirectory tsgunixloginshell"
[08/May/2012:13:32:53 -0400] conn=7 op=9133 msgId=9134 - SORT cn uid
[08/May/2012:13:32:53 -0400] conn=7 op=9133 msgId=9134 - VLV 0:999:0:0 1:5857 (0)
[08/May/2012:13:32:55 -0400] conn=7 op=9133 msgId=9134 - RESULT err=0 tag=101 nentries=1000 etime=2

etc., until all the entries are returned. On Linux, the same getent passwd gets this in the ODS logs:

[08/May/2012:13:12:19 -0400] conn=8189 op=1 msgId=2 - SRCH base="ou=people,o=tsg,o=ge.com" scope=2 filter="(&(objectClass=tsgposixaccount)(&(tsgunixstatus=A)(|(tsgservergroup=USERS)(tsgservergroup=nec_dev))))" attrs="uid userPassword uidNumber gidNumber cn tsglinuxhomedirectory tsglinuxloginshell gecos description objectClass"
[08/May/2012:13:12:26 -0400] conn=8189 op=1 msgId=2 - RESULT err=11 tag=101 nentries=2161 etime=7 notes=U
[08/May/2012:13:12:26 -0400] conn=8189 op=2 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0

I see that Linux adds an extra (objectClass=tsgposixaccount) to the search filter, and I added VLV indexes for Linux to match what is shown in the logs for the filter. The only piece I was not sure of was the Sort for the Linux VLV; I used cn uid, as Solaris does.

Is there something I need to do to get the VLVs to work with Linux clients? I do not want to set my SizeLimit or LookthroughLimit to unlimited if I do not have to. The /etc/ldap.conf for Linux is pretty standard. I did add a pagesize 1000 and nss_paged_results yes, but neither was any help.

Thanks,

Jay
  • 1. Re: Linux client not returning all entries from LDAP
    Marco Milo Journeyer
    Hi Jay,
    just looking at the access log, the output of the first search (the one performed by the Solaris client) basically queries/handles the first 1000 records, whereas the second search (issued by the Linux client) is getting far more results even though the search filter in theory is more restrictive (having an additional logical AND component: (objectClass=tsgposixaccount)).

    Did you by chance implement the nsslapd-search-tune parameter in the dse.ldif, activating bits 8 and 16? We don't see the 'notes=F' that is generally applied when filters are skipped, but it could be due to the fact that we already have the 'notes=U' for the unindexed search on (presumably) objectClass=tsgposixaccount. And in the end, the fact that one of the components of the filter is unindexed could lead to the result set also containing entries that do not match the search filter.

    HTH,
    marco
  • 2. Re: Linux client not returning all entries from LDAP
    935868 Newbie
    No - I have not implemented nsslapd-search-tune on any of the directory servers. The only real change I have made was adding a second VLV to handle Linux systems. It seems that in Solaris, with NS_LDAP_SERVICE_SEARCH_DESC set to (&(tsgunixstatus=A)(|(tsgservergroup=USERS)(tsgservergroup=ec_prod))) for a filter, that is the filter it uses in the search. Linux, on the other hand, tags an additional &(objectclass=tsgposixaccount) on to the front of the filter, so I added a second VLV to match that.

    Now the one thing that I am not sure about on the Linux side is what to set the vlvSort to in the VLV index. I set it to the same as Solaris uses, cn uid, but I never could find any documentation to see if this was correct.
  • 3. Re: Linux client not returning all entries from LDAP
    841083 Newbie
    Since the filters are different, you can't have a single VLV index match both requests.
    The filter used to construct the VLV index HAS to match the request filter for the VLV index to be used (base has to match too - does in this case).

    You either need to modify the search filter coming from Linux or create a second VLV index using the Linux filter.
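As an added illustration (not code from the thread or from ODS), the Python below parses Directory Server access-log lines like the ones quoted in the question, folds each (conn, op) into one record and reports why a search came back short: err=11 is the LDAP sizeLimitExceeded result code, notes=U marks an unindexed filter component, and a missing VLV line means the server logged no VLV request control for that op. The rule from the reply above, that a VLV index is only usable when its base and filter equal the request's, is applied here as an exact string comparison, which is a simplification assumed for the example.

```python
import re
from collections import defaultdict

# Constructed input: access-log lines quoted in the thread (attrs shortened for width).
ACCESS_LOG = """\
[08/May/2012:13:32:53 -0400] conn=7 op=9133 msgId=9134 - SRCH base="ou=people,o=tsg,o=ge.com" scope=2 filter="(&(tsgunixstatus=A)(|(tsgservergroup=USERS)(tsgservergroup=nec_dev)))" attrs="cn uid"
[08/May/2012:13:32:53 -0400] conn=7 op=9133 msgId=9134 - SORT cn uid
[08/May/2012:13:32:53 -0400] conn=7 op=9133 msgId=9134 - VLV 0:999:0:0 1:5857 (0)
[08/May/2012:13:32:55 -0400] conn=7 op=9133 msgId=9134 - RESULT err=0 tag=101 nentries=1000 etime=2
[08/May/2012:13:12:19 -0400] conn=8189 op=1 msgId=2 - SRCH base="ou=people,o=tsg,o=ge.com" scope=2 filter="(&(objectClass=tsgposixaccount)(&(tsgunixstatus=A)(|(tsgservergroup=USERS)(tsgservergroup=nec_dev))))" attrs="uid cn"
[08/May/2012:13:12:26 -0400] conn=8189 op=1 msgId=2 - RESULT err=11 tag=101 nentries=2161 etime=7 notes=U
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) msgId=-?\d+ - (.*)$')
RESULT_RE = re.compile(r'err=(\d+) tag=\d+ nentries=(\d+) etime=\d+(?: notes=(\w+))?')

def parse_ops(log_text):
    """Fold the SRCH/VLV/RESULT lines of each (conn, op) into one record."""
    ops = defaultdict(lambda: {"base": None, "filter": None, "vlv": False,
                               "err": None, "nentries": 0, "notes": ""})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, body = ops[(m.group(1), m.group(2))], m.group(3)
        if body.startswith("SRCH "):
            rec["base"] = re.search(r'base="([^"]*)"', body).group(1)
            rec["filter"] = re.search(r'filter="([^"]*)"', body).group(1)
        elif body.startswith("VLV "):
            rec["vlv"] = True                      # server logged a VLV request control
        elif body.startswith("RESULT "):
            r = RESULT_RE.search(body)
            rec["err"], rec["nentries"] = int(r.group(1)), int(r.group(2))
            rec["notes"] = r.group(3) or ""
    return dict(ops)

def diagnose(rec, vlv_indexes):
    """Return findings for one search; vlv_indexes holds the configured (base, filter)
    pairs, matched by exact string (an assumed simplification of the server's rule)."""
    findings = []
    if rec["err"] == 11:                           # LDAP resultCode 11: sizeLimitExceeded
        findings.append("truncated by size limit after %d entries" % rec["nentries"])
    if "U" in rec["notes"]:                        # notes=U: unindexed filter component
        findings.append("unindexed component in filter")
    if not rec["vlv"]:
        findings.append("no VLV control logged for this op, so no VLV index can be used")
    if (rec["base"], rec["filter"]) not in vlv_indexes:
        findings.append("no configured VLV index has this exact base and filter")
    return findings
```

Running diagnose() over the Linux op with only the Solaris VLV configured yields all four findings; adding a VLV whose filter string equals the Linux request's removes only the last one.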
  • 4. Re: Linux client not returning all entries from LDAP
    935868 Newbie
    I did create a separate Linux filter. It matches the filter that I see in the access log. Still does not work.
  • 5. Re: Linux client not returning all entries from LDAP
    Marco Milo Journeyer
    What happens if you change the Linux query or just run an ldapsearch command with the following filter:

    filter="(&(tsgunixstatus=A)(|(tsgservergroup=USERS)(tsgservergroup=nec_dev)))" attrs="uid userPassword uidNumber gidNumber cn tsglinuxhomedirectory tsglinuxloginshell gecos description objectClass"
