nsswitch.conf: "hosts ldap" conflicts with routing



Sve_n
06-Aug-2012, 16:16
Hi,
I have two networks, e.g. 100.10.10.0 and 200.20.20.0, linked together by a server "server", which routes between them and at the same time is the LDAP server. I installed SLES 11 SP2 on a new machine "client" in the 200 network and, since the server certificates are for the 100 network, on the client I put the server's 100 IP (100.10.10.1) in the ldap.conf files and made the server's 200 IP (200.20.20.1) the default router. Depending on the entries in nsswitch.conf and the hosts file, I get the following results:

1)
nsswitch.conf:
passwd: files ldap
hosts: files

hosts file: (no entries added)

>getent passwd   # everything works, LDAP entries are printed
>route
Destination Gateway Genmask Flags Metric Ref Use Iface
default 200.20.20.1 0.0.0.0 UG 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
link-local * 255.255.0.0 U 0 0 0 eth0
200.20.20.0 * 255.255.255.0 U 0 0 0 eth0
______________________________________________________________

2)
nsswitch.conf:
passwd: files ldap
hosts: files ldap

hosts file: (no entries added)

>getent passwd   # prints local entries, then freezes until I interrupt it (I wasn't very patient)
>route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
^C   # my interrupt, after more than a minute
______________________________________________________________

3)
nsswitch.conf:
passwd: files ldap
hosts: files ldap

hosts file:
200.20.20.1 server

>getent passwd   # prints local entries, then still freezes
>route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default server 0.0.0.0 UG 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
link-local * 255.255.0.0 U 0 0 0 eth0
200.20.20.0 * 255.255.255.0 U 0 0 0 eth0

# if I add "networks: ldap" to nsswitch.conf, route freezes at the point where it should print the 200 network

______________________________________________________________

4)
nsswitch.conf:
passwd: files ldap
hosts: files ldap

hosts file:
200.20.20.1 server
200.20.20.5 client

>getent passwd   # works again and prints all entries
>route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default server 0.0.0.0 UG 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
link-local * 255.255.0.0 U 0 0 0 eth0
200.20.20.0 * 255.255.255.0 U 0 0 0 eth0

# now it even works with "networks: ldap"
It seems to me as if route and the LDAP lookup recursively invoke each other, and although I can solve the problem by editing the hosts file, I would like to know whether I can convince route to be satisfied with knowing only the IP...

I just found out that it suffices to write 200.20.20.5 into the hosts file (without the server entry) to make everything work. Can someone explain that to me?
Thanks in advance, Sven

jmozdzen
07-Aug-2012, 15:23
Hi Sven,

the main problem seems to be that name lookups are made during several of the LDAP accesses, and they are blocking.

In 1), name lookups are done locally (hosts: files) and missing matches don't cause any harm.
In 2), name lookups missed in the files are routed to LDAP, which somehow relies on name lookups itself - catch-22. "getent" hangs as soon as it gets to the LDAP accesses, and "route" tries to resolve "200.20.20.1" via LDAP and hangs.
In 3), LDAP access still hangs (hanging "getent"), but "route" can resolve "200.20.20.1" via local files, so it doesn't even get to the LDAP lookup. When you tell it to look up network names via LDAP, you get the hang again.
In 4), LDAP access works fine and all information is delivered: adding "client" (or at least its IP address) to /etc/hosts makes the corresponding queries return immediately.

I guess that you have some dependency on the name "client" in your LDAP configuration. As long as you don't ask for LDAP back-end accesses for name lookups (or include the client's address in /etc/hosts), LDAP will work fine and all services using LDAP will get what they ask for.

Regards,
Jens
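The check below is an added example written for this page; it is not code from either poster and not part of SLES or nss_ldap. It replays the four cases from the first post as constructed nsswitch.conf and hosts-file contents and flags the two conditions the thread arrives at: once "hosts: ... ldap" is in nsswitch.conf, the LDAP server's address (what route reverse-resolves, case 3) and the client's own hostname (what the LDAP back end needs while it is being set up, case 4) must both be answerable by the files service, otherwise the lookup recurses into LDAP and every caller blocks. The addresses and the names "server" and "client" come from the thread; the function names and the sample file contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the
# nsswitch/LDAP lookup loop discussed above. All file contents below are
# constructed to mirror the four cases in the first post.

# nss_hosts_uses_ldap NSSWITCH_TEXT
# Returns 0 when the "hosts:" database line lists the ldap service.
nss_hosts_uses_ldap() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "hosts:"   { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END              { exit (found ? 0 : 1) }'
}

# hosts_file_has HOSTS_TEXT TOKEN
# Returns 0 when a non-comment hosts-file line contains TOKEN as an
# address or a name, i.e. the "files" service can answer for it.
hosts_file_has() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_nss_ldap_loop NSSWITCH_TEXT HOSTS_TEXT LDAP_SERVER_IP OWN_HOSTNAME
# Returns 0 when every name that route or the LDAP back end needs can be
# answered from files before LDAP is consulted, 1 when a lookup can loop.
check_nss_ldap_loop() {
    cfg_nss=$1
    cfg_hosts=$2
    ldap_ip=$3
    own_name=$4
    if ! nss_hosts_uses_ldap "$cfg_nss"; then
        echo "ok: hosts lookups never reach LDAP"
        return 0
    fi
    rc=0
    # Case 3 in the thread: with the server's address pinned, route no longer hangs.
    if ! hosts_file_has "$cfg_hosts" "$ldap_ip"; then
        echo "risk: $ldap_ip is not in the hosts file; its reverse lookup goes to LDAP"
        rc=1
    fi
    # Case 4 in the thread: with the client's own name pinned, getent works.
    if ! hosts_file_has "$cfg_hosts" "$own_name"; then
        echo "risk: own hostname '$own_name' is not in the hosts file; nss_ldap can recurse"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: server address and own name resolve from files"
    return "$rc"
}

# Constructed inputs using the thread's addresses and names.
NSS_FILES='passwd: files ldap
hosts:  files'
NSS_LDAP='passwd: files ldap
hosts:  files ldap'
HOSTS_NONE='127.0.0.1 localhost'
HOSTS_SERVER='127.0.0.1   localhost
200.20.20.1 server'
HOSTS_BOTH='127.0.0.1   localhost
200.20.20.1 server
200.20.20.5 client'

# Walk the four cases from the first post; each line prints its verdict.
echo "case 1:"; check_nss_ldap_loop "$NSS_FILES" "$HOSTS_NONE"   200.20.20.1 client || :
echo "case 2:"; check_nss_ldap_loop "$NSS_LDAP"  "$HOSTS_NONE"   200.20.20.1 client || :
echo "case 3:"; check_nss_ldap_loop "$NSS_LDAP"  "$HOSTS_SERVER" 200.20.20.1 client || :
echo "case 4:"; check_nss_ldap_loop "$NSS_LDAP"  "$HOSTS_BOTH"   200.20.20.1 client || :
```

On a live box the same two questions can be put to the running NSS stack with `getent -s files hosts 200.20.20.1` and `getent -s files hosts "$(hostname)"` where glibc's getent supports `-s`/`--service`: restricting the query to the files service means the check itself cannot hang on the LDAP back end, which is exactly what makes an unrestricted `getent hosts` useless as a diagnostic in cases 2 and 3.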