2

On a debian 8 server which uses LDAP for user authentification (slapd, libpam-ldapd and nslcd are installed) I get following message in syslog, multiple times, each time the system needs to lookup user information in LDAP (like typing id [username], or setting permissions for a folder, etc.)

slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16

This control is apparently the deref-control. I was not able to find any information on it, except that it is useful when storing the LDAP database on multiple servers. This is never the case on my machines. I never consciously activated that control anywhere.

This makes the system extremely slow in certain circumstances, e.g. when the user-import script is running and importing a big number of users.

This message can appear about hundred times per second, when user import is running. When typing "id [username]" in the terminal just once, this message appears about 10 times in syslog.

Further investigation has revealed, that nslcd is probably linked to this behavior. When running nslcd in debug mode, following options can be seen being used for connection to the LDAP server:

nslcd: [e8944a] <group=3000> DEBUG: ldap_initialize(ldapi:///localhost)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_rebind_proc()
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e8944a] <group=3000> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e8944a] <group=3000> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldapi:///localhost")

So it seems to disable DEREF there, but my slapd configuration has no information about DEREF at all, maybe that is what is causing the problem?

How can the multiple messages about unrecognized controls be avoided?

Javaguy
  • 33
  • 1
  • 6

1 Answers1

2

ldap_set_option(LDAP_OPT_DEREF,0)

This is an option for dereferencing an alias during processing a search operation. It's good that it's disabled (by default). But this is not relevant here.

As you already found out "1.3.6.1.4.1.4203.666.5.16" is the OID of the so-called LDAP Dereference Control. This control can be used in search requests to let the server return data from entries referenced by an entry found by the search.

Depending on your data enabling overlay slapo-deref in the database can help speeding things up, but leads to data being transferred multiple times (e.g. in case user is member of many groups).

It seems that this can only be turned off when compiling nss-pam-ldapd (aka nslcd).

But IMHO that's not your main performance issue. You should consider to use nscd(name service caching demon). Otherwise each NSS request to nslcd will result in a LDAP search request sent remotely.

You might also consider using sssd because it has an internal caching architecture which has pros and cons. YMMV.

Community
  • 1
  • 1
Michael Ströder
  • 1,248
  • 8
  • 12