<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/16/2013 12:02 PM, KodaK wrote:
<blockquote
cite="mid:CAA9J0ZGCqwDcRMFqoru2wi1-xniLpygP57jEkfWCeg5-Vscc8g@mail.gmail.com"
type="cite">
<div dir="ltr">Yet another AIX related problem:
<div><br>
</div>
<div>The AIX LDAP client is called secldapclntd (sure, they
could make it more awkward, but the budget ran out.) I'm
running into the issue detailed here:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344">http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344</a></div>
<div><br>
</div>
<div>"<span style="color:rgb(51,51,51)">If an LDAP server fails
to answer an LDAP query, </span><span
style="color:rgb(51,51,51)">secldapclntd caches the </span><span
style="color:rgb(51,51,51)">non-answered query negatively.
This may happen if the </span><span
style="color:rgb(51,51,51)">LDAP server is </span><span
style="color:rgb(51,51,51)">down for example. After the LDAP
server is back again </span><span
style="color:rgb(51,51,51)">secldapclntd </span><span
style="color:rgb(51,51,51)">will use the negative cache
entry and the application </span><span
style="color:rgb(51,51,51)">initiating the </span><span
style="color:rgb(51,51,51)">original query will still fail
until the cache entry </span><span
style="color:rgb(51,51,51)">expires."</span></div>
<div><br>
</div>
<div>IBM is working on porting the fix to our specific TL and SP
levels.</div>
<div><br>
</div>
<div>What I'm concerned with here, though, is *why* is it timing
out? I don't know what the current timeout values are (AIX
sucks, etc.)</div>
<div><br>
</div>
<div>I don't see timeout issues on my Linux boxes, which leads
me to believe that either the sssd timeouts are longer or that
sssd is just more robust when dealing with timeouts.</div>
<div><br>
</div>
<div>
I believe I'm seeing similar behavior with LDAP sudo on AIX as
well, because I occasionally have to re-run sudo commands
because they initially fail (and I know I'm using the right
passwords.) However, sudo doesn't appear to have a cache (or
it handles caching better.)</div>
<div><br>
</div>
<div>Does anyone have any troubleshooting suggestions? Any
general "speed things up" suggestions on the IPA side?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>--Jason<br clear="all">
<div><br>
</div>
-- <br>
The government is going to read our mail anyway, might as well
make it tough for them. GPG Public key ID: B6A1A7C6
</div>
</div>
<br>
</blockquote>
<br>
Is the server FreeIPA?<br>
Can you see in the server logs what is actually happening? Is it the
server that really takes time, or is there a network connectivity
issue, or is a FW dropping packets?<br>
I would really start with the server side logs.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</body>
</html>