On Tue, 2012-08-21 at 13:17 +0200, Arturo Borrero wrote:
> Aug 21 13:05:08 cf01 nslcd[3169]: [7a3ca9] <passwd=3816> error writing to
> client: Broken pipe
This happens when a client sends a request to nslcd but doesn't read the
response completely. A case where this can happen in normal operations
is with huge groups which cannot be read in one go.
> Here is a debug information:
>
> nslcd: [8b4567] DEBUG: connection from pid=18419 uid=0 gid=0
> nslcd: [8b4567] <passwd=3816> DEBUG:
> myldap_search(base="ou=example,ou=users,ou=cuentas,dc=example,dc=es",
> filter="(&(objectClass=posixAccount)(uidNumber=3816))")
> nslcd: [8b4567] <passwd=3816> DEBUG: ldap_initialize(ldaps://ldap.example.es/)
> nslcd: [8b4567] <passwd=3816> DEBUG:
> ldap_simple_bind_s("uid=example,ou=cuentas,dc=example,dc=es","***")
> (uri="ldaps://ldap.example.es/")
> nslcd: [8b4567] <passwd=3816> DEBUG: ldap_result():
> uid=mmoreda,ou=example,ou=users,ou=cuentas,dc=example,dc=es
> nslcd: [8b4567] <passwd=3816> DEBUG: ldap_result():
> uid=saul.dominguez,ou=example,ou=users,ou=cuentas,dc=example,dc=es
> nslcd: [8b4567] <passwd=3816> DEBUG: ldap_result():
> uid=jesus.maria,ou=example,ou=users,ou=cuentas,dc=example,dc=es
> nslcd: [8b4567] <passwd=3816> error writing to client: Broken pipe
The problem here is that the user id 3816 is shared by a number of
users. The client library is just expecting one response and closes the
connection after reading the first response (mmoreda in this case). The
two other users can probably be written by nslcd before any error
because of buffering.
The NSS interfaces do not properly support multiple users with the same
numeric user id (or with the same username for that matter). At least
nscd seems to have issues with such set-ups.
If you cannot give each user a unique numeric user id and you are aware
of the security implications of this set-up you could just ignore these
errors. The errors do not cause any problems and things should just
work.
A way to avoid the errors is to make a dummy user in /etc/passwd with
numeric uid 3816. This would ensure that all reverse lookups like the
above will not hit nslcd (this is even a slight performance
improvement).
If you have no additional information for this bug I plan to close it in
a couple of days. Thanks for the clear bug report, especially the debug
information made it easy to pinpoint.
Hope this helps,
--
-- arthur - [email protected] - http://people.debian.org/~adejong --
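
An added example, not part of the original message or of nslcd itself: a Python check that scans nslcd debug output for passwd lookups that returned more than one LDAP entry, the condition described above. The sample log is constructed from the quoted debug lines with the wrapped lines rejoined plus one constructed extra entry, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: nslcd debug output modelled on the lines quoted above,
# with each mail-wrapped line joined back into one. The last line is invented.
SAMPLE_LOG = """\
nslcd: [8b4567] DEBUG: connection from pid=18419 uid=0 gid=0
nslcd: [8b4567] <passwd=3816> DEBUG: myldap_search(base="ou=example,ou=users,ou=cuentas,dc=example,dc=es", filter="(&(objectClass=posixAccount)(uidNumber=3816))")
nslcd: [8b4567] <passwd=3816> DEBUG: ldap_result(): uid=mmoreda,ou=example,ou=users,ou=cuentas,dc=example,dc=es
nslcd: [8b4567] <passwd=3816> DEBUG: ldap_result(): uid=saul.dominguez,ou=example,ou=users,ou=cuentas,dc=example,dc=es
nslcd: [8b4567] <passwd=3816> DEBUG: ldap_result(): uid=jesus.maria,ou=example,ou=users,ou=cuentas,dc=example,dc=es
nslcd: [8b4567] <passwd=3816> error writing to client: Broken pipe
nslcd: [3c9a11] <passwd=4001> DEBUG: ldap_result(): uid=constructed.user,ou=example,ou=users,ou=cuentas,dc=example,dc=es
"""

# "[session] <passwd=KEY>" prefix carried by every line of one passwd lookup
REQ = re.compile(r"\[(?P<sid>[0-9a-f]+)\] <passwd=(?P<key>[^>]+)> (?P<rest>.*)")
# Only lines whose result looks like a DN (contains "attr=value")
RESULT = re.compile(r"DEBUG: ldap_result\(\): (?P<dn>\S+=\S+)")

def ambiguous_passwd_lookups(log_text):
    """Return {lookup key: {"dns": [...], "broken_pipe": bool}} for every
    passwd lookup that received more than one LDAP entry."""
    seen = defaultdict(lambda: {"dns": [], "broken_pipe": False})
    for line in log_text.splitlines():
        m = REQ.search(line)
        if not m:
            continue
        entry = seen[(m["sid"], m["key"])]
        r = RESULT.match(m["rest"])
        if r:
            if r["dn"] not in entry["dns"]:
                entry["dns"].append(r["dn"])
        elif "error writing to client: Broken pipe" in m["rest"]:
            entry["broken_pipe"] = True
    report = {}
    for (_sid, key), entry in seen.items():
        if len(entry["dns"]) > 1:  # one key resolved to several accounts
            merged = report.setdefault(key, {"dns": [], "broken_pipe": False})
            merged["dns"] += [d for d in entry["dns"] if d not in merged["dns"]]
            merged["broken_pipe"] |= entry["broken_pipe"]
    return report

if __name__ == "__main__":
    for key, info in ambiguous_passwd_lookups(SAMPLE_LOG).items():
        print(f"passwd={key}: {len(info['dns'])} entries, broken pipe={info['broken_pipe']}")
        for dn in info["dns"]:
            print("   ", dn)
```

Each key it reports is a numeric uid (or name) that maps to several accounts, so file ownership and audit records for that id cannot be attributed to one person.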

