Posts tagged ‘NSS’

In a previous post I discussed the problems of integrating Linux with LDAP. I proposed several solutions and noted that a good configuration can be enough: tuning the configuration, trying to avoid buggy code, minimizing locks and delays, etc.

In this post I will describe a configuration that is quite stable at the moment, using Suse 11 SP2 with Active Directory 2003 + SFU.


To integrate a Linux system with a centralized user directory (like Microsoft Active Directory), the usual solution is to configure Kerberos for authentication (password/credential checking) and LDAP for authorization and access control. The “standardized” way to implement this is to use libpam_krb5, libnss_ldap (by PADL Software) and nscd (from libc).

Kerberos integration works pretty well and I do not have too many issues with it, but I cannot say the same of libnss_ldap and nscd.

In this post I will explain the annoying problems that you can run into when using libnss_ldap and nscd, and propose some solutions and configurations that will make it work properly. I also recommend reading a previous post about the problems and solutions when connecting a Unix server to Active Directory (Spanish post).

Read this article if you are experiencing problems with nscd+libnss_ldap (quoting

  • Sometimes it consumes 100% cpu (and does not stop that until being killed)
  • Sometimes it just crashes.
  • Sometimes it causes users to “vanish”
  • Sometimes it hangs and thus slows down the whole system
  • Sometimes it makes the whole host work slowly
  • Sometimes logging in to a host or executing sudo/su takes a lot of time or never logs in.
  • Sometimes sudo or su dies with “Segmentation Fault”
  • Sometimes a simple ‘ls’ command takes minutes.
  • etc…


We want to know how AIX will work with duplicated users and groups in the BUILTIN and LDAP databases.

In Linux, with NSS, the OS follows the rules defined in /etc/nsswitch.conf and merges the credentials. If two user entries have the same name and different IDs, or vice versa, it will take the first one. But in AIX it is different.
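The Linux first-match behaviour described above can be modelled to audit which duplicated accounts are shadowed. This is an added example, not code from the original post. The passwd data is constructed, the function names are hypothetical, and the model assumes a plain `passwd: files ldap` order without nsswitch action items.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "source name uid")

# Constructed sample data in passwd(5) format; not taken from a real system.
FILES = """root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
jdoe:x:1001:100:Local John:/home/jdoe:/bin/bash
"""
LDAP = """jdoe:x:20015:10000:John Doe:/home/jdoe:/bin/bash
asmith:x:1001:10000:Alice Smith:/home/asmith:/bin/bash
mlopez:x:20020:10000:Maria Lopez:/home/mlopez:/bin/bash
"""

def parse(source, text):
    """Parse passwd-format lines, skipping blank, comment and malformed lines."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if not line.strip() or line.startswith("#") or len(f) < 7 or not f[2].isdigit():
            continue
        out.append(Entry(source, f[0], int(f[2])))
    return out

def lookup(sources, key, field):
    """First-match resolution: walk sources in nsswitch order, return the first hit."""
    for entries in sources:
        for e in entries:
            if getattr(e, field) == key:
                return e
    return None

def conflicts(sources):
    """List (field, winner, shadowed) where an earlier source answers the same
    name with a different uid, or the same uid with a different name."""
    found = []
    for i, entries in enumerate(sources):
        for e in entries:
            for field, other in (("name", "uid"), ("uid", "name")):
                w = lookup(sources[:i], getattr(e, field), field)
                if w is not None and getattr(w, other) != getattr(e, other):
                    found.append((field, w, e))
    return found

if __name__ == "__main__":
    order = [parse("files", FILES), parse("ldap", LDAP)]  # models "passwd: files ldap"
    for field, winner, shadowed in conflicts(order):
        print(f"same {field}: {winner} wins over {shadowed}")
```

Each reported pair is an account whose effective identity depends on source order, so file ownership and sudo rules written for the directory entry apply to a different UID or user name on that host.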