IBM Support

LDAP logins are slow or timing out

Troubleshooting


Problem

Users report that queries are failing with errors, that logins are very slow, or both.

Symptom

Queries are failing.

/var/log/messages shows LDAP timeouts

Logins to the NPS database are very slow

Cause

There are two common reasons that these symptoms can appear.

1. The base statement in the LDAP configuration is too open (any LDAP server).

2. The LDAP server is Microsoft Active Directory and it is sending referrals.

Environment

IBM Netezza NPS

Diagnosing The Problem

1) base statement too wide

Using ldapsearch (Technote 1973912) from the openldap-clients RPM, conduct a search on a user using the parameters in the ldap.conf or pam_ldap.conf file. Make note of the Distinguished Name and the path to the user.

If the distinguished name is cn=user,cn=Users,dc=testad,dc=netezza,dc=com then the path to the username user is cn=Users,dc=testad,dc=netezza,dc=com

If the base statement is set to dc=netezza,dc=com, the search may have to sort through thousands of entries in LDAP to find the users.

Make the base statement cn=Users,dc=testad,dc=netezza,dc=com and test the search.

With this base, the search does not have to sort through the other entries in dc=testad,dc=netezza,dc=com and goes straight to where the user records are stored, which shortens the search time considerably.

Note that if the base is set too narrow, the search may not find all the users.

If the base statement is set to cn=USA Users,dc=testad,dc=netezza,dc=com but there are users located in cn=India Users,dc=testad,dc=netezza,dc=com then the India users cannot be found on the authentication request.

In this case the base statement has to be more open and be set to something like dc=testad,dc=netezza,dc=com

=====================================================

2) referrals

When Active Directory receives a search request, it may state that it does not have the entire record information for the user and send a referral back instead.

Red Hat will do its best to follow the referrals, but this is not always a timely action.

Since we are only interested in the username and password match, and not the rest of the information contained in the LDAP server, it is usually much faster to add the option "referrals no" to the LDAP configuration file.

With this option set, when the connection is made to the Active Directory server, the AD server is informed to disable referrals and answer the request without referring to another LDAP server.

Since all of the AD LDAP servers contain the user names and passwords, the search is much faster and will often improve the login time by 20 seconds or more, depending on the environment.
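A check covering both causes above, as an added example that is not part of the IBM technote: it reads an ldap.conf-style file and reports how the base statement relates to a known user's DN and whether referrals are disabled. The function names and the sample file are hypothetical; it assumes DNs contain no escaped commas and that the first "base" / "referrals" line in the file is the one in effect.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes DNs contain no escaped commas and that
# the first "base" / "referrals" line in the file is the one in effect.

# Lower-case a DN and drop spaces around commas so DNs compare reliably.
dn_norm() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'; }

# Print the value of the first non-comment line whose keyword is $1 in file $2.
conf_value() {
    awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# audit_ldap_conf <conf-file> <user-dn>
# Prints "base=<finding> referrals=<finding>" for the two causes on this page.
audit_ldap_conf() {
    a_user=$(dn_norm "$2")
    a_parent=${a_user#*,}                      # container that holds the user
    a_base=$(dn_norm "$(conf_value base "$1")")
    if [ -z "$a_base" ]; then
        a_find=unset
    elif [ "$a_base" = "$a_parent" ]; then
        a_find=matches-user-container
    else
        case ",$a_parent" in
            *",$a_base") a_find=wider-than-user-container ;;  # search scans extra subtrees
            *)           a_find=does-not-contain-user ;;      # user cannot be found
        esac
    fi
    a_ref=$(conf_value referrals "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$a_ref" = no ]; then a_ref=disabled; else a_ref=not-disabled; fi
    printf 'base=%s referrals=%s\n' "$a_find" "$a_ref"
}

# Constructed sample file using the example DNs from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real configuration
base dc=netezza,dc=com
#referrals no
EOF
audit_ldap_conf "$sample" "cn=user,cn=Users,dc=testad,dc=netezza,dc=com"
rm -f "$sample"
```

A "wider-than-user-container" finding is not always wrong: as described above, the base has to stay wide enough to cover every container that holds users.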

Resolving The Problem

In the case of referrals, the only change needed is to add the statement "referrals no" to /etc/ldap.conf (or pam_ldap.conf).

In the case of the base statement, make the change to the line that states base, then test a login (or several). If the change helps, run the nzsql set authentication command to have the base statement changed.

After making changes to the /etc ldap configuration file, the changes take effect immediately and do not require an nzstop / nzstart or a reboot.

This is a good way to check the changes without making anything permanent.

If the changes help with the issue, then the next step would be to make these changes permanent.

The /etc ldap configuration file should be copied to the configuration file located in the /nz/data/config directory.


When copying LDAP configuration files, the LDAP configuration file in /nz/data/config/ should be owned by nz with -rw-r--r-- permissions (see Technote 1987618 for naming conventions).

The information on how to run the nzsql set authentication command is located in the administrator's guide.


Document Information

Modified date:
03 June 2022

UID

swg21998407