Axel Thimm wrote:
On Mon, Oct 23, 2006 at 11:04:18AM +0300, Apostolis Papagiannakis wrote:
I've had similar "User unknowns" with nscd in the past. I was using dovecot ->getpwent -> nscd -> nss_ldap -> LDAP.
Are you using ldapi?
Oops, I think I sent my previous post with unreadable HTML formatting. I hope this one is OK.
In /etc/ldap.conf (nss_ldap conf file) I use two ldap servers as "ldaps" URIs.
# /etc/ldap.conf
uri ldaps://ldap1.auth.gr/ ldaps://ldap2.auth.gr/
apap
You need to make sure that the user nscd is running as has proper permissions to the required resources (r/w on ldapi sockets, read on ldaps' ca certs and the like). Turn on the debug level in ldap.conf (nss_ldap's, not openssl's) and sudo to the nscd user/group to test the access.
Also nscd doesn't use rootbinddn, it uses binddn.
I think file permissions have always been ok because nscd and nss_ldap usually work ok. The problem appears only when the ldap connection breaks (e.g. remote ldap server restart). We don't use rootbinddn at all. Anyway I just checked the latest version of nss_ldap and now I see interesting new relevant options are available (e.g. nss_connect_policy persist/oneshot). I will give it a try and respond back in a few days. Definitely nss_ldap's bad behaviour is not really a dovecot problem. Dovecot has been rock solid here serving 30000 users (4000 different active users every day) on a single server.
apap
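As an added illustration of the permission check Axel suggests (this is not code from the thread, from nss_ldap or from nscd): a small Python checker that reads an nss_ldap-style ldap.conf, pulls out the ldapi socket paths and the CA certificate paths, and reports which of them a given uid/gid set could not read (or, for ldapi sockets, read and write). The sample ldap.conf and certificate file are constructed, the tls_cacertfile/tls_cacertdir keys are assumed to be the ones that name the CA material, and only classic mode bits are evaluated (no ACLs, no root override).

```python
import os, tempfile
from urllib.parse import unquote

# Constructed sample modelled on the two-URI ldap.conf quoted in the thread.
SAMPLE_CONF = "# /etc/ldap.conf (nss_ldap)\nuri ldaps://ldap1.auth.gr/ ldaps://ldap2.auth.gr/\n"

def parse_ldap_conf(text):
    """Return (uris, cert_paths) from nss_ldap-style 'key value' lines; '#' lines are skipped."""
    uris, certs = [], []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "uri":
            uris.extend(parts[1].split())
        elif parts[0].lower() in ("tls_cacertfile", "tls_cacertdir"):
            certs.append(parts[1].strip())
    return uris, certs

def can_access(path, uid, gids, write=False):
    """Classic mode-bit check for uid/gids: no ACLs, no root override; a missing path is False."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    # select the owner/group/other triad, then test the r (4) and w (2) bits
    bits = (st.st_mode >> (6 if st.st_uid == uid else 3 if st.st_gid in gids else 0)) & 7
    return bool(bits & 4) and (not write or bool(bits & 2))

def check_nscd_access(conf_text, uid, gids):
    """Resources named in conf_text that an nscd running as uid/gids could not use."""
    uris, certs = parse_ldap_conf(conf_text)
    problems = []
    for uri in uris:
        if uri.startswith("ldapi://"):  # the socket path is percent-encoded in the URI
            sock = unquote(uri[len("ldapi://"):].rstrip("/"))
            if not can_access(sock, uid, gids, write=True):
                problems.append("ldapi socket not r/w: " + sock)
    problems += ["CA cert not readable: " + c for c in certs if not can_access(c, uid, gids)]
    return problems

def run_demo():
    """Constructed fixture: a CA cert readable only by its owner, checked as the owner and as an unrelated uid."""
    cert = os.path.join(tempfile.mkdtemp(), "cacert.pem")
    with open(cert, "w") as f:
        f.write("constructed placeholder, not a real certificate\n")
    os.chmod(cert, 0o600)
    conf = SAMPLE_CONF + "tls_cacertfile " + cert + "\n"
    return (check_nscd_access(conf, os.getuid(), {os.getgid()}),
            check_nscd_access(conf, os.getuid() + 1, set()))
```

The second tuple element from run_demo() is what an nscd started under the wrong account would hit: the ldaps URIs parse fine, but the CA certificate is reported as unreadable.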