...

Axel Thimm wrote:

...

On Mon, Oct 23, 2006 at 11:04:18AM +0300, "????????? ????????????? (Apostolis Papagiannakis)" wrote:

...

I've had similar "User unknowns" with nscd in the past. I was using dovecot ->getpwent -> nscd -> nss_ldap -> LDAP.

Are you using ldapi?

Oops, I think I sent my previous post with unreadable HTML formating. I hope this one is OK.

In /etc/ldap.conf (nss_ldap conf file) I use two ldap servers as "ldaps" URIs.

/etc/ldap.conf

uri ldaps://ldap1.auth.gr/ ldaps://ldap2.auth.gr/

apap

You need to make sure that the user nscd is running as has proper permissions to the required resources (r/w on ldapi sockets, read on ldaps' ca certs and the like). Turn on the debug level in ldap.conf (nss_ldap's, not openssl's) and sudo to the nscd user/group to test the access.

Also nscd doesn't use rootbinddn, it uses binddn.

I think file permissions have always been ok because nscd and 

nss_ldap usually work ok. The problem appears only when the ldap connection breaks (e.g. remote ldap server restart). We don't use rootbinddn at all. Anyway I just checked the latest version of nss_ldap and now I see interesting new relevant options are available (e.g. nss_connect_policy persist/oneshot). I will give it a try and respond back in a few days. Definately nss_ldap's bad behaviour is not really a dovecot problem. Dovecot has been rock solid here serving 30000 users (4000 different active users every day) on a single server.

apap