Package: nslcd
Version: 0.7.15+squeeze2
Severity: normal
Tags: upstream

It seems that the idle_timelimit setting is only checked at a new request.

Let's say there's a firewall between the client with nslcd and the LDAP server. The session timeout on the firewall is 1800 seconds and idle_timelimit is set to 1500. The latter seems a reasonable setting; timing out LDAP connections before the firewall will.

Because the idle_timelimit setting is only checked at a new request, it can happen that the LDAP connection lives longer than 1800 seconds before being killed by nslcd. In the meantime the firewall has removed the session. Then, if a new request enters nslcd and gets that LDAP connection assigned, it notices that it's expired and tries to properly clean up the connection. In this case the process of cleaning up the connection takes longer, because it doesn't get a response from the LDAP server, as the firewall doesn't have an open session anymore.

For servers using nslcd that are not used frequently it's a bit annoying to have slow logins etc.

I'm not sure what the best solution is. Not an easy or nice fix would be to have a thread running all the time that checks all connections for idle_timelimit and cleans them up if needed.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                  3.112+nmu2            add and remove users and groups
ii  debconf [debconf-2.      1.5.36.1              Debian configuration management sy
ii  libc6                    2.11.3-4              Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2         1.8.3+dfsg-4squeeze6  MIT Kerberos runtime libraries - k
ii  libldap-2.4-2            2.4.23-7.2            OpenLDAP libraries

Versions of packages nslcd recommends:
ii  libnss-ldapd [libnss-lda 0.7.15+squeeze2       NSS module for using LDAP as a nam
ii  libpam-krb5              4.3-1                 PAM module for MIT Kerberos
ii  libpam-ldapd [libpam-lda 0.7.15+squeeze2       PAM module for using LDAP as an au
ii  unscd [nscd]             0.47-2                Micro Name Service Caching Daemon

Versions of packages nslcd suggests:
ii  kstart                   3.16-3                Kerberos kinit supporting AFS and

-- Configuration Files:
/etc/default/nslcd changed [not included]

-- debconf information excluded
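
Added example (not part of the original report and not nslcd code): a small C model of the timeline described above, comparing the idle check done only at the next request with the periodic check the report suggests. The function names, the 60-second reaper interval and the 2000-second request gap are assumptions made for illustration; times are non-negative seconds and the interval is positive.

```c
#include <stdio.h>

/* Values from the report; the model is a simplification, not nslcd code. */
#define IDLE_TIMELIMIT   1500L  /* nslcd idle_timelimit, seconds */
#define FIREWALL_TIMEOUT 1800L  /* firewall session timeout, seconds */

/* The firewall still forwards packets for this connection at time t
   only if it saw traffic less than FIREWALL_TIMEOUT seconds ago. */
int firewall_session_alive(long last_activity, long t)
{
    return t - last_activity < FIREWALL_TIMEOUT;
}

/* Lazy check (behaviour described in the report): the idle limit is
   evaluated only when the next request arrives. Returns the time the
   connection is closed, or -1 if it is still fresh and gets reused. */
long close_time_lazy(long last_activity, long next_request)
{
    if (next_request - last_activity >= IDLE_TIMELIMIT)
        return next_request;
    return -1;
}

/* Periodic check (the fix sketched in the report): a reaper wakes at
   every multiple of `interval` and closes connections past the limit.
   Returns the first wake-up at or after last_activity + IDLE_TIMELIMIT. */
long close_time_periodic(long last_activity, long interval)
{
    long due = last_activity + IDLE_TIMELIMIT;
    return ((due + interval - 1) / interval) * interval;
}

int main(void)
{
    long last = 0, request = 2000;        /* constructed timeline */
    long lazy = close_time_lazy(last, request);
    long reap = close_time_periodic(last, 60);
    printf("lazy:     close at %ld s, firewall session alive: %d\n",
           lazy, firewall_session_alive(last, lazy));
    printf("periodic: close at %ld s, firewall session alive: %d\n",
           reap, firewall_session_alive(last, reap));
    return 0;
}
```

In this model the periodic check only helps while idle_timelimit plus the reaper interval stays below the firewall timeout; with an interval of 1000 seconds the close would again happen after the firewall has dropped the session.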