Source: nss-pam-ldapd
Version: 0.9.12-4
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]

Starting and stopping docker containers creates changes in network interfaces.
Having LDAP authorization enabled forces a refresh of LDAP data on every
container change, generating significant load in some cases.

Example log:

jan 28 11:30:10 monitoring systemd[1]: 
docker-99fc812e26d707617d0278991a8af6b17154733ab2f29ec41c29fe5bc31385be.scope: 
Deactivated successfully.
jan 28 11:30:10 monitoring networkd-dispatcher[3972039]:  * Sending network 
state change signal to nslcd...
jan 28 11:30:10 monitoring containerd[132665]: 
time="2026-01-28T11:30:10.753958661+02:00" level=info msg="shim disconnected" 
id=99fc812e26d707617d0278991a8af6b17154733ab2f29ec41c29fe5bc31385be 
namespace=moby
jan 28 11:30:10 monitoring containerd[132665]: 
time="2026-01-28T11:30:10.754068899+02:00" level=warning msg="cleaning up after 
shim disconnected" 
id=99fc812e26d707617d0278991a8af6b17154733ab2f29ec41c29fe5bc31385be 
namespace=moby
jan 28 11:30:10 monitoring containerd[132665]: 
time="2026-01-28T11:30:10.754097531+02:00" level=info msg="cleaning up dead 
shim" namespace=moby
jan 28 11:30:10 monitoring dockerd[132831]: 
time="2026-01-28T11:30:10.754044301+02:00" level=info msg="ignoring event" 
container=99fc812e26d707617d0278991a8af6b17154733ab2f29ec41c29fe5bc31385be 
module=libcontainerd namespace=moby topic=/tasks/delete 
type="*events.TaskDelete"
jan 28 11:30:10 monitoring networkd-dispatcher[3972039]:    ...done.
jan 28 11:30:10 monitoring nslcd[3938682]: caught signal SIGUSR1 (10), refresh 
retries

I want to propose a patch in a script: debian/nslcd.if-up

+ # ignore docker interfaces
+ case "$IFACE" in *docker*) exit 0;; esac

This would ensure that the refresh signal is not sent when docker interfaces
are changed.




-- System Information:
Debian Release: 12.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-37-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/nslcd.if-up b/debian/nslcd.if-up
index 512104b..8f19037 100644
--- a/debian/nslcd.if-up
+++ b/debian/nslcd.if-up
@@ -31,6 +31,9 @@ NSLCD_PIDFILE=$NSLCD_STATEDIR/nslcd.pid
 # ignore lo interface
 [ -n "$IFACE" ] && [ "$IFACE" = "lo" ] && exit 0
 
+# ignore docker interfaces
+case "$IFACE" in *docker*) exit 0;; esac
+
 # only do things when starting the interface
 [ -n "$MODE" ] && [ "$MODE" != "start" ] && exit 0
 
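Review bot: the `*docker*` glob in the added case statement is a substring match, so it skips any interface whose name merely contains "docker" and misses container-related interfaces that are named differently. The log above does not show which IFACE value triggered the SIGUSR1, so please confirm the interface names seen on the affected host before settling on the pattern; Docker's per-container veth* devices and br-* bridges for user-defined networks would not match it. If only the default bridge is meant, an anchored pattern such as `docker*) exit 0;;` is narrower. The log also shows networkd-dispatcher as the sender of the signal, so it is worth checking that this path runs debian/nslcd.if-up with IFACE set; otherwise the new check never fires there. A site-configurable list of ignored interface patterns would avoid hard-coding one container runtime in the script.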