Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Red Hat This forum is for the discussion of Red Hat Linux.


  Search this Thread
Old 12-02-2005, 04:06 AM   #1
LQ Newbie
Registered: Dec 2005
Posts: 1

Rep: Reputation: 0
CPU usage of Processes when authenticating against Ldap on Rehat Enterprise 4 with MP


we changed some Redhat Enterprise Multiprocessor Workstations to authenticate against Active Directory LDAP with OpenLDAP client (not samba with winbind).

Login works fine but we ran in strange problems.
Note: These problems don't appear with Redhat Enterprise 3 (Kernel 2.4) or with Enterprise 4 (Kernel 2.6) booted with Single Processor kernel, only kernel 2.6 Multiprocessor with ldap authenticated user (not local user).

When authenticated against ldap (console or graphic, no difference) and starting a program (process), some background processes which idled before grab the whole cpu time. These are not only processes of this user but also of other ldap authenticated users. System is running at it's limit then. When killing the initial process the system becomes reusable and processes idle again.
Running nscd service does not change behaviour.
We don't know if it's a kernel or a ldap problem or something else.

Anyone has a clue for this strange behaviour?



Last edited by VioletRain; 12-02-2005 at 04:15 AM.
Old 09-13-2007, 03:40 PM   #2
Registered: Sep 2003
Location: GMT -08:00
Distribution: Ubuntu, RHEL/CentOS, Fedora
Posts: 234

Rep: Reputation: 42

I am getting a similar problem with RHEL5. We have RHEL5 running with an x86_64 kernel on dual xeons (dual core, 4 cores total). Same kind of setup: pam_ldap and nss_ldap, not samba or winbind, with AD servers.

Basically, what happens is if I do some operation that requires the directory, I see nscd go up to 100% cpu and doesn't come down. Some queries return successfully, some return after several seconds, and some just hang also sitting at 100% cpu (on another core, I guess). I'm basically just trying "id <username>" for the handful of users for whom I've setup UNIX attributes in the domain.

Initially, I was seeing a ton of messages in syslog from selinux, but I still get the same behaviour after disabling selinux.

Any advice much appreciated.
Old 10-26-2007, 08:03 AM   #3
LQ Newbie
Registered: Oct 2007
Posts: 1

Rep: Reputation: 0
nscd hangs and takes 100% CPU

This appears to be a problem in all Red Hat builds and their descendants. Iíve reproduced this on RHEL5, CentOS5, FC6 and FC7. My ldap.conf is as follows:

timelimit 30
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
base dc=example,dc=com
binddn cn=<ACCOUNT>,cn=Users,dc=example,dc=com
bindpw <PASSWORD>
bind_policy soft
scope sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute LoginShell msSFU30LoginShell
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password md5
sasl_secprops maxssf=0
#uri ldap://
uri ldap:// ldap:// ldap:// ldap://

One interesting note is I donít see this behavior when I use just the uri of ldap://, but if I use a list of FQDN for my Active Directory domain controllers then I can reproduce the issue easily. It seems to be a problem with nss_ldap as sshd fails during the account phase of the login and also hangs taking up 100% of the CPU.
Old 01-17-2008, 08:35 AM   #4
LQ Newbie
Registered: Jan 2008
Posts: 1

Rep: Reputation: 0
Solutions - perhaps

The solution seems to be to add "referrals no" in the /etc/ldap.conf .
The problem is related to the entry of group: files, ldap in nsswitch.conf
Old 01-21-2008, 04:43 PM   #5
Registered: Sep 2003
Location: GMT -08:00
Distribution: Ubuntu, RHEL/CentOS, Fedora
Posts: 234

Rep: Reputation: 42
Originally Posted by heitbaum View Post
The solution seems to be to add "referrals no" in the /etc/ldap.conf .
The problem is related to the entry of group: files, ldap in nsswitch.conf

"referrals no" seems to solve this for me (RHEL 5, x86_64).


ldap, nssldap, rhel

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
mail server authenticating to ldap zachts Linux - Networking 1 09-27-2005 12:12 PM
LDAP, VSFTPD Not authenticating. dlublink Linux - Networking 3 01-19-2005 06:49 PM
rehat linux enterprise 2.1 dramous Linux - Newbie 5 10-05-2004 02:43 PM
how to determine cpu usage, memory usage, I/O usage by a particular user logged on li rags2k Programming 4 08-21-2004 04:45 AM
How can I capping the CPU usage of processes ideasman Linux - Software 0 04-01-2004 03:52 AM > Forums > Linux Forums > Linux - Distributions > Red Hat

All times are GMT -5. The time now is 10:10 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration