
OpenLDAP WTF


Since NIS has seen its heyday (in the early '90s), we switched to the highly secure LDAP+Kerberos setup. OpenLDAP is touted as the all-round “Solution” to all user account management, sorry, I meant to say account provisioning. After converting our NIS passwd file into thousands of LDIF files we imported them with the obvious three-liner

 
  # -c keeps going after a rejected entry; -y reads the password from a
  # file, because -W would prompt once per file, i.e. thousands of times
  for i in *.ldif; do
      ldapadd -v -c -H ldapi:/// -D "cn=admin,dc=our,dc=domain" \
          -y /root/ldap.pw -f "$i"
  done


After fiddling with half a dozen files in /etc, the client systems could look up user data on the LDAP server. Our test for that was

 
  getent passwd aknownuser
  getent passwd anotherknownuser

So it seemed plausible to create a list of all users by
	
  getent passwd | awk -F: '{print $1}' > allourusers

and install that as a list of valid recipients of e-mails.

This was a grave error, because one of the many, many default settings of OpenLDAP is to return at most 500 entries for any search (slapd's sizelimit). The server stops after entry number 500 with a sizeLimitExceeded result, the NSS module hands over what it got, and getent gives no hint that the answer was cut off. So the list was short by a few hundred accounts.

Considering that the NSS client asks for everything in one search and does not, unless explicitly configured to, use LDAP's only cursor (the Simple Paged Results control of RFC 2696) to ask for the next 500 entries, one can only ask

What the fsck were they thinking???
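The two fixes a practitioner would want after this, as an added example that is not from the original post: lift the size limit on the server for the NSS bind DN only, and make the NSS client page through results. The script assumes a DIT under dc=our,dc=domain with users in ou=People, slapd configured through cn=config with the user database at olcDatabase={1}mdb, and nslcd binding as cn=nss,dc=our,dc=domain (if your NSS client binds anonymously, use the `anonymous` selector in olcLimits instead of dn.exact). The live check also assumes `passwd: files ldap` with no overlap between /etc/passwd and the directory. All of these names are assumptions; none appear in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed names:
# DIT dc=our,dc=domain, users in ou=People, slapd cn=config with the
# user database at olcDatabase={1}mdb, nslcd binding as
# cn=nss,dc=our,dc=domain. Adjust to your own setup.

SIZELIMIT=500                       # slapd's default sizelimit

# Print the cn=config modification that lifts the size limit for the
# NSS bind DN only; everyone else keeps the default. Prints LDIF and
# changes nothing: pipe it into ldapmodify to apply it.
limits_ldif() {
    printf '%s\n' \
        'dn: olcDatabase={1}mdb,cn=config' \
        'changetype: modify' \
        'add: olcLimits' \
        'olcLimits: dn.exact="cn=nss,dc=our,dc=domain" size=unlimited'
}

# Print the nslcd.conf line that makes the client fetch results in pages
# (RFC 2696 Simple Paged Results) instead of stopping at the limit.
nslcd_paging_line() {
    printf 'pagesize %d\n' "$SIZELIMIT"
}

# A result set that is exactly as long as the limit almost certainly got
# truncated. Returns 0 when the count looks complete, 1 when it is
# suspicious.
count_looks_complete() {
    [ "$1" -ne "$SIZELIMIT" ]
}

# Live check against the real server. The paged search walks past the
# size limit, so its count is the truth; NSS's count minus /etc/passwd
# is what applications (and the mail recipient list) actually see.
verify_live() {
    ldap_n=$(ldapsearch -LLL -x -H ldapi:/// -b 'ou=People,dc=our,dc=domain' \
                 -E "pr=$SIZELIMIT/noprompt" '(objectClass=posixAccount)' uid \
             | grep -c '^uid:') || ldap_n=0
    nss_n=$(( $(getent passwd | wc -l) - $(wc -l < /etc/passwd) ))
    echo "LDAP (paged): $ldap_n   NSS: $nss_n"
    if [ "$nss_n" -lt "$ldap_n" ] || ! count_looks_complete "$nss_n"; then
        echo "NSS view is truncated; apply the following:" >&2
        limits_ldif >&2
        nslcd_paging_line >&2
        return 1
    fi
}

# Only talk to the network when asked: ./check.sh --live
if [ "${1:-}" = --live ]; then
    verify_live
fi
```

The server-side limit is scoped to the one DN that legitimately enumerates the directory, so an anonymous or compromised client still cannot dump everything in one query; the client-side `pagesize` makes nslcd survive the default limit on servers you do not control.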

Mon, 28 Nov 2011
[/osfail] permanent link