Hi,
Our TrueNAS is accessing the local LDAP server too much. I have looked at the PAM settings and it prioritises LDAP for every user search. We see that TrueNAS-13.0-U5.1 is making too many LDAP queries.
The strangest thing is that it even searches for local users and local groups in LDAP too.
Here are some fragments of the logs:
Code:
May 15, 2023 @ 17:02:46.953 +00:00 646265b6.38cd1dda 0x7f83ce74ab38 conn=112166 op=2 SRCH attr=objectClass cn ipServicePort ipServiceProtocol modifyTimestamp
May 15, 2023 @ 17:02:46.953 +00:00 646265b6.38d08aa7 0x7f83ce74ab38 conn=112166 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000026 etime=0.000367 nentries=0 text=
May 15, 2023 @ 17:02:46.953 +00:00 646265b6.38cc4112 0x7f83ce74ab38 conn=112166 op=2 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(cn=https)(objectClass=ipService))"

Mar 18, 2023 @ 13:59:46.662 +00:00 6415c3d2.27731c00 0x7fabe5d99b38 conn=1000 op=173595 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"
Mar 18, 2023 @ 13:59:46.662 +00:00 6415c3d2.27769235 0x7fabe5d99b38 conn=1000 op=173595 SEARCH RESULT tag=101 err=0 qtime=0.000022 etime=0.000268 nentries=0 text=
Mar 18, 2023 @ 13:59:46.661 +00:00 6415c3d2.2769bf98 0x7fabe3f93b38 conn=1000 op=173594 SEARCH RESULT tag=101 err=0 qtime=0.000024 etime=0.000239 nentries=0 text=
Mar 18, 2023 @ 13:59:46.661 +00:00 6415c3d2.27675a56 0x7fabe3f93b38 conn=1000 op=173594 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber
Mar 18, 2023 @ 13:59:46.661 +00:00 6415c3d2.2766c66f 0x7fabe3f93b38 conn=1000 op=173594 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
Mar 18, 2023 @ 13:59:46.660 +00:00 6415c3d2.275971c9 0x7fabe0387b38 conn=1000 op=173593 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber
Mar 18, 2023 @ 13:59:46.660 +00:00 6415c3d2.27585dec 0x7fabe0387b38 conn=1000 op=173593 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
Mar 18, 2023 @ 13:59:46.660 +00:00 6415c3d2.275d1ea5 0x7fabe0387b38 conn=1000 op=173593 SEARCH RESULT tag=101 err=0 qtime=0.000034 etime=0.000374 nentries=0 text=
Mar 18, 2023 @ 13:59:46.658 +00:00 6415c3d2.2739204f 0x7fabe218db38 conn=1000 op=173592 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
Mar 18, 2023 @ 13:59:46.658 +00:00 6415c3d2.273ac522 0x7fabe218db38 conn=1000 op=173592 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber
Mar 18, 2023 @ 13:59:46.658 +00:00 6415c3d2.273ff485 0x7fabe218db38 conn=1000 op=173592 SEARCH RESULT tag=101 err=0 qtime=0.000044 etime=0.000636 nentries=0 text=
Mar 18, 2023 @ 13:59:46.264 +00:00 6415c3d2.0fbf181e 0x7fabe7bffb38 conn=1000 op=173591 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"
Mar 18, 2023 @ 13:59:46.264 +00:00 6415c3d2.0fc0093d 0x7fabe7bffb38 conn=1000 op=173591 SRCH attr=member cn memberUid gidNumber

Apr 22, 2023 @ 13:57:00.935 +00:00 6443e7ac.37b650e0 0x7fabef9dab38 conn=1000 op=1341901 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=r))"
Apr 22, 2023 @ 13:57:00.935 +00:00 6443e7ac.37b76466 0x7fabef9dab38 conn=1000 op=1341901 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber
Apr 22, 2023 @ 13:57:00.935 +00:00 6443e7ac.37bd76f1 0x7fabef9dab38 conn=1000 op=1341901 SEARCH RESULT tag=101 err=0 qtime=0.000041 etime=0.000558 nentries=0 text=
Apr 22, 2023 @ 13:56:12.160 +00:00 6443e77c.0985a839 0x7fabe218db38 conn=1000 op=1341900 SEARCH RESULT tag=101 err=0 qtime=0.000034 etime=0.000341 nentries=0 text=
Apr 22, 2023 @ 13:56:12.159 +00:00 6443e77c.09822a83 0x7fabe218db38 conn=1000 op=1341900 SRCH attr=member cn memberUid gidNumber

If you pay attention to this log, TrueNAS is looking for a user with uid 1004, and this user is local and was created through the TrueNAS web interface.
Here is the PAM setting for sudo:
Code:
# PAM configuration for the "sudo" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass ignore_unknown_user ignore_authinfo_unavail no_warn minimum_uid=1000
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail no_warn minimum_uid=1000
account required pam_unix.so

# session
session required pam_permit.so

# password
password sufficient /usr/local/lib/pam_ldap.so use_authtok ignore_unknown_user ignore_authinfo_unavail no_warn minimum_uid=1000
password required pam_unix.so no_warn try_first_pass

We have LDAP integration configured:
We see LDAP queries for local users in the logs. Is there any way to fix it?
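
Added example, not part of the original post: a small Python script that pairs each `SRCH` line with its `SEARCH RESULT` by `conn`/`op` in the slapd log format quoted above and reports filters that are searched repeatedly yet never return an entry, which is the pattern local-account lookups produce. The sample lines are constructed from the post's excerpts (the `uid=alice` hit is invented), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: lines shaped like the post's log; the uid=alice entries are invented.
SAMPLE = '''
Mar 18, 2023 @ 13:59:46.661 +00:00 6415c3d2.2769bf98 0x7fabe3f93b38 conn=1000 op=173594 SEARCH RESULT tag=101 err=0 qtime=0.000024 etime=0.000239 nentries=0 text=
Mar 18, 2023 @ 13:59:46.661 +00:00 6415c3d2.27675a56 0x7fabe3f93b38 conn=1000 op=173594 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber
Mar 18, 2023 @ 13:59:46.661 +00:00 6415c3d2.2766c66f 0x7fabe3f93b38 conn=1000 op=173594 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
Mar 18, 2023 @ 13:59:46.660 +00:00 6415c3d2.27585dec 0x7fabe0387b38 conn=1000 op=173593 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
Mar 18, 2023 @ 13:59:46.660 +00:00 6415c3d2.275d1ea5 0x7fabe0387b38 conn=1000 op=173593 SEARCH RESULT tag=101 err=0 qtime=0.000034 etime=0.000374 nentries=0 text=
Mar 18, 2023 @ 13:59:46.264 +00:00 6415c3d2.0fbf181e 0x7fabe7bffb38 conn=1000 op=173591 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"
Mar 18, 2023 @ 13:59:46.265 +00:00 6415c3d2.0fc10000 0x7fabe7bffb38 conn=1000 op=173591 SEARCH RESULT tag=101 err=0 qtime=0.000020 etime=0.000300 nentries=0 text=
Mar 18, 2023 @ 13:59:45.100 +00:00 6415c3d1.00000001 0x7fabe7bffb38 conn=1000 op=173590 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Mar 18, 2023 @ 13:59:45.101 +00:00 6415c3d1.00000002 0x7fabe7bffb38 conn=1000 op=173590 SEARCH RESULT tag=101 err=0 qtime=0.000020 etime=0.000300 nentries=1 text=
'''

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" scope=\d+ deref=\d+ filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+)')

def summarize(lines):
    """Count searches and zero-entry results per filter, pairing lines by (conn, op)."""
    filters, results = {}, {}
    for line in lines:
        # Dict pairing tolerates any line order (the post's export is newest-first).
        if m := SRCH.search(line):
            filters[(m[1], m[2])] = m[3]
        elif m := RESULT.search(line):
            results[(m[1], m[2])] = int(m[3])
        # "SRCH attr=..." lines match neither pattern and are skipped.
    total, misses = Counter(), Counter()
    for key, flt in filters.items():
        total[flt] += 1
        if results.get(key) == 0:
            misses[flt] += 1
    return total, misses

def always_missing(lines, min_count=2):
    """Filters searched at least min_count times that returned no entry every time."""
    total, misses = summarize(lines)
    return sorted(f for f, n in total.items() if n >= min_count and misses[f] == n)

if __name__ == "__main__":
    for flt in always_missing(SAMPLE.splitlines()):
        print("repeated lookup with no LDAP entry:", flt)
```

Run against a full day of slapd logs, the output lists the names that are repeatedly sent to the directory without ever resolving there, which can then be checked against the accounts created locally on the NAS.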