RHEL5 100% CPU with LDAP client for Active Directory

ADS integration has been available natively since Windows 2003 R2, and in heterogeneous sites it has become the preferred method of integrating login information, with the added security of using Kerberos wherever possible.

The following guide is a very good one, and was the source of information I have used throughout my work integrating Linux into ADS. So far it has worked quite well for RHEL4.

RHEL5, on the other hand, is a different story. While it can work, and LDAP queries return sensible results, it is all too common for a process to utilize 100% CPU while doing absolutely nothing.

My research brought me to the following conclusions:

  • The high CPU utilization is caused by something RHEL5-specific (tested to work correctly on RHEL4).
  • The high CPU utilization is caused by the nss_ldap module.
  • Yes, it does happen to every NSS-related service. NSCD does not help, and gets to 100% CPU as well.
  • Tracing the nss_ldap module shows, after a very long time (if ever), that the session to the ADS server has somehow hung.

You can see an example of this bug in this specific bugzilla entry.

A quick and effective workaround was used after examining the differences between the configuration directives for RHEL4 and RHEL5. Forcing LDAP version 2 instead of 3 (which is the default for the RHEL5 LDAP client, as it attempts the highest version possible) results in correct behavior. The line in /etc/ldap.conf is:

ldap_version 2
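
As an added example (not part of the original post), the script below applies this workaround to an ldap.conf-style file idempotently and lists active directives that only work over LDAPv3, because StartTLS and SASL binds are unavailable once the client is pinned to version 2. The function names and the sample file are constructed for illustration; `ssl start_tls` and `use_sasl` are nss_ldap directives that the post itself does not mention.

```shell
#!/bin/sh
# Added example (not from the original post): pin nss_ldap to LDAPv2 in an
# ldap.conf-style file and list settings that cannot work over LDAPv2.

# Rewrite FILE so it holds exactly one active "ldap_version 2" line.
force_ldap_v2() {
    conf=$1; rc=0
    tmp=$(mktemp) || return 1
    # Drop every active ldap_version line; comments and other directives stay.
    awk 'tolower($1) != "ldap_version"' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'ldap_version 2\n' >> "$tmp"
    if ! cmp -s "$conf" "$tmp"; then
        [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig"   # one-time backup
        # Overwrite in place so mode, owner and SELinux label are preserved.
        cat "$tmp" > "$conf" || rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Print active directives that depend on LDAPv3: StartTLS is a v3 extended
# operation and SASL binds are v3-only. "ssl on" (ldaps://) is unaffected.
v3_dependent_directives() {
    awk 'tolower($1) == "ssl" && tolower($2) == "start_tls" { print; next }
         tolower($1) == "use_sasl" && tolower($2) == "on"    { print }' "$1"
}

# Constructed sample configuration (host and base DN are placeholders).
write_sample() {
    cat > "$1" <<'EOF'
uri ldap://dc1.example.com/
base dc=example,dc=com
#ldap_version 3
ldap_version 3
ssl start_tls
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/ldap.conf"
    force_ldap_v2 "$dir/ldap.conf"
    grep -i '^ldap_version' "$dir/ldap.conf"
    echo "needs LDAPv3: $(v3_dependent_directives "$dir/ldap.conf")"
    rm -rf "$dir"
}
demo
```

If the second function prints anything, those settings need a replacement such as `ssl on` with an ldaps:// URI before the version is pinned.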

FYI


3 Responses to “RHEL5 100% CPU with LDAP client for Active Directory”

  1. katriel Says:

    Great tip!
    I’ve also found that it works great with RHEL4, except for some little annoying option RH didn’t add to their RPM (configurable credential cache name), which gave me some grief with sudo and the CCACHE var not being passed on.

    +Katriel

  2. admin Says:

    It worked fine for me on RHEL4, although I did not try to use ‘sudo’. Can you describe the circumstances you are talking about?

  3. xian Says:

    I’ve been searching for a workaround for a few days. Thanks much!
