SCIENTIFIC-LINUX-USERS Archives

April 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jan Kundrát <[log in to unmask]>
Reply To: Jan Kundrát <[log in to unmask]>
Date: Fri, 11 Apr 2008 14:04:15 +0200
Content-Type: multipart/signed
Parts/Attachments: text/plain (2153 bytes) , smime.p7s (3516 bytes)

Hi list,
I'm having trouble with nss_ldap on our SLC4 box (set up to fetch
updates from 4x). It is fully updated, and the versions of the interesting
packages are these:

nscd-2.3.4-2.39
nss_ldap-226-20

My /etc/openldap/ldap.conf looks like this:

URI ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/ ldap://ldap1.farm.particle.cz/
BASE dc=farm,dc=particle,dc=cz
TLS_CACERT /etc/openldap/cesnet.pem
TLS_REQCERT demand
TIMELIMIT 5

/etc/ldap.conf:

base ou=People,dc=farm,dc=particle,dc=cz
timelimit 5
bind_timelimit 5
idle_timelimit 3600
pam_member_attribute gid
pam_password exop
nss_base_passwd ou=People,dc=farm,dc=particle,dc=cz?sub
nss_base_passwd ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
nss_base_shadow ou=People,dc=farm,dc=particle,dc=cz?sub
nss_base_shadow ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
nss_base_group  ou=Groups,dc=farm,dc=particle,dc=cz?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
tls_checkpeer yes
tls_cacertfile /etc/openldap/cesnet.pem
uri ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/ ldap://ldap1.farm.particle.cz/
ssl start_tls
pam_password md5

/etc/nsswitch.conf:

passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

These files are adapted from system-config-auth's output on a SL51 box.

When nscd breaks and I ssh into that box, I see the message about the
last login, but the connection is closed immediately. When I issue `id`
as root from an already-opened connection, it doesn't print anything
(and root is in /etc/passwd).

stracing nscd shows that it has too many open files, and I can see a
lot (about 1000) of sockets in /proc/$nscd_pid/fd/. Google suggests that
this is the result of a bug in either nscd or one of the libs it uses, in my
case obviously nss_ldap.

So, has anybody else seen such behavior? Any workarounds?

Cheers,
-jkt
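The diagnosis in the post (stracing nscd, then finding about 1000 sockets in /proc/$nscd_pid/fd/) can be scripted as a per-process descriptor count compared against the soft nofile limit, so the leak is caught before lookups start failing. This is an added example, not code from the original message or from nscd/nss_ldap; `check_pid`, `leak_report` and the sample listing are constructions, and the /proc/<pid>/limits lookup assumes a kernel newer than SLC4's (it falls back to the usual 1024 default otherwise).

```python
import os
import re
from collections import Counter

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")

# Constructed sample of readlink() results (test data, not a real listing):
SAMPLE_TARGETS = ["/var/log/nscd.log", "pipe:[4711]",
                  "socket:[1001]", "socket:[1002]", "socket:[1003]"]

def classify_fd_targets(targets):
    """Bucket readlink() results from /proc/<pid>/fd into socket vs other."""
    counts = Counter()
    for t in targets:
        counts["socket" if SOCKET_RE.match(t) else "other"] += 1
    return counts

def fd_targets(fd_dir):
    """Resolve every symlink in an fd directory (normally /proc/<pid>/fd)."""
    out = []
    for name in os.listdir(fd_dir):
        try:
            out.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            pass  # fd closed between listdir() and readlink(); skip it
    return out

def nofile_soft_limit(pid, default=1024):
    """Soft RLIMIT_NOFILE from /proc/<pid>/limits (kernel 2.6.24+); older
    kernels such as SLC4's lack that file, so fall back to default."""
    try:
        with open(f"/proc/{pid}/limits") as f:
            for line in f:
                if line.startswith("Max open files"):
                    return int(line.split()[3])
    except OSError:
        pass
    return default

def leak_report(targets, soft_limit, warn_ratio=0.8):
    """Return (per-type counts, total, near_limit) for one fd snapshot."""
    counts = classify_fd_targets(targets)
    total = sum(counts.values())
    return counts, total, total >= warn_ratio * soft_limit

def check_pid(pid, warn_ratio=0.8):
    """Live check of one running process, e.g. check_pid(nscd_pid)."""
    return leak_report(fd_targets(f"/proc/{pid}/fd"),
                       nofile_soft_limit(pid), warn_ratio)
```

Run `check_pid` from cron against the nscd pid and alert when the third element of the tuple turns true; a socket count that climbs steadily while the other bucket stays flat is the signature of the leak described here.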

