Hi list,
I'm having trouble with nss_ldap on our SLC4 box (set up to fetch
updates from 4x). It is fully updated and the versions of the interesting
packages are these:
nscd-2.3.4-2.39
nss_ldap-226-20
My /etc/openldap/ldap.conf looks like this:
URI ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/ ldap://ldap1.farm.particle.cz/
BASE dc=farm,dc=particle,dc=cz
TLS_CACERT /etc/openldap/cesnet.pem
TLS_REQCERT demand
TIMELIMIT 5
/etc/ldap.conf:
base ou=People,dc=farm,dc=particle,dc=cz
timelimit 5
bind_timelimit 5
idle_timelimit 3600
pam_member_attribute gid
pam_password exop
nss_base_passwd ou=People,dc=farm,dc=particle,dc=cz?sub
nss_base_passwd ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
nss_base_shadow ou=People,dc=farm,dc=particle,dc=cz?sub
nss_base_shadow ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
nss_base_group ou=Groups,dc=farm,dc=particle,dc=cz?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
tls_checkpeer yes
tls_cacertfile /etc/openldap/cesnet.pem
uri ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/ ldap://ldap1.farm.particle.cz/
ssl start_tls
pam_password md5
/etc/nsswitch.conf:
passwd: files ldap
shadow: files
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
These files are adapted from system-config-auth's output on a SL51 box.
When nscd breaks and I then ssh into that box, I see the message about
the last login, but the connection is closed immediately. When I issue `id`
as root from an already-open connection, it doesn't print anything
(and root is in /etc/passwd).
stracing nscd shows that it has too many open files, and I can see a
lot (about 1000) of sockets in /proc/$nscd_pid/fd/. Google suggests that
this is a result of a bug in either nscd or one of the libs it uses, in my
case obviously nss_ldap.
So, has anybody else seen such behavior? Any workarounds?
Cheers,
-jkt
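The symptom described above (nscd running out of descriptors, with hundreds of sockets under /proc/PID/fd) is something you can watch for before logins start failing. The script below is an added example, not part of the original post or of the nscd/nss_ldap packages: it counts a process's open descriptors and socket descriptors, reads its soft "Max open files" limit from /proc/PID/limits, and flags the process once usage crosses a threshold. It assumes a Linux /proc filesystem; the daemon name (nscd) and the 80% threshold are defaults chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): watch a daemon's open file
# descriptors and warn before it hits its "Max open files" limit.
# Assumes a Linux /proc filesystem. Run as root (or as the daemon's user)
# to read another process's /proc/PID/fd.

# Number of open descriptors for a PID (entries under /proc/PID/fd).
count_fds() {
    n=0
    for fd in /proc/"$1"/fd/*; do
        [ -L "$fd" ] || [ -e "$fd" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Number of those descriptors that are sockets (what piles up when an
# LDAP client library leaks connections).
count_sockets() {
    n=0
    for fd in /proc/"$1"/fd/*; do
        [ -L "$fd" ] || continue
        case "$(readlink "$fd")" in
            socket:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Soft limit on open files for a PID, from /proc/PID/limits
# (column 4 of the "Max open files" line; column 5 is the hard limit).
fd_limit() {
    awk '/^Max open files/ { print $4 }' /proc/"$1"/limits
}

# Integer percentage of the limit in use; 0 when the limit is unknown.
fd_usage_pct() {
    used=$1; limit=$2
    [ "$limit" -gt 0 ] 2>/dev/null || { echo 0; return 0; }
    echo $((used * 100 / limit))
}

# Report one process; return non-zero when usage is at or above the threshold.
check_process() {
    pid=$1; threshold=${2:-80}
    used=$(count_fds "$pid")
    socks=$(count_sockets "$pid")
    limit=$(fd_limit "$pid")
    pct=$(fd_usage_pct "$used" "$limit")
    printf 'pid=%s fds=%s sockets=%s limit=%s usage=%s%%\n' \
        "$pid" "$used" "$socks" "$limit" "$pct"
    [ "$pct" -lt "$threshold" ]
}

# Usage: ./fdwatch.sh [daemon-name] [threshold-percent]
# Defaults: daemon "nscd", threshold 80 (both assumptions of this example).
main() {
    name=${1:-nscd}; threshold=${2:-80}
    for pid in $(pidof "$name" 2>/dev/null); do
        check_process "$pid" "$threshold" \
            || echo "WARNING: $name (pid $pid) is near its open-file limit"
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from cron or a monitoring agent with `nscd 80` as arguments; a steadily rising socket count against a flat fd limit is the pattern to alert on, well before `id` and ssh logins start failing. A process's own descriptor table is readable only by the same user or root, so point the script at nscd with sufficient privilege.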