There seem to be LDAP-related bugs in nss_ldap & the nscd daemon in the
release of redhat 4.6. See redhat bugzilla #404751, #434842, #221199, etc.
The quick fix is to use the previous version of nss_ldap
(nss_ldap-226-18). My guess is that the long default timeout values
cause logins to fail. I disabled the nscd service and reduced the
timelimit values in the ldap.conf settings.
> Hi list,
> I'm having troubles with nss_ldap on our SLC4 box (set up to fetch
> updates from 4x). It is fully updated and versions of interesting
> packages are these:
>
> nscd-2.3.4-2.39
> nss_ldap-226-20
>
> My /etc/openldap/ldap.conf looks like this:
>
> URI ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/
> ldap://ldap1.farm.particle.cz/ # this is one line
> BASE dc=farm,dc=particle,dc=cz
> TLS_CACERT /etc/openldap/cesnet.pem
> TLS_REQCERT demand
> TIMELIMIT 5
>
> /etc/ldap.conf:
>
> base ou=People,dc=farm,dc=particle,dc=cz
> timelimit 5
> bind_timelimit 5
> idle_timelimit 3600
> pam_member_attribute gid
> pam_password exop
> nss_base_passwd ou=People,dc=farm,dc=particle,dc=cz?sub
> nss_base_passwd ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
> nss_base_shadow ou=People,dc=farm,dc=particle,dc=cz?sub
> nss_base_shadow ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
> nss_base_group ou=Groups,dc=farm,dc=particle,dc=cz?sub
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
> # nss_initgroups_ignoreusers and root,... is on one line
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cesnet.pem
> uri ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/
> ldap://ldap1.farm.particle.cz/ # one line again
> ssl start_tls
> pam_password md5
>
>
> /etc/nsswitch.conf:
>
> passwd: files ldap
> shadow: files
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: files
> publickey: nisplus
> automount: files
> aliases: files nisplus
>
> These files are adapted from system-config-auth's output on a SL51 box.
>
> When nscd breaks, then after ssh into that box, I see the message about
> last login, but the connection is closed immediately. When I issue `id`
> as root from an already-opened connection, it doesn't print anything
> (and root is in /etc/passwd).
>
> stracing nscd shows that it has too many open files and I can see a
> lot (about 1000) sockets in /proc/$nscd_pid/fd/. Google suggests that
> this is a result of a bug in either nscd or any of the libs it uses, in my
> case obviously nss_ldap.
>
> So, has anybody else seen such behavior? Any workarounds?
>
> Cheers,
> -jkt
--
Chris Hunter
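A defender-side check for the symptom described in the quoted message (nscd hitting "too many open files" with hundreds of socket fds under /proc/$nscd_pid/fd/), added here as an example; it is not code from either poster. It assumes a Linux /proc filesystem, and the fd link targets in SAMPLE_TARGETS are constructed for the demo; run it as `python3 fdcheck.py $(pidof nscd)` to see how close the daemon is to its soft fd limit before logins start failing.

```python
import os
import re
import sys

# Link targets under /proc/<pid>/fd look like "socket:[12345]" for sockets.
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")

# Constructed sample of readlink() results, standing in for a real fd directory.
SAMPLE_TARGETS = ["socket:[100]", "socket:[101]", "/etc/ldap.conf",
                  "pipe:[55]", "socket:[102]"]

def count_sockets(targets):
    """Number of fd link targets that are sockets (the leaking kind here)."""
    return sum(1 for t in targets if SOCKET_RE.match(t))

def fd_targets(pid):
    """readlink() every entry of /proc/<pid>/fd; needs permission on that pid."""
    fd_dir = f"/proc/{pid}/fd"
    out = []
    for name in os.listdir(fd_dir):
        try:
            out.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue  # fd closed between listdir() and readlink()
    return out

def soft_fd_limit(pid):
    """Soft 'Max open files' from /proc/<pid>/limits, or None if unlimited."""
    with open(f"/proc/{pid}/limits") as f:
        for line in f:
            if line.startswith("Max open files"):
                soft = line.split()[3]  # columns: Max open files <soft> <hard> files
                return None if soft == "unlimited" else int(soft)
    return None

def assess(total_fds, limit, threshold=0.8):
    """'critical' at the limit, 'warn' above threshold*limit, else 'ok'."""
    if limit is None:
        return "ok"
    if total_fds >= limit:
        return "critical"
    return "warn" if total_fds >= threshold * limit else "ok"

def check_process(pid=None, threshold=0.8):
    """Summarise fd usage of pid (default: this process) for alerting."""
    pid = os.getpid() if pid is None else pid
    targets = fd_targets(pid)
    limit = soft_fd_limit(pid)
    return {"pid": pid, "fds": len(targets), "sockets": count_sockets(targets),
            "limit": limit, "state": assess(len(targets), limit, threshold)}

if __name__ == "__main__":
    print("sample sockets:", count_sockets(SAMPLE_TARGETS))
    print(check_process(int(sys.argv[1]) if len(sys.argv) > 1 else None))
```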