SCIENTIFIC-LINUX-USERS Archives

April 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Christopher Hunter <[log in to unmask]>
Reply To: Christopher Hunter <[log in to unmask]>
Date: Sat, 12 Apr 2008 12:30:25 -0400
Content-Type: text/plain

There seem to be ldap-related bugs in nss_ldap & the nscd daemon in the
release of redhat 4.6. See redhat bugzilla #404751, #434842, #221199, etc.

The quick fix is to use the previous version of nss_ldap
(nss_ldap-226-18). My guess is that the long default timeout values
cause logins to fail. I disabled the nscd service and reduced the
timelimit values in the ldap.conf settings.


> Hi list,
> I'm having troubles with nss_ldap on our SLC4 box (set up to fetch
> updates from 4x). It is fully updated and versions of interesting
> packages are these:
> 
> nscd-2.3.4-2.39
> nss_ldap-226-20
> 
> My /etc/openldap/ldap.conf looks like this:
> 
> URI ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/
> ldap://ldap1.farm.particle.cz/ # this is one line
> BASE dc=farm,dc=particle,dc=cz
> TLS_CACERT /etc/openldap/cesnet.pem
> TLS_REQCERT demand
> TIMELIMIT 5
> 
> /etc/ldap.conf:
> 
> base ou=People,dc=farm,dc=particle,dc=cz
> timelimit 5
> bind_timelimit 5
> idle_timelimit 3600
> pam_member_attribute gid
> pam_password exop
> nss_base_passwd ou=People,dc=farm,dc=particle,dc=cz?sub
> nss_base_passwd ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
> nss_base_shadow ou=People,dc=farm,dc=particle,dc=cz?sub
> nss_base_shadow ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
> nss_base_group  ou=Groups,dc=farm,dc=particle,dc=cz?sub
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
> # nss_initgroups_ignoreusers and root,... is on one line
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cesnet.pem
> uri ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/
> ldap://ldap1.farm.particle.cz/ # one line again
> ssl start_tls
> pam_password md5
> 
> 
> /etc/nsswitch.conf:
> 
> passwd:     files ldap
> shadow:     files
> group:      files ldap
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
> 
> These files are adapted from system-config-auth's output on a SL51 box.
> 
> When nscd breaks, then after ssh into that box, I see the message about
> last login, but the connection is closed immediately. When I issue `id`
> as root from an already-opened connection, it doesn't print anything
> (and root is in /etc/passwd).
> 
> stracing the nscd shows that it has too many open files and I can see a
> lot (about 1000) sockets in /proc/$nscd_pid/fd/. Google suggests that
> this is a result of a bug in either nscd or any of the libs it uses, in my
> case obviously nss_ldap.
> 
> So, has anybody else seen such a behavior? Any workarounds?
> 
> Cheers,
> -jkt

-- 
Chris Hunter
[log in to unmask]
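As an added example, not part of this thread and not written by either poster, here is a small POSIX shell check for the failure mode jkt describes: an nscd that has leaked so many sockets under /proc/<pid>/fd that it hits its open-file limit and lookups (and therefore logins) start failing. It counts descriptors and socket descriptors for a pid, reads the soft "Max open files" limit from /proc/<pid>/limits, and returns non-zero when usage crosses a threshold, so it can be wired into cron or a monitoring hook and catch the leak before users are locked out. It assumes a Linux /proc filesystem; the `pidof nscd` lookup in the usage comment and the 90% default threshold are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: watch an nscd process for descriptor
# exhaustion (hundreds of leaked sockets under /proc/<pid>/fd). Assumes a
# Linux /proc filesystem; the pidof-based nscd lookup is an assumption.

# Count every entry in a /proc/<pid>/fd-style directory.
count_open_fds() {
    n=0
    for fd in "$1"/*; do
        { [ -e "$fd" ] || [ -L "$fd" ]; } || continue   # skip an unmatched glob
        n=$((n + 1))
    done
    echo "$n"
}

# Count only the entries whose link target is a socket ("socket:[inode]").
count_socket_fds() {
    n=0
    for fd in "$1"/*; do
        { [ -e "$fd" ] || [ -L "$fd" ]; } || continue
        case "$(readlink "$fd" 2>/dev/null)" in
            socket:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Read the soft "Max open files" limit from /proc/<pid>/limits text on stdin
# (columns: "Max open files  <soft>  <hard>  files").
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }'
}

# Report open/socket descriptor counts against the soft limit and return
# non-zero when usage is at or above THRESHOLD percent (default 90).
check_fd_pressure() {
    pid="$1"
    threshold="${2:-90}"
    [ -d "/proc/$pid/fd" ] || { echo "no such process: $pid" >&2; return 2; }
    used=$(count_open_fds "/proc/$pid/fd")
    sockets=$(count_socket_fds "/proc/$pid/fd")
    limit=$(soft_nofile_limit < "/proc/$pid/limits")
    case "$limit" in
        ''|*[!0-9]*)   # "unlimited" or unreadable: report but do not alarm
            echo "pid=$pid open_fds=$used sockets=$sockets soft_limit=$limit"
            return 0 ;;
    esac
    pct=$((used * 100 / limit))
    echo "pid=$pid open_fds=$used sockets=$sockets soft_limit=$limit usage=${pct}%"
    [ "$pct" -lt "$threshold" ]
}

# Typical use from cron or a monitoring hook (pidof lookup is an assumption):
#   pid=$(pidof nscd) && check_fd_pressure "$pid" || logger "nscd fd pressure"
```

A high socket count relative to total descriptors is the tell-tale of this particular leak (ordinary nscd use opens a handful of sockets to the LDAP servers, not hundreds), so the socket count is reported separately from the total; the threshold comparison uses the soft limit because that is the one the process actually hits.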
