Re: nslcd errors talking to IPVS cluster of LDAP servers
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: nslcd errors talking to IPVS cluster of LDAP servers
- From: Ken Gaillot <kjgaillo [at] gleim.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: nslcd errors talking to IPVS cluster of LDAP servers
- Date: Fri, 08 Oct 2010 10:39:09 -0400
Arthur de Jong wrote:
On Thu, 2010-10-07 at 11:02 -0400, Ken Gaillot wrote:
Our shop runs a bunch of Debian lenny servers, some with LDAP-based
shell access using the libnss-ldap package. We decided to give
libnss-ldapd a try on a new server. We ran into problems with our LDAP
setup.
Which version of nslcd are you using? The one in lenny is 0.6.7. Version
0.7.4 saw some changes to connection error handling and 0.7.10 has some
more fixes that should handle some networking problems better.
Also, the development version has taken out the disabling of TCP
keepalives (which was part of the nss_ldap legacy code). This could be
the reason the connection times out in the first place.
Are you able to test any newer versions? I can provide a backport
version for lenny if you like.
Yes, we're using the stock lenny version, 0.6.7. I'd be willing to try a
backport.
Can you provide some more debugging info for when this happens? You can
run nslcd with the -d option which causes debugging info to be sent to
stderr.
I turned off nscd and ran "nslcd -d" configured with the LDAP cluster
IP, and strangely enough, I don't see errors. I've turned nscd back on
to see whether that makes a difference. Here is an example of what I do
see in the nslcd debugging output:
nslcd: [e8944a] DEBUG: connection from pid=17320 uid=0 gid=107
nslcd: [e8944a] DEBUG: nslcd_group_bymember(postfix)
nslcd: [e8944a] DEBUG: myldap_search(base="cn=Accounts,dc=gleim,dc=com",
filter="(&(objectClass=posixAccount)(uid=postfix))")
nslcd: [e8944a] DEBUG: ldap_result(): end of results
nslcd: [e8944a] DEBUG:
myldap_search(base="ou=groups,dc=adonis,dc=shells,dc=gleim,dc=com",
filter="(&(objectClass=posixGroup)(memberUid=postfix))")
nslcd: [e8944a] DEBUG: ldap_result(): end of results
These appear to be routine successful messages.
Perhaps I should mention that I do see this at startup:
nslcd: /etc/nss-ldapd.conf:12: option tls_checkpeer is currently
untested (please report any successes)
nslcd: /etc/nss-ldapd.conf:13: option tls_cacertfile is currently
untested (please report any successes)
I didn't think that was a problem because some connections do succeed;
only reconnects fail. All of my real LDAP servers use the same SSL
certificate (a wildcard for our internal domain).
Thanks for reporting this.
Thank you for your efforts supporting open software. They are much
appreciated.
-- Ken Gaillot <kjgaillo@gleim.com>
Network Operations Center, Gleim Publications
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
