Re: nslcd errors talking to IPVS cluster of LDAP servers

On Mon, 2010-10-18 at 14:26 -0400, Ken Gaillot wrote:
> After turning off nscd, the error messages initially went away but 
> returned after a few days. I turned nslcd debugging output back on 
> (leaving nscd off); here's an example:
> nslcd: [55bac3] DEBUG: connection from pid=21724 uid=0 gid=0
> nslcd: [55bac3] DEBUG: nslcd_group_bymember(kjgaillo)
> nslcd: [55bac3] DEBUG: myldap_search(base="cn=Accounts,dc=gleim,dc=com", 
> filter="(&(objectClass=posixAccount)(uid=kjgaillo))")
> nslcd: [55bac3] ldap_result() failed: Can't contact LDAP server
> nslcd: [55bac3] ldap_abandon() failed to abandon search: Other (e.g., 
> implementation specific) error
> nslcd: [55bac3] DEBUG: myldap_get_entry(): retry search
> nslcd: [55bac3] DEBUG: simple anonymous bind to ldap://
> nslcd: [55bac3] connected to LDAP server ldap://
> nslcd: [55bac3] DEBUG: 
> myldap_search(base="ou=groups,dc=adonis,dc=shells,dc=gleim,dc=com", 
> filter="(&(objectClass=posixGroup)(|(memberUid=kjgaillo)(uniqueMember=uid=kjgaillo,cn=Accounts,dc=gleim,dc=com)))")
> nslcd: [55bac3] DEBUG: ldap_result(): end of results

What happens here is that a request failed to connect to the LDAP server
(the above can happen when the network connection is severed, which is
only detected when we are trying to get answers). The old search was
abandoned and a new search was started instead. The above should have
returned proper results to the NSS module (a bit slower than usual
perhaps though).

> It does seem that the reconnect always succeeds now, and I haven't seen 
> my original symptom (osiris reporting LDAP user accounts disappearing), 
> so perhaps this is a lesser issue when nscd is off.

There have been several people who have reported issues with using nscd.
I have not been able to reproduce any of these issues myself so it is
very hard to track down let alone fix.

You can run without nscd. The number of requests on the LDAP server will
rise somewhat but the heavy queries (get all users, etc) were always
going the LDAP server anyway (nscd doesn't cache those).

Anyway, attached are binaries of nss-pam-ldapd 0.7.11 built for
lenny/i386. I'm not sure the libpam-ldapd package will work because I
think you need a newer libpam-runtime than is available in lenny. I can
also make a newer development snapshot available but they are
unreleased currently and have not yet been tested very thoroughly.

Thanks for reporting this.

-- arthur - - --
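The log above shows the pattern Arthur describes: a request loses its LDAP connection, the search is retried on a fresh connection, and results still come back. When hunting the "accounts disappearing" symptom it helps to separate that benign recovery from a request that never got an answer. The script below is an added example, not part of this thread or of nss-pam-ldapd: it groups nslcd debug lines by request id and labels each request "ok", "recovered" or "failed". The first request in the sample is reconstructed from the lines quoted above; the second and third request ids and their lines are constructed for the example, and the marker strings are taken from the quoted log.

```python
"""Classify nslcd request outcomes from its debug log.

Added example, not code from nss-pam-ldapd. It reads lines in the
"nslcd: [reqid] message" form shown in the thread and reports, per
request id, whether the lookup ran cleanly, lost the LDAP connection
and recovered by retrying, or lost it and never produced results.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^nslcd: \[(?P<req>[0-9a-f]+)\] (?P<msg>.*)$")

# Marker strings copied from the nslcd log lines quoted in the thread.
FAILED = "ldap_result() failed:"
RETRY = "myldap_get_entry(): retry search"
RECONNECTED = "connected to LDAP server"
END = "ldap_result(): end of results"


def parse_events(lines):
    """Return an ordered mapping: request id -> list of messages.

    Lines without the "nslcd: [id]" prefix are treated as mail-client
    wraps of the previous message (as in the quoted log) and appended to it.
    """
    events = OrderedDict()
    last = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            last = m.group("req")
            events.setdefault(last, []).append(m.group("msg"))
        elif last is not None:
            events[last][-1] += " " + line
    return events


def classify(msgs):
    """Classify one request's messages as 'ok', 'recovered' or 'failed'.

    'recovered' means: a failed ldap_result() was followed by a retry,
    a successful reconnect and an end-of-results marker, i.e. the NSS
    caller still got an answer.
    """
    failed_at = next((i for i, m in enumerate(msgs) if m.startswith(FAILED)), None)
    if failed_at is None:
        return "ok"
    after = msgs[failed_at + 1:]
    retried = any(RETRY in m for m in after)
    reconnected = any(RECONNECTED in m for m in after)
    completed = any(END in m for m in after)
    if retried and reconnected and completed:
        return "recovered"
    return "failed"


def summarize(lines):
    """Map each request id in the log to its outcome."""
    return {req: classify(msgs) for req, msgs in parse_events(lines).items()}


# Constructed sample: request 55bac3 is the one quoted in the thread;
# 7a1f02 (loses the connection and never completes) and c0ffee (clean
# lookup) are made up for this example.
SAMPLE_LOG = """\
nslcd: [55bac3] DEBUG: connection from pid=21724 uid=0 gid=0
nslcd: [55bac3] DEBUG: nslcd_group_bymember(kjgaillo)
nslcd: [55bac3] DEBUG: myldap_search(base="cn=Accounts,dc=gleim,dc=com",
filter="(&(objectClass=posixAccount)(uid=kjgaillo))")
nslcd: [55bac3] ldap_result() failed: Can't contact LDAP server
nslcd: [55bac3] ldap_abandon() failed to abandon search: Other (e.g.,
implementation specific) error
nslcd: [55bac3] DEBUG: myldap_get_entry(): retry search
nslcd: [55bac3] DEBUG: simple anonymous bind to ldap://
nslcd: [55bac3] connected to LDAP server ldap://
nslcd: [55bac3] DEBUG: ldap_result(): end of results
nslcd: [7a1f02] DEBUG: connection from pid=21790 uid=0 gid=0
nslcd: [7a1f02] DEBUG: nslcd_passwd_byname(kjgaillo)
nslcd: [7a1f02] ldap_result() failed: Can't contact LDAP server
nslcd: [7a1f02] DEBUG: myldap_get_entry(): retry search
nslcd: [c0ffee] DEBUG: connection from pid=21800 uid=0 gid=0
nslcd: [c0ffee] DEBUG: nslcd_passwd_byname(kjgaillo)
nslcd: [c0ffee] DEBUG: ldap_result(): end of results
"""

if __name__ == "__main__":
    for req, outcome in summarize(SAMPLE_LOG.splitlines()).items():
        print(req, outcome)
```

Only the "failed" bucket is a lookup the NSS module never got an answer for; those are the requests worth correlating with a monitor such as osiris reporting LDAP accounts missing, while "recovered" requests are the slower-but-correct case described in the reply.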

