Re: Syslog states ldap_result() failed: Can't contact LDAP server

On Tue, 2011-03-29 at 11:17 +0000, Teichert, Robert wrote:
> in Ubuntu Natty there are the most recent versions of the packages. I 
> installed them:
> 
> dpkg -l | grep -e nslcd -e libpam-ldapd -e libnss-ldapd
> ii  libnss-ldapd  0.7.13  NSS module for using LDAP as a naming service
> ii  libpam-ldapd  0.7.13  PAM module for using LDAP as an authentication 
> service
> ii  nslcd         0.7.13  Daemon for NSS and PAM lookups using LDAP
> 
> But there is no improvement.

Thanks for the followup.

> Again a new debug output with the new version:
[...]
> nslcd: [495cff] DEBUG: connection from pid=24658 uid=0 gid=0
> nslcd: [495cff] DEBUG: nslcd_group_bymember(teichert)
> nslcd: [495cff] DEBUG: myldap_search(base="o=mydomain,c=de", 
> filter="(&(objectClass=uv-posixAccount)(uv-userName=teichert))")
> nslcd: [495cff] ldap_result() failed: Can't contact LDAP server
> nslcd: [495cff] DEBUG: ldap_abandon()
> nslcd: [495cff] ldap_abandon() failed to abandon search: Other (e.g., 
> implementation specific) error
> nslcd: [495cff] DEBUG: ldap_unbind()
> nslcd: [495cff] DEBUG: myldap_get_entry(): retry search
> nslcd: [495cff] DEBUG: ldap_initialize(ldaps://ldap)
> nslcd: [495cff] DEBUG: ldap_set_rebind_proc()
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
> nslcd: [495cff] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
> nslcd: [495cff] DEBUG: myldap_search(base="o=mydomain,c=de", 
> filter="(&(objectClass=uv-posixGroup)(|(memberUid=teichert)(uniqueMember=cn=teichert,cn=users,cn=accounts,cn=linux,o=mydomain,c=de)))")
> nslcd: [495cff] DEBUG: ldap_result(): end of results

It would seem that the LDAP server has closed the connection. You could
add more -d options to nslcd to get more debugging information from the
LDAP library (more -d's is more debug info) but it provides a lot of
details. The underlying cause for the ldap_result() failure would be
interesting though.

> The time between the 3 queries was about 10-30 seconds.

Can you try using the idle_timelimit nslcd.conf option to see if that
fixes it? (set it to a couple of seconds for testing)

> correct, this group contains 1134 members. Is that a problem?

It shouldn't be a problem. It is just that these kinds of groups take up
a lot of memory, and if a buffer fills up the request has to be retried.
It slows things down a bit, that's all.

> I still don't see a "real" problem, resulting in "I can't login" or "I
> don't get any results from my LDAP server". There are just these
> strange messages in syslog. In my tests I have no problem getting the
> LDAP result. But I'm a little afraid to use that setup in a production
> environment with the risk of some 1000 users not being able to login.
> Can you evaluate if there will be a problem? And if "probably no", is
> there a way to have nslcd less verbose in syslog?

You should always test thoroughly when rolling something out to 1000
users. That being said, from what I can see now, this only slows
down some queries and is mostly a performance and annoying logging
issue.

There is no easy way to filter these kinds of messages from within nslcd.
You could see if the idle_timelimit option avoids these issues, but since
you're using SSL keeping the connection open would be nice (it saves the
overhead of doing the SSL handshake over and over again).

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users