Re: Syslog states ldap_result() failed: Can't contact LDAP server
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: "Teichert, Robert" <Robert.Teichert [at] universa.de>
- Cc: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Syslog states ldap_result() failed: Can't contact LDAP server
- Date: Tue, 29 Mar 2011 23:22:07 +0200
On Tue, 2011-03-29 at 11:17 +0000, Teichert, Robert wrote:
> in Ubuntu Natty there are the most recent versions of the packages. I
> installed them:
>
> dpkg -l | grep -e nslcd -e libpam-ldapd -e libnss-ldapd
> ii libnss-ldapd 0.7.13 NSS module for using LDAP as a naming service
> ii libpam-ldapd 0.7.13 PAM module for using LDAP as an authentication
> service
> ii nslcd 0.7.13 Daemon for NSS and PAM lookups using LDAP
>
> But there is no improvement.
Thanks for the followup.
> Again a new debug output with the new version:
[...]
> nslcd: [495cff] DEBUG: connection from pid=24658 uid=0 gid=0
> nslcd: [495cff] DEBUG: nslcd_group_bymember(teichert)
> nslcd: [495cff] DEBUG: myldap_search(base="o=mydomain,c=de",
> filter="(&(objectClass=uv-posixAccount)(uv-userName=teichert))")
> nslcd: [495cff] ldap_result() failed: Can't contact LDAP server
> nslcd: [495cff] DEBUG: ldap_abandon()
> nslcd: [495cff] ldap_abandon() failed to abandon search: Other (e.g.,
> implementation specific) error
> nslcd: [495cff] DEBUG: ldap_unbind()
> nslcd: [495cff] DEBUG: myldap_get_entry(): retry search
> nslcd: [495cff] DEBUG: ldap_initialize(ldaps://ldap)
> nslcd: [495cff] DEBUG: ldap_set_rebind_proc()
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
> nslcd: [495cff] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap")
> nslcd: [495cff] DEBUG: myldap_search(base="o=mydomain,c=de",
> filter="(&(objectClass=uv-posixGroup)(|(memberUid=teichert)(uniqueMember=cn=teichert,cn=users,cn=accounts,cn=linux,o=mydomain,c=de)))")
> nslcd: [495cff] DEBUG: ldap_result(): end of results
It would seem that the LDAP server has closed the connection. You could
add more -d options to nslcd to get more debugging information from the
LDAP library (more -d's is more debug info) but it provides a lot of
details. The underlying cause for the ldap_result() failure would be
interesting though.
> The time between the 3 queries was about 10-30 seconds.
Can you try using the idle_timelimit nslcd.conf option to see if that
fixes it? (set it to a couple of seconds for testing)
> correct, this group contains 1134 members. Is that a problem?
It shouldn't be a problem. It is just that these kinds of groups take up
a lot of memory and if a buffer fills up the request has to be retried.
It slows things down a bit, that's all.
> I still don't see a "real" problem, resulting in "I can't log in" or "I
> don't get any results from my LDAP server". There are just these
> strange messages in syslog. In my tests I have no problem getting the
> LDAP result. But I'm a little afraid to use that setup in a production
> environment with the risk of some 1000 users not being able to log in.
> Can you evaluate if there will be a problem? And if "probably no", is
> there a way to have nslcd less verbose in syslog?
You should always test thoroughly when rolling something out to 1000
users. That being said, from what I can see now this only slows
down some queries and is mostly a performance and annoying logging
issue.
There is no easy way to filter these kinds of messages from within nslcd.
You could see if the idle_timelimit option avoids these issues, but since
you're using SSL keeping the connection open would be nice (it saves the
overhead of doing the SSL handshake over and over again).
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
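To check the question raised in this thread (do these syslog messages hide real lookup failures, or are they transient reconnects?), here is an added example, not from the thread or from nss-pam-ldapd itself, that scans nslcd debug output per request id and separates requests whose `ldap_result() failed` was followed by a completed retry from requests that never completed. The log lines are constructed in the shape quoted above; the request ids and user names other than the quoted one are invented.

```python
import re

# Constructed sample in the format nslcd uses with -d (request id in brackets).
# Only the 495cff lines mirror the thread; the other two requests are made up.
SAMPLE_LOG = """\
nslcd: [495cff] DEBUG: nslcd_group_bymember(teichert)
nslcd: [495cff] DEBUG: myldap_search(base="o=mydomain,c=de", filter="(uv-userName=teichert)")
nslcd: [495cff] ldap_result() failed: Can't contact LDAP server
nslcd: [495cff] DEBUG: ldap_abandon()
nslcd: [495cff] DEBUG: ldap_unbind()
nslcd: [495cff] DEBUG: myldap_get_entry(): retry search
nslcd: [495cff] DEBUG: ldap_initialize(ldaps://ldap)
nslcd: [495cff] DEBUG: ldap_result(): end of results
nslcd: [8a1b2c] DEBUG: nslcd_passwd_byname(jdoe)
nslcd: [8a1b2c] DEBUG: ldap_result(): end of results
nslcd: [d3e4f5] DEBUG: nslcd_passwd_byname(asmith)
nslcd: [d3e4f5] ldap_result() failed: Can't contact LDAP server
nslcd: [d3e4f5] DEBUG: myldap_get_entry(): retry search
nslcd: [d3e4f5] ldap_result() failed: Can't contact LDAP server
"""

LINE_RE = re.compile(r"^nslcd: \[(?P<rid>[0-9a-f]+)\] (?P<msg>.*)$")


def analyse(log_text):
    """Per request id: how many ldap_result() failures occurred, and whether
    the request reached 'end of results' after the last failure."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an nslcd request line (other daemons, noise)
        s = stats.setdefault(m.group("rid"), {"failures": 0, "completed": False})
        msg = m.group("msg")
        if msg.startswith("ldap_result() failed:"):
            s["failures"] += 1
            s["completed"] = False  # a retry must complete again to count
        elif msg == "DEBUG: ldap_result(): end of results":
            s["completed"] = True
    return stats


def summarize(stats):
    """Transient = failed but the retry completed; unrecovered = never completed."""
    failed = [s for s in stats.values() if s["failures"]]
    return {
        "requests": len(stats),
        "transient": sum(1 for s in failed if s["completed"]),
        "unrecovered": sum(1 for s in failed if not s["completed"]),
    }
```

Feed it `journalctl -u nslcd` or the syslog file; a non-zero `unrecovered` count is the signal that lookups are actually being lost, while only `transient` hits match the reconnect-after-idle behaviour discussed above.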