Re: nslcd randomly fails to bind to ldap

On Wed, 2012-05-09 at 10:50 -0700, John Andrunas wrote:
> I am using nslcd in Debian Squeeze and Ubuntu Lucid, and at times have
> machines that are unable to bind to the LDAP server.  We are using
> Kerberos to bind, and simply restarting nslcd resolves the issue, but
> I am unable to discover the root cause.  The most recent case had a
> log message to the effect of
> nslcd [1573]: [15ff32] error writing to client: Broken pipe

This message is about some connection issues between nslcd and the NSS
or PAM module. Recent versions (>= 0.8.7) of nss-pam-ldapd include some
fixes to reduce false positives for this but this can generally be
ignored (even for older versions) and shouldn't be related to the
connection to the LDAP server.

> This was ~ 24 hours before starting to see these
> nslcd [1573]: [5eb207] failed to bind to LDAP server ldaps://xx.xx.xx.xx: 
> Local Error
> I have many machines running the same configuration, but only
> periodically see this situation.  Any thoughts on what the issue is,
> or how to get to the root cause?

It could be related to expiration of Kerberos tickets but I'm not much
of an expert on Kerberos.

Getting error messages from the LDAP library is a bit tricky but recent
versions (again >= 0.8.7) provide some more details on the errors if
available. Before that you can end up with vague errors like "Local

If you can reproduce the problem running nslcd with the -d option (and
perhaps more -d options to also provide debugging info directly from the
LDAP library) it could be easier to diagnose though.

Another place that you could look is on the logs on the LDAP server. The
log message indicates that the connection to the LDAP server was
established but the bind failed.
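As an added illustration of the triage suggested above (this is example code written for this page, not code from nss-pam-ldapd or from either poster), the script below separates the benign "error writing to client" lines from the real "failed to bind" lines in an nslcd syslog extract and measures how long after nslcd started the first bind failure appeared, so the gap can be compared with the Kerberos ticket lifetime in use. The log lines are constructed for the example: the nslcd message texts follow what the thread quotes, but the host name, timestamps and version string are invented, and the 10h/24h lifetimes checked by the hint are only common defaults, not anything the thread states.

```sh
#!/bin/sh
# Added example, not code from nss-pam-ldapd or from the thread: triage nslcd
# syslog lines so the benign "error writing to client" noise is separated from
# real "failed to bind" messages, and measure how long after nslcd started the
# first bind failure appeared, for comparison with the Kerberos ticket lifetime.

# Constructed sample log, syslog style. The nslcd message texts follow what
# the thread quotes; host name, pid, timestamps and version are invented.
SAMPLE_LOG='May  8 10:12:01 host nslcd[1573]: version 0.7.13 starting
May  8 10:12:01 host nslcd[1573]: accepting connections
May  8 11:40:22 host nslcd[1573]: [15ff32] error writing to client: Broken pipe
May  8 19:03:10 host nslcd[1573]: [2a71c0] error writing to client: Broken pipe
May  9 10:13:45 host nslcd[1573]: [5eb207] failed to bind to LDAP server ldaps://xx.xx.xx.xx: Local Error
May  9 10:14:45 host nslcd[1573]: [8b4dc2] failed to bind to LDAP server ldaps://xx.xx.xx.xx: Local Error'

# Benign: trouble between nslcd and the NSS/PAM module, not the LDAP server.
count_pipe_errors() { grep -c 'error writing to client' || true; }

# Real problem: the connection was made but the (SASL/GSSAPI) bind failed.
count_bind_failures() { grep -c 'failed to bind to LDAP server' || true; }

# Convert the syslog timestamp on the first line of stdin into seconds since
# the start of the year (non-leap year assumed; good enough for differences).
log_epoch() {
    awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
        split($3, t, ":")
        print (cum[m] + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        exit
    }'
}

# Seconds between the "starting" line and the first bind failure on stdin.
seconds_to_first_bind_failure() {
    lines=$(cat)
    start=$(printf '%s\n' "$lines" | grep ' starting$' | log_epoch)
    fail=$(printf '%s\n' "$lines" | grep 'failed to bind to LDAP server' | log_epoch)
    echo $((fail - start))
}

# If the first failure lands within 10 minutes of a common ticket lifetime
# (10h or 24h, assumed defaults), point at ticket renewal as the suspect.
ticket_lifetime_hint() {
    gap=$1
    for life in 36000 86400; do
        d=$((gap - life)); [ "$d" -lt 0 ] && d=$((-d))
        [ "$d" -le 600 ] && { echo "first bind failure ${gap}s after start, close to a ${life}s ticket lifetime: check krb5_ccname renewal"; return 0; }
    done
    echo "no obvious match with a ticket lifetime"
}

triage() {
    lines=$(cat)
    echo "benign client pipe errors: $(printf '%s\n' "$lines" | count_pipe_errors)"
    echo "bind failures:             $(printf '%s\n' "$lines" | count_bind_failures)"
    ticket_lifetime_hint "$(printf '%s\n' "$lines" | seconds_to_first_bind_failure)"
}

printf '%s\n' "$SAMPLE_LOG" | triage
```

Run it against a real extract with `grep nslcd /var/log/syslog | triage` once the functions are sourced. If the hint fires, the next things to check are the credentials cache named by `krb5_ccname` in nslcd.conf (`klist -c` on that file shows the ticket end time) and, as the reply says, a foreground run with `nslcd -d` (repeat `-d` for LDAP library output) around the time the failure is expected to recur.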

