Re: nslcd randomly fails to bind to ldap
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: nslcd randomly fails to bind to ldap
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: nslcd randomly fails to bind to ldap
- Date: Wed, 09 May 2012 21:51:37 +0200
On Wed, 2012-05-09 at 10:50 -0700, John Andrunas wrote:
> I am using nslcd in Debian Squeeze and Ubuntu Lucid, and at times have
> machines that are unable to bind to the LDAP server. We are using
> Kerberos to bind, and simply restarting nslcd resolves the issue, but
> I am unable to discover the root cause. The most recent case had a
> log message to the effect of
>
> nslcd [1573]: [15ff32] error writing to client: Broken pipe
This message is about some connection issues between nslcd and the NSS
or PAM module. Recent versions (>= 0.8.7) of nss-pam-ldapd include some
fixes to reduce false positives for this but this can generally be
ignored (even for older versions) and shouldn't be related to the
connection to the LDAP server.
> This was ~ 24 hours before starting to see these
>
> nslcd [1573]: [5eb207] failed to bind to LDAP server ldaps://xx.xx.xx.xx:
> Local Error
>
> I have many machines running the same configuration, but only
> periodically see this situation. Any thoughts on what the issue is,
> or how to get to the root cause?
It could be related to expiration to Kerberos tickets but I'n not much
of an expert on Kerberos.
Getting error messages from the LDAP library is a bit tricky but recent
versions (again >= 0.8.7) provide some more details on the errors if
available. Before that you can end up with vague errors like "Local
Error".
If you can reproduce the problem running nslcd with the -d option (and
perhaps more -d options to also provide debugging info directly from the
LDAP library) it could be easier to diagnose though.
Another place that you could look is on the logs on the LDAP server. The
log message indicates that the connection to the LDAP server was
established but the bind failed.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/