
Re: pynslcd problems

On Sat, 2012-07-07 at 21:34 +0200, Jon Severinsson wrote:
> The problem isn't that the table doesn't exist, but that it is empty,
> which in turn is because something is wrong with tls support in
> pynslcd, so it never receives any data from ldap to put in the cache.
> If I change the config file to use "ldap://" uris rather than
> "ldaps://" uris, and remove the tls_reqcert and tls_cacertfile
> configurations in favor of "ssl off", pynslcd works (almost) as
> advertised.

Thanks. The problem here was that the TLS options were not taken into
account. This should be fixed in SVN. The following configuration
options are however not yet implemented:
  binddn, bindpw, sasl_mech, sasl_authcid, sasl_authzid,
  sasl_secprops, bind_timelimit, idle_timelimit, pagesize,
  nss_initgroups_ignoreusers, nss_min_uid and
  pam_password_prohibit_message
and chasing referrals over ldaps:// doesn't work probably due to a
missing callback in pynslcd.

> If the network connection is removed from a running pynslcd, any
> subsequent "getent" call will hang indefinitely. If I then restart
> pynslcd, the first "getent" call will hang for several seconds before
> returning the cached entries from the sqlite db, but further "getent"
> calls work just fine. Until I connect to the network again, at which
> point it will continue to serve the cached data, until I restart
> pynslcd yet again.

The change in SVN for TLS options should also respect the timelimit
option now, which means that the connection shouldn't hang indefinitely.
Having said that, pynslcd currently relies on OpenLDAP to do the
fail-over and reconnecting. I think it does fail-over but not
reconnecting. In any case this is not very well tested with pynslcd, and
once the LDAP server has become unavailable, its coming back up is not
automatically detected.

> Oh, and the stop action of the debian init script "/etc/init.d/nslcd"
> doesn't work after just changing NSLCD_BIN to /usr/local/sbin/pynslcd, I
> also had to remove "--name nslcd" from the "start-stop-daemon --stop"
> calls, or it wouldn't actually kill pynslcd...

Ok, thanks. I'll see if a nicer workaround is available.

It also seems that running pynslcd in other than debug mode causes
issues with the sqlite cache for me. This is probably related to the
change in uid.

Thanks for testing,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
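As an added illustration (not part of the thread or of nss-pam-ldapd itself), two nslcd.conf fragments contrasting the "ssl off" workaround from the report with the ldaps:// settings the reply says are now honoured. Option names are real nslcd.conf options; the server name, base DN and CA file path are placeholders.

```conf
# Constructed example, not from the thread. Two alternative nslcd.conf
# contents; server, base and file path are placeholders.

# --- Variant A: the workaround from the report. Plain ldap:// with TLS
#     switched off, so the directory is read without server verification
#     and credentials or account data cross the network unprotected. ---
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl off

# --- Variant B: ldaps:// with the server certificate checked against a
#     pinned CA file (the options the fix in SVN makes pynslcd honour),
#     plus a bounded search time so a lost link fails instead of hanging.
#     bind_timelimit and idle_timelimit are listed as not yet implemented
#     in pynslcd, so only timelimit is set here. ---
uid nslcd
gid nslcd
uri ldaps://ldap.example.com/
base dc=example,dc=com
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem
timelimit 10
```

With variant B, `getent passwd` against an unreachable server should return after roughly the timelimit rather than blocking, which is the behaviour the reply describes for the SVN version.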