Re: both nscd and nslcd needed?

Arthur de Jong schreef op 26-1-2014 12:50:
> On Sun, 2014-01-26 at 11:24 +0100, Egbert wrote:
>> We are running ldap auth on our sftp server. The ldap server is on a
>> different server on the same internal network (this is HCC hobbynet
>> network). There are situations where we find that the nscd and/or
>> nslcd daemons on the sftp server are dead and nobody can login
>> anymore.
>> 
>> Since we came from the nss-ldap service and now rely fully on your
>> nss-ldapd, we wonder if both daemons are needed. All config is in
>> nslcd.conf; we never touched the nscd.conf. Having overlapping configs
>> is confusing.
>
> nscd and nslcd serve completely separate purposes: nscd does caching for
> all NSS providers, nslcd retrieves user and group data from an LDAP
> server and makes it available to the system.
>
> nscd is not required for running nslcd. It may improve performance if
> your LDAP server is slow but some versions of nscd have been known to be
> unstable. In the situations I've experienced removing the nscd cache
> files (/var/db/nscd or /var/cache/nscd) helped.
>
> There is work ongoing to implement caching in pynslcd (a Python
> alternative drop-in to nslcd) so that should make nscd redundant.
>
> If you are seeing crashes or hangs in nslcd, could you send some more
> details? For instance, version number, any information from the logs
> regarding the problem, conditions that seem to trigger the problem, etc.

As a matter of fact I have just made an excerpt from syslog:

Jan 25 11:01:16 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_result() failed: Can't contact LDAP server
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb1-int.hobby.nl/): Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> failed to bind to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/: Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> connected to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> connected to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/
Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 25 11:35:01 sftp nslcd[5304]: [73983a] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 25 12:45:01 sftp nslcd[5304]: [d0ad81] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 25 15:35:01 sftp nslcd[5304]: [7d63f4] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb2-int.hobby.nl/): Can't contact LDAP server: Transport endpoint is not connected
Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> failed to bind to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/: Can't contact LDAP server: Transport endpoint is not connected
Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> connected to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/
Jan 25 16:35:01 sftp nslcd[5304]: [a85f4d] <group/member="root"> connected to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
Jan 25 16:35:01 sftp nslcd[5304]: [a85f4d] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 25 17:44:07 sftp nslcd[1423]: version 0.8.13 starting
Jan 25 17:44:12 sftp nslcd[1423]: accepting connections
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt warning: missing initialization - please fix the application
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt warning: missing initialization - please fix the application
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt notice: state transition Power-On => Fatal-Error
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt terminated the application
Jan 26 10:54:48 sftp nslcd[18625]: version 0.8.13 starting
Jan 26 10:54:53 sftp nslcd[18625]: accepting connections
Jan 26 10:55:02 sftp nslcd[18625]: [3c9869] <passwd=309> (re)loading /etc/nsswitch.conf
Jan 26 10:56:54 sftp nslcd[18625]: [e8944a] <passwd=309> (re)loading /etc/nsswitch.conf
Jan 26 11:14:58 sftp nslcd[18625]: [6afb66] <passwd="x"> request denied by validnames option
Jan 26 11:16:13 sftp nslcd[18625]: [2dba31] <passwd="x"> request denied by validnames option
Jan 26 11:34:31 sftp nslcd[18625]: caught signal SIGTERM (15), shutting down
Jan 26 11:34:31 sftp nslcd[18625]: version 0.8.13 bailing out
Jan 26 11:35:14 sftp nslcd[19888]: version 0.8.13 starting
Jan 26 11:35:14 sftp nslcd[19888]: accepting connections
Jan 26 11:35:17 sftp nslcd[19888]: [8b4567] <passwd=309> (re)loading /etc/nsswitch.conf
Jan 26 11:35:49 sftp nslcd[19888]: caught signal SIGTERM (15), shutting down
Jan 26 11:35:49 sftp nslcd[19888]: version 0.8.13 bailing out
Jan 26 11:36:32 sftp nslcd[19972]: version 0.8.13 starting
Jan 26 11:36:37 sftp nslcd[19972]: accepting connections
Jan 26 11:47:34 sftp nslcd[19972]: [b0dc51] <passwd=309> (re)loading /etc/nsswitch.conf
Jan 26 11:57:49 sftp nslcd[19972]: [1b58ba] <passwd=309> (re)loading /etc/nsswitch.conf

The libgcrypt warnings don't look good to me... Why the switch between
ldap server 1 and 2 occurs puzzles me. Both servers are quite stable and
operational.

Here is nslcd.conf too:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://hcc-ldap-lb1-int.hobby.nl/ ldap://hcc-ldap-lb2-int.hobby.nl/
#uri ldap://ldap2-int.hobby.nl/

# The search base that will be used for all queries.
base dc=hcc,dc=nl

# Other base mappings
base   group  ou=groups,dc=hcc,dc=nl
base   passwd ou=users,dc=hcc,dc=nl
base   shadow ou=users,dc=hcc,dc=nl

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=hobbynetlogin,ou=applicaties,dc=hcc,dc=nl
bindpw not for you to se

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
#ssl start_tls
tls_reqcert never
#tls_cacertfile /etc/ssl/certs/cacert.org.pem
#tls_cert /etc/ssl/private/server.crt
#tls_key /etc/ssl/private/server.key

# The search scope.
#scope sub

# The minimum uid
nss_min_uid 300

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))

Egbert Jan


-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
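An added example, not code from the post or from the nss-pam-ldapd project: a Python script that parses nslcd syslog lines of the kind in the excerpt above (STARTTLS and bind failures per URI, failover to the second server, the libgcrypt abort, the SIGTERM restarts) and audits an nslcd.conf for the transport-security weakness visible in the posted configuration. There, `ssl start_tls` is combined with `tls_reqcert never`, so nslcd negotiates TLS but never verifies the server certificate; an on-path attacker who answers for the load-balancer name can present any certificate and capture the binddn/bindpw and every lookup. The log lines and config text below are constructed from the lines in the post (password replaced); the hardened variant's CA file path is an assumption, not something the post gives.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog excerpt in the post (wrapped lines rejoined).
SAMPLE_LOG = """\
Jan 25 11:01:16 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_result() failed: Can't contact LDAP server
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb1-int.hobby.nl/): Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> failed to bind to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/: Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> connected to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
Jan 25 17:44:07 sftp nslcd[1423]: version 0.8.13 starting
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt terminated the application
Jan 26 10:54:48 sftp nslcd[18625]: version 0.8.13 starting
Jan 26 11:34:31 sftp nslcd[18625]: caught signal SIGTERM (15), shutting down
"""

# Constructed from the nslcd.conf in the post, comments dropped and password replaced.
SAMPLE_CONF = """\
uid nslcd
gid nslcd
uri ldap://hcc-ldap-lb1-int.hobby.nl/ ldap://hcc-ldap-lb2-int.hobby.nl/
#uri ldap://ldap2-int.hobby.nl/
base dc=hcc,dc=nl
binddn cn=hobbynetlogin,ou=applicaties,dc=hcc,dc=nl
bindpw REDACTED
ssl start_tls
tls_reqcert never
nss_min_uid 300
"""
# Hardened variant: verify the server certificate against a pinned CA.
# The CA file path is an assumption for the example, not taken from the post.
HARDENED_CONF = SAMPLE_CONF.replace(
    "tls_reqcert never", "tls_reqcert demand\ntls_cacertfile /etc/ssl/certs/hcc-ldap-ca.pem")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) nslcd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
URI_RE = re.compile(r"ldaps?://[^\s/]+/")


def parse_nslcd_log(text):
    """Yield one dict (ts, host, pid, msg) per syslog line written by nslcd; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Count STARTTLS/bind failures and successful connects per LDAP URI, and record
    daemon lifecycle events (start, clean SIGTERM shutdown, libgcrypt abort) per pid."""
    failures, connects, events = Counter(), Counter(), []
    for rec in parse_nslcd_log(text):
        msg, pid = rec["msg"], rec["pid"]
        uris = URI_RE.findall(msg)          # ldap_result() failures carry no URI and are not attributed
        if "ldap_start_tls_s() failed" in msg or "failed to bind to LDAP server" in msg:
            failures.update(uris)
        elif "connected to LDAP server" in msg:
            connects.update(uris)
        if msg.startswith("version ") and msg.endswith(" starting"):
            events.append((pid, "start"))
        elif "caught signal SIGTERM" in msg:
            events.append((pid, "sigterm"))
        elif "Libgcrypt terminated the application" in msg:
            events.append((pid, "crash"))
    return {"failures": dict(failures), "connects": dict(connects), "events": events}


def parse_nslcd_conf(text):
    """Map each option name to the list of values seen; full-line comments are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts


def audit_tls(text):
    """Return findings about nslcd.conf settings that weaken transport protection.
    Where an option appears more than once the last value seen is used here."""
    opts = parse_nslcd_conf(text)
    ssl = opts.get("ssl", ["off"])[-1]
    uris = " ".join(opts.get("uri", [])).split()
    findings = []
    if ssl == "off" and any(u.startswith("ldap://") for u in uris):
        findings.append("plain ldap:// without start_tls: binddn/bindpw and all lookups travel in clear")
    if "tls_reqcert" in opts and opts["tls_reqcert"][-1] in ("never", "allow"):
        findings.append(f"tls_reqcert {opts['tls_reqcert'][-1]} with ssl {ssl}: server certificate "
                        "is not verified, any on-path host can impersonate the LDAP server")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("failures per URI:", s["failures"])
    print("connects per URI:", s["connects"])
    print("lifecycle events:", s["events"])
    print("posted config:", audit_tls(SAMPLE_CONF))
    print("hardened config:", audit_tls(HARDENED_CONF))
```

Run against a real `/var/log/syslog` the summary shows which URI is actually failing (in the excerpt both load-balancer names fail in turn, which points at the path between sftp and the balancers rather than at one LDAP server), and a crash event immediately after a start event is the libgcrypt abort pattern that ends the excerpt's pid 1423. The audit is deliberately narrow: it flags only what can be read from the file itself, and a missing `tls_reqcert` line is left alone because nslcd then inherits libldap's default from ldap.conf(5).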