Re: both nscd and nslcd needed?

On Sun, 2014-01-26 at 13:01 +0100, Egbert wrote:
> Jan 25 11:01:16 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_result() 
> failed: Can't contact LDAP server
> Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> 
> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb1-int.hobby.nl/): Can't 
> contact LDAP server: Transport endpoint is not connected
> Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> failed to 
> bind to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/: Can't contact LDAP 
> server: Transport endpoint is not connected
> Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> connected to 
> LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
> Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> connected to 
> LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/
> Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> 
> ldap_result() failed: Can't contact LDAP server
> Jan 25 11:35:01 sftp nslcd[5304]: [73983a] <group/member="root"> 
> ldap_result() failed: Can't contact LDAP server
> Jan 25 12:45:01 sftp nslcd[5304]: [d0ad81] <group/member="root"> 
> ldap_result() failed: Can't contact LDAP server
> Jan 25 15:35:01 sftp nslcd[5304]: [7d63f4] <group/member="root"> 
> ldap_result() failed: Can't contact LDAP server
> Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> 
> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb2-int.hobby.nl/): Can't 
> contact LDAP server: Transport endpoint is not connected
> Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> failed to 
> bind to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/: Can't contact LDAP 
> server: Transport endpoint is not connected
> Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> connected to 
> LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/
> Jan 25 16:35:01 sftp nslcd[5304]: [a85f4d] <group/member="root"> connected to 
> LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
> Jan 25 16:35:01 sftp nslcd[5304]: [a85f4d] <group/member="root"> 
> ldap_result() failed: Can't contact LDAP server

Running nslcd in debugging mode (-d) may provide more information on
what is going wrong in this case. There seems to be something going
wrong in the TLS side of things affecting open connections (the
ldap_result() errors) and some new connections (failed to bind errors).

Perhaps there is a connection timeout somewhere set on the server? You
can work around this by cleanly closing the connection from the client
side with:
  idle_timelimit 120

> Jan 25 17:44:07 sftp nslcd[1423]: version 0.8.13 starting
> Jan 25 17:44:12 sftp nslcd[1423]: accepting connections
> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt warning: missing initialization - 
> please fix the application
> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt warning: missing initialization - 
> please fix the application
> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt notice: state transition Power-On 
> => Fatal-Error
> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt error: fatal error in file 
> visibility.c, line 1283, function gcry_create_nonce: called in 
> non-operational state
> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt terminated the application

This is a known bug in Libgcrypt (or the library calling it) that I also
run into sometimes. More information is available here:
  http://bugs.debian.org/643948

Sadly, no information on workarounds or fixes is available. I myself am
only seeing this occasionally during system boot. Are you seeing it also
in other circumstances?

> Jan 26 10:55:02 sftp nslcd[18625]: [3c9869] <passwd=309> (re)loading 
> /etc/nsswitch.conf

nslcd checks /etc/nsswitch.conf to see whether shadow lookups are also
performed using the LDAP map to see what information to return in the
password field for users ("*" or "x"). If nslcd detects that
nsswitch.conf is modified it rechecks it automatically. These log
lines are to be expected at least once after start-up; if they happen
more often, something or someone is modifying nsswitch.conf.

The other lines from the logs show just startup and shutdown of nslcd.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
-- 
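
The way the reply above reads these logs can be scripted. This is an added example, not part of the original message or of nss-pam-ldapd: it separates failures on open connections from failures on new connections and flags any nslcd process that reloaded nsswitch.conf more than once. The function name, the sample lines and the placeholder host names are assumptions, and each log event is assumed to be on one unwrapped line.

```python
import re
from collections import Counter

# Constructed sample lines in the nslcd syslog format quoted above;
# host names are placeholders, not the ones from the thread.
SAMPLE = """\
Jan 25 11:01:16 host nslcd[5304]: [79ec49] <group/member="bas"> ldap_result() failed: Can't contact LDAP server
Jan 25 11:01:19 host nslcd[5304]: [79ec49] <group/member="bas"> ldap_start_tls_s() failed (uri=ldap://ldap1.example.net/): Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 host nslcd[5304]: [79ec49] <group/member="bas"> failed to bind to LDAP server ldap://ldap1.example.net/: Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 host nslcd[5304]: [79ec49] <group/member="bas"> connected to LDAP server ldap://ldap2.example.net/
Jan 25 11:35:01 host nslcd[5304]: [73983a] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 26 10:55:02 host nslcd[18625]: [3c9869] <passwd=309> (re)loading /etc/nsswitch.conf
Jan 26 11:20:40 host nslcd[18625]: [5f2a10] <passwd="bas"> (re)loading /etc/nsswitch.conf
""".splitlines()

LINE = re.compile(r"nslcd\[(?P<pid>\d+)\]: (?:\[[0-9a-f]+\] <[^>]*> )?(?P<msg>.*)")
URI = re.compile(r"ldaps?://[^\s/)]+")

def triage(lines):
    """Classify nslcd log lines: open-connection errors, new-connection errors, reloads."""
    open_conn = Counter()  # ldap_result() failures per nslcd pid (open connection broke)
    new_conn = Counter()   # "failed to bind" per server URI (new connection failed)
    reloads = Counter()    # nsswitch.conf (re)loads per nslcd pid
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("ldap_result() failed"):
            open_conn[m["pid"]] += 1
        elif msg.startswith("failed to bind to LDAP server"):
            uri = URI.search(msg)
            new_conn[uri.group(0) if uri else "unknown"] += 1
        elif msg.startswith("(re)loading /etc/nsswitch.conf"):
            reloads[m["pid"]] += 1
    # One reload per process is expected after start-up; more means the file changed.
    changed = sorted(pid for pid, n in reloads.items() if n > 1)
    return {"open_conn": dict(open_conn), "new_conn": dict(new_conn),
            "nsswitch_changed_pids": changed}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A pid listed under `nsswitch_changed_pids` is worth checking against file-integrity or audit records for /etc/nsswitch.conf, since that file decides which sources answer user and group lookups.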