
Re: both nscd and nslcd needed?

Arthur de Jong wrote on 26-1-2014 14:17:
> On Sun, 2014-01-26 at 13:01 +0100, Egbert wrote:
>> Jan 25 11:01:16 sftp nslcd[5304]: [79ec49] <group/member="bas"> 
>> ldap_result() failed: Can't contact LDAP server
>> Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> 
>> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb1-int.hobby.nl/): Can't 
>> contact LDAP server: Transport endpoint is not connected
>> Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> failed to 
>> bind to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/: Can't contact LDAP 
>> server: Transport endpoint is not connected
>> Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> connected to 
>> LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
>> Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> connected 
>> to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/
>> Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> 
>> ldap_result() failed: Can't contact LDAP server
>> Jan 25 11:35:01 sftp nslcd[5304]: [73983a] <group/member="root"> 
>> ldap_result() failed: Can't contact LDAP server
>> Jan 25 12:45:01 sftp nslcd[5304]: [d0ad81] <group/member="root"> 
>> ldap_result() failed: Can't contact LDAP server
>> Jan 25 15:35:01 sftp nslcd[5304]: [7d63f4] <group/member="root"> 
>> ldap_result() failed: Can't contact LDAP server
>> Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> 
>> ldap_start_tls_s() failed (uri=ldap://hcc-ldap-lb2-int.hobby.nl/): Can't 
>> contact LDAP server: Transport endpoint is not connected
>> Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> failed to 
>> bind to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/: Can't contact LDAP 
>> server: Transport endpoint is not connected
>> Jan 25 15:35:04 sftp nslcd[5304]: [7d63f4] <group/member="root"> connected 
>> to LDAP server ldap://hcc-ldap-lb1-int.hobby.nl/
>> Jan 25 16:35:01 sftp nslcd[5304]: [a85f4d] <group/member="root"> connected 
>> to LDAP server ldap://hcc-ldap-lb2-int.hobby.nl/
>> Jan 25 16:35:01 sftp nslcd[5304]: [a85f4d] <group/member="root"> 
>> ldap_result() failed: Can't contact LDAP server
> Running nslcd in debugging mode (-d) may provide more information on
> what is going wrong in this case. There seems to be something going
> wrong in the TLS side of things affecting open connections (the
> ldap_result() errors) and some new connections (failed to bind errors).
>
> Perhaps there is a connection timeout somewhere set on the server? You
> can work around this by cleanly closing the connection from the client
> side with:
>   idle_timelimit 120
This goes into nslcd.conf, is it? I might go with no-tls. Traffic is
over the internal network anyway.
>> Jan 25 17:44:07 sftp nslcd[1423]: version 0.8.13 starting
>> Jan 25 17:44:12 sftp nslcd[1423]: accepting connections
>> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt warning: missing initialization 
>> - please fix the application
>> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt warning: missing initialization 
>> - please fix the application
>> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt notice: state transition 
>> Power-On => Fatal-Error
>> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt error: fatal error in file 
>> visibility.c, line 1283, function gcry_create_nonce: called in 
>> non-operational state
>> Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt terminated the application
> This is a known bug in Libgcrypt (or the library calling it) that I also
> run into sometimes. More information is available here:
>   http://bugs.debian.org/643948
>
> Sadly, no information on workarounds or fixes is available. I myself am
> only seeing this occasionally during system boot. Are you seeing it also
> in other circumstances?
I've seen it only after reboot, but if it prevents nslcd from starting,
I have to figure out a way to restart it.
>> Jan 26 10:55:02 sftp nslcd[18625]: [3c9869] <passwd=309> (re)loading 
>> /etc/nsswitch.conf
> nslcd checks /etc/nsswitch.conf to see whether shadow lookups are also
> performed using the LDAP map to see what information to return in the
> password field for users ("*" or "x"). If nslcd detects that
> nsswitch.conf is modified it rechecks it automatically. These log
> lines are to be expected at least once after start-up, if they happen
> more often, something or someone is modifying nsswitch.conf.
No, only after reboot. nsswitch is not being altered:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

TNX, Egbert Jan
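
Added example (not part of the original message or of nss-pam-ldapd): a small Python triage script for nslcd syslog lines like those quoted in this thread. It separates failures on already-open connections (ldap_result()) from failures while setting up new ones (ldap_start_tls_s(), bind), following the distinction drawn in the quoted reply. The sample lines, the example.net hostnames and the category names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the nslcd syslog format quoted above (one event per line).
SAMPLE = """\
Jan 25 11:01:16 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_result() failed: Can't contact LDAP server
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> ldap_start_tls_s() failed (uri=ldap://ldap1.example.net/): Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> failed to bind to LDAP server ldap://ldap1.example.net/: Can't contact LDAP server: Transport endpoint is not connected
Jan 25 11:01:19 sftp nslcd[5304]: [79ec49] <group/member="bas"> connected to LDAP server ldap://ldap2.example.net/
Jan 25 11:05:01 sftp nslcd[5304]: [8125cf] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jan 25 17:44:12 sftp nslcd[1423]: Libgcrypt terminated the application
"""

# pid, optional "[request id] <query>" prefix, then the message text.
LINE = re.compile(r"nslcd\[(?P<pid>\d+)\]: (?:\[(?P<req>[0-9a-f]+)\] <[^>]*> )?(?P<msg>.*)")
RULES = [  # category names are this example's own labels
    ("open_connection_dropped", re.compile(r"ldap_result\(\) failed")),
    ("tls_setup_failed", re.compile(r"ldap_start_tls_s\(\) failed \(uri=(?P<uri>[^)]+)\)")),
    ("bind_failed", re.compile(r"failed to bind to LDAP server (?P<uri>\S+?): ")),
    ("connected", re.compile(r"connected to LDAP server (?P<uri>\S+)")),
    ("daemon_killed", re.compile(r"Libgcrypt terminated the application")),
]

def classify(text):
    """Return (pid, request_id, category, uri) for every recognised line."""
    events = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        for kind, rx in RULES:
            hit = rx.match(m["msg"])
            if hit:
                events.append((m["pid"], m["req"], kind, hit.groupdict().get("uri")))
                break
    return events

def summarize(events):
    """Count categories, pair failed servers with the failover target, list dead pids."""
    failed, failover = {}, {}
    for _, req, kind, uri in events:
        if kind in ("tls_setup_failed", "bind_failed"):
            failed[req] = uri
        elif kind == "connected" and req in failed:
            failover[req] = (failed.pop(req), uri)
    crashed = sorted({pid for pid, _, kind, _ in events if kind == "daemon_killed"})
    counts = dict(Counter(kind for _, _, kind, _ in events))
    return {"counts": counts, "failover": failover, "crashed_pids": crashed}
```

Feed it unwrapped syslog output; a non-empty crashed_pids list corresponds to the Libgcrypt abort discussed in the thread, after which nslcd has to be started again.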
