Re: Constantly trying to connect to LDAP server normal?

On Mon, 2014-07-21 at 15:53 -0700, Greg Newton wrote:
> When tailing syslog I see regular attempts to authenticate every user,
> LDAP and local. So, a snippet from syslog looks like this:
> 
> ... ldap_search_ext() failed: Can't contact LDAP server: Connection reset by 
> peer
> ... no available LDAP server found, sleeping 1 seconds
> ... connected to LDAP server ldap.example.com/

The nslcd daemon by default opens up to 5 LDAP connections (configurable
with the threads configuration option) and keeps the connections open
for re-use.

From the logs it would seem that connections are closed while already
open (most commonly the server closes the connection after idling out or
some network component has decided the TCP connection should be closed).
The idle_timelimit can be used to cleanly close the connection from the
nslcd side before the other side does so.

The reconnect_*time options can be used to tune the timeout handling.

> I'm not sure if this is important, but keith and steve are regular 
> users, and thedude is a local admin account which does not use LDAP for 
> authentication.

When users log in a large number of name lookups are regularly done. The
most annoying one is finding groups a user belongs to. Since a local
user can be part of LDAP groups (or the other way around) this is always
searched in all sources (even for local users).

Limiting these lookups can be done with the nss_initgroups_ignoreusers
and nss_min_uid options in nslcd.conf and minimum_uid pam_ldap option.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
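As an added illustration (not part of the original message, and not a configuration shipped by the nss-pam-ldapd project), the fragment below collects the nslcd.conf options named in the reply in one place. The uri, base, thread count, timeouts and the local user list are assumed placeholder values; the option names themselves are the real nslcd.conf keywords.

```conf
# Added example nslcd.conf fragment; server and base DN are placeholders.
uri ldap://ldap.example.com/
base dc=example,dc=com

# Number of worker threads; each may hold its own LDAP connection,
# so this bounds the number of connections nslcd keeps open for re-use.
threads 5

# Close an idle connection from the nslcd side (seconds). Choose a value
# below the server's or any firewall's idle timeout so nslcd is the one
# closing the socket instead of logging "Connection reset by peer".
idle_timelimit 600

# After a failed connection: how long to sleep before retrying, and after
# how many seconds of retrying to give up and return an error to the caller.
reconnect_sleeptime 1
reconnect_retrytime 10

# Do not search LDAP for group memberships of these local accounts
# ("thedude" is the local admin account from the thread; "root" is assumed).
nss_initgroups_ignoreusers root,thedude

# Ignore LDAP passwd entries with a uid below this value, so lookups for
# low-numbered local accounts are not forwarded to the directory.
nss_min_uid 1000
```

The PAM side is configured separately: the minimum_uid option is passed as a module argument on the pam_ldap.so line in the PAM stack (for example `minimum_uid=1000`), so authentication of local accounts below that uid is never attempted against LDAP. After changing the timeouts, the "no available LDAP server found, sleeping" lines in syslog are the thing to watch: they should stop appearing at the server's idle interval once idle_timelimit is shorter than that interval.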