
Re: [nssldap] NSS_Ldap fails only the first time with "server is unavailable"
- From: Nathan March <nathan [at] gossamer-threads.com>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] NSS_Ldap fails only the first time with "server is unavailable"
- Date: Thu, 10 Jul 2008 10:15:20 -0700
For what it's worth, I've been able to work around the problem with the following ldap.conf tweaks:
#bind_policy soft
nss_reconnect_tries 1
nss_reconnect_maxconntries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1

Reading the comments on this page http://www.liquidx.net/blog/2006/04/03/nss_ldap-undocumented-nss_reconnect_tries/ shows that there are many users who seem to be having this problem, so it may be a bug in nss_ldap / pam_ldap instead of a configuration error as I first thought.
- Nathan

Nathan March wrote:
Hey,

I've just finished setting up an openldap install for client machines to auth against using pam_ldap and nss_ldap. As soon as I enabled TLS this weird problem popped up: whenever I try to login remotely the first auth attempt will kick me out. If I enter an incorrect password, followed by the correct one, then I'm able to login successfully.

If I disable TLS, then it works fine. I'm using self-signed certificates. Anyone have any ideas?

I'm also using the LPK openssh patches to allow for public keys to be stored in the ldap directory; this works fine on the first attempt.

Thanks,
Nathan

Trying to login:

nathan-desktop ~ $ ssh nmarch@test64
Password: <correct password here>
Connection to test64 closed.
nathan-desktop ~ $ ssh nmarch@test64
Password: <incorrect password>
Password: <correct password>
TLS certificate verification: Error, self signed certificate
TLS: unable to get peer certificate.
Last login: Wed Jul 9 16:35:20 2008 from office
test64 root #

From the logs for single failed attempt:

2008-07-10T09:08:14.648288-07:00 test64 sshd(pam_unix)[19042]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:14.664494-07:00 test64 sshd[19038]: Accepted keyboard-interactive/pam for nmarch from x.x.x.x port 60585 ssh2
2008-07-10T09:08:14.674388-07:00 test64 sshd[19043]: nss_ldap: could not search LDAP server - Server is unavailable
2008-07-10T09:08:14.674404-07:00 test64 sshd[19043]: fatal: login_init_entry: Cannot find user "nmarch"
2008-07-10T09:08:14.680249-07:00 test64 sshd[19038]: syslogin_perform_logout: logout() returned an error

Successful (after 1 failed):

2008-07-10T09:08:26.367618-07:00 test64 sshd(pam_unix)[19049]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:26.373739-07:00 test64 sshd[19049]: pam_ldap: error trying to bind as user "uid=nmarch,ou=People,dc=gossamer,dc=com" (Invalid credentials)
2008-07-10T09:08:28.733553-07:00 test64 sshd[19045]: error: PAM: Authentication failure for nmarch from office
2008-07-10T09:08:28.761175-07:00 test64 sshd[19050]: nss_ldap: could not search LDAP server - Server is unavailable
2008-07-10T09:08:30.224078-07:00 test64 sshd(pam_unix)[19050]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:30.248725-07:00 test64 sshd[19045]: Accepted keyboard-interactive/pam for nmarch from x.x.x.x port 60586 ssh2
2008-07-10T09:08:30.271529-07:00 test64 sshd(pam_unix)[19051]: session opened for user nmarch by nmarch(uid=0)

ldap client's /etc/ldap.conf:

suffix "dc=gossamer,dc=com"
binddn dc=gossamer,dc=com
bindpw <bindpw>
uri ldap://ldap/
pam_password exop
ldap_version 3
bind_policy soft
nss_reconnect_tries 3
pam_check_host_attr yes
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=gossamer,dc=com
nss_base_shadow ou=People,dc=gossamer,dc=com
nss_base_group ou=Group,dc=gossamer,dc=com
nss_base_hosts ou=Hosts,dc=gossamer,dc=com
scope sub
ssl on
ssl start_tls
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT never
debug 256

ldap client's /etc/openldap/ldap.conf:

TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT allow
BASE dc=gossamer,dc=com
URI ldap://ldap

TLS related lines from ldap server's slapd.conf (I've tried turning off all ACL's with no effect):

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLSVerifyClient never
security ssf=1 update_ssf=112
require authc
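Added example for this thread (it is not code from nss_ldap, OpenLDAP or the poster): a small Python audit that parses the ldap.conf syntax quoted above and reports what the TLS and reconnect keywords actually buy you. It runs the client config as posted (TLS_REQCERT never, no CA file) beside a corrected version that points at a CA file and demands verification. The path /etc/ssl/certs/ldap-ca.pem is a placeholder, the treatment of tls_cacertfile as an alias for the CA file is an assumption about the nss_ldap keyword set, and the severity labels are this example's own, not either project's.

```python
"""Audit an nss_ldap / OpenLDAP client ldap.conf for its TLS and reconnect settings.

Added example for this thread; not code from nss_ldap, OpenLDAP or the poster.
The sample configs below are constructed from the client config quoted in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    key: str       # ldap.conf keyword the finding is about (lower-cased)
    message: str


# Constructed: the TLS-relevant lines of the poster's /etc/ldap.conf, with TLS_REQCERT never.
WEAK_LDAP_CONF = """\
# client config as posted (TLS and reconnect keywords only)
uri ldap://ldap/
ldap_version 3
bind_policy soft
nss_reconnect_tries 3
ssl on
ssl start_tls
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT never
"""

# Constructed: the same config with server verification turned on. The CA path is a
# placeholder; TLS_CACERT is the OpenLDAP client keyword naming the trust anchor file.
HARDENED_LDAP_CONF = """\
uri ldap://ldap/
ldap_version 3
bind_policy soft
nss_reconnect_tries 3
ssl start_tls
TLS_CACERT /etc/ssl/certs/ldap-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse ldap.conf syntax: one 'keyword value' per line, '#' comment lines,
    keywords case-insensitive, a later occurrence overriding an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(settings):
    """Return findings for a parsed config, highest severity first."""
    findings = []
    uri = settings.get("uri", "").lower()
    ssl_mode = settings.get("ssl", "off").lower()
    tls_in_use = ssl_mode in ("on", "yes", "start_tls") or uri.startswith("ldaps://")

    if not tls_in_use:
        findings.append(Finding("high", "ssl",
            "no TLS: the bindpw, user passwords and directory lookups cross the network in cleartext"))
    else:
        # OpenLDAP's default is 'demand'. 'never' and 'allow' accept any certificate, so
        # the session is encrypted but the server on the other end is not authenticated.
        reqcert = settings.get("tls_reqcert", "demand").lower()
        if reqcert in ("never", "allow"):
            findings.append(Finding("high", "tls_reqcert",
                f"TLS_REQCERT {reqcert}: any server certificate is accepted, so an impostor "
                "LDAP server would receive the bindpw and user passwords"))
        elif reqcert == "try":
            findings.append(Finding("medium", "tls_reqcert",
                "TLS_REQCERT try: a server that presents no certificate at all is still accepted"))
        # tls_cacertfile is assumed here to be the nss_ldap spelling of the same setting.
        if not any(k in settings for k in ("tls_cacert", "tls_cacertdir", "tls_cacertfile")):
            findings.append(Finding("high", "tls_cacert",
                "no CA configured (TLS_CACERT/TLS_CACERTDIR): the server certificate has nothing "
                "to verify against, which is what pushes admins toward TLS_REQCERT never"))

    # Reconnect behaviour: 'hard' (the default) retries with backoff; 'soft' fails the
    # lookup immediately, which callers see as "Server is unavailable".
    if settings.get("bind_policy", "hard").lower() == "soft":
        tries = settings.get("nss_reconnect_tries", "default")
        findings.append(Finding("info", "bind_policy",
            f"bind_policy soft with nss_reconnect_tries={tries}: a failed first connection "
            "is reported as 'Server is unavailable' rather than retried"))

    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for name, conf in (("as posted", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {name} ==")
        for f in audit(parse_ldap_conf(conf)):
            print(f"  [{f.severity}] {f.key}: {f.message}")
```

Running it prints two high findings for the config as posted (TLS_REQCERT never and no CA) and only the informational bind_policy note for the hardened one; the "ssl on" / "ssl start_tls" pair collapses to start_tls because the parser keeps the last occurrence, as the client does.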