Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
- From: Thomas Koeller <thomas [at] koeller.dyndns.org>
- To: Aaron Hicks <HicksA [at] landcareresearch.co.nz>
- Cc: "pamldap [at] padl.com" <pamldap [at] padl.com>, "nssldap [at] padl.com" <nssldap [at] padl.com>
- Subject: Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
- Date: Thu, 25 Jun 2009 21:34:39 +0200
On Thursday, 25 June 2009 06:35:22, Aaron Hicks wrote:
> When I set up LDAP authentication and restart the server, non-local logins
> take a very long time (while nss_ldap tries to connect to the server and
> fails) before failing. There are no messages in /var/log/auth, but
> /var/log/messages is full of:
>
> Jun 25 15:24:46 vmcluster gdm[5986]: nss_ldap: could not search LDAP server - Server is unavailable
> Jun 25 15:30:28 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
> Jun 25 15:33:29 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Hi Aaron,
I had a problem very similar to the one you are describing: although querying
the LDAP server using the ldapsearch command appeared to work just well, there
were many error messages about the server being unavailable in my log file.
Since in my case the server was running on the local machine, and both
pam_ldap and nss_ldap were configured to communicate with it through a unix
domain socket (ldapi:/// uri), I really could not understand why the server
would be unavailable only sporadically. Analyzing the problem I found that at
times there were lots of open connections to the server, exhausting its
configured limit, and causing it to reject further connection requests. All
those connections had been left behind by requests that had already completed,
and remained open until the server's connection timeout had been reached.
I changed the 'nss_connect_policy' in the nss_ldap config file from its
default value 'persist' to 'oneshot', instructing the client to close its
connection after every request, and the problem went away. Using nscd, as has
been suggested, tends to alleviate the problem by causing nss_ldap to be
invoked less frequently, but is not a real solution.
I think that 'persist' has been made the default value for
'nss_connect_policy' based on the assumption that the client is re-using open
connections, but obviously nss_ldap (and pam_ldap?) does not do this and
always opens a new connection for every request (I am just guessing, not being
involved in ldap development).
Hope this helps,
Thomas
--
Thomas Köller
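The two checks implied by the reply above, as an added example that is not part of the thread: tally the "Server is unavailable" messages nss_ldap writes to syslog (per logging process, so a few processes stuck in a burst of failed lookups stand out), then inspect an nss_ldap-style ldap.conf for the nss_connect_policy setting and rewrite it to 'oneshot'. The syslog line layout and the constructed log and config fragments are assumptions; the key name and its 'persist' default are as stated in the reply.

```python
"""Added example (not from the mailing-list post): tally nss_ldap
'Server is unavailable' syslog messages and check/adjust the
nss_connect_policy setting in an nss_ldap-style ldap.conf."""
import re
from collections import Counter

# Syslog line layout as quoted in the thread: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

UNAVAILABLE_MSG = "nss_ldap: could not search LDAP server - Server is unavailable"

# Constructed sample log: the three lines quoted in the thread plus two
# unrelated lines that the tally must ignore.
SAMPLE_LOG = """\
Jun 25 15:24:46 vmcluster gdm[5986]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:25:01 vmcluster cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jun 25 15:30:28 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:33:29 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:34:00 vmcluster sshd[2222]: Accepted publickey for alice from 192.0.2.10 port 4242 ssh2
"""


def parse_syslog_line(line):
    """Return a dict of syslog fields, or None if the line does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def tally_unavailable(log_text):
    """Count 'Server is unavailable' messages per logging process.

    Returns {"total": n, "by_process": {"gdm[5969]": 2, ...},
    "first": ts, "last": ts}. A stream of these while ldapsearch still
    works is the symptom described in the reply: slapd is rejecting new
    connections because idle ones are exhausting its limit.
    """
    by_process = Counter()
    first = last = None
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["msg"] != UNAVAILABLE_MSG:
            continue
        by_process[f"{rec['prog']}[{rec['pid']}]"] += 1
        first = first or rec["ts"]
        last = rec["ts"]
    return {"total": sum(by_process.values()), "by_process": dict(by_process),
            "first": first, "last": last}


def effective_connect_policy(conf_text):
    """Return the nss_connect_policy in effect for an ldap.conf body.

    The reply states that nss_ldap defaults to 'persist' when the key is
    absent; commented-out lines do not count.
    """
    policy = "persist"
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "nss_connect_policy" and len(parts) == 2:
            policy = parts[1].strip().lower()
    return policy


def set_connect_policy(conf_text, policy="oneshot"):
    """Return conf_text with nss_connect_policy set to `policy`.

    An existing uncommented setting is rewritten in place; otherwise the
    setting is appended, so the config never carries two active values.
    """
    out, replaced = [], False
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].lower() == "nss_connect_policy":
            out.append(f"nss_connect_policy {policy}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"nss_connect_policy {policy}")
    return "\n".join(out) + "\n"


# Constructed ldap.conf fragment resembling the setup in the reply
# (local slapd over a unix domain socket, policy left at its default).
SAMPLE_CONF = """\
uri ldapi:///
base dc=example,dc=com
# nss_connect_policy oneshot   <- commented out, so the default applies
"""

if __name__ == "__main__":
    print(tally_unavailable(SAMPLE_LOG))
    print("policy in effect:", effective_connect_policy(SAMPLE_CONF))
    print(set_connect_policy(SAMPLE_CONF))
```

Run against a real /var/log/messages, the per-process tally shows whether the failures cluster on a few long-lived processes (the pattern the reply attributes to connections left open under 'persist'); comparing the count before and after switching to 'oneshot' is a simple way to confirm the change took effect.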