lists.arthurdejong.org
Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)


On Thursday, 25 June 2009 06:35:22, Aaron Hicks wrote:
> When I set up LDAP authentication and restart the server, non-local logins
> take a very long time (while nss_ldap tries to connect to the server and
> fails) before failing. There are no messages in /var/log/auth, but
> /var/log/messages is full of:
>
> Jun 25 15:24:46 vmcluster gdm[5986]: nss_ldap: could not search LDAP server - Server is unavailable
> Jun 25 15:30:28 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
> Jun 25 15:33:29 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable

Hi Aaron,

I had a problem very similar to the one you are describing: although querying 
the LDAP server using the ldapsearch command appeared to work just fine, there 
were many error messages about the server being unavailable in my log file. 
Since in my case the server was running on the local machine, and both 
pam_ldap and nss_ldap were configured to communicate with it through a unix 
domain socket (ldapi:/// uri), I really could not understand why the server 
would be unavailable only sporadically. Analyzing the problem I found that at 
times there were lots of open connections to the server, exhausting its 
configured limit, and causing it to reject further connection requests. All 
those connections had been left behind by requests that had already completed, 
and remained open until the server's connection timeout had been reached.

I changed the 'nss_connect_policy' in the nss_ldap config file from its 
default value 'persist' to 'oneshot', instructing the client to close its 
connection after every request, and the problem went away. Using nscd, as has 
been suggested, tends to alleviate the problem by causing nss_ldap to be 
invoked less frequently, but is not a real solution.

I think that 'persist' has been made the default value for 
'nss_connect_policy' based on the assumption that the client is re-using open 
connections, but obviously nss_ldap (and pam_ldap?) does not do this and 
always opens a new connection for every request (I am just guessing, not being 
involved in ldap development).

Hope this helps,
Thomas
-- 
Thomas Köller
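The following script is an added example and is not part of the thread above or of the nss_ldap project. It packages the two things Thomas's reply points at into checks you can run on a host showing the same symptom: counting the "Server is unavailable" errors in the system log, reading the effective nss_connect_policy from the nss_ldap configuration (treating an absent directive as the default, 'persist'), and rewriting it to 'oneshot'. The file paths in the demo are constructed temporary files; on a real system the log is /var/log/messages and the configuration file is assumed to be /etc/ldap.conf (it varies by distribution).

```shell
#!/bin/sh
# Added example: log check and nss_connect_policy check/fix for nss_ldap.
# Not code from the mailing-list thread. Real paths are assumed to be
# /var/log/messages and /etc/ldap.conf; the demo below uses temp files.

# count_unavailable LOGFILE
# Number of nss_ldap "Server is unavailable" lines in LOGFILE. grep -c exits
# non-zero when the count is 0, so '|| true' keeps the function usable
# under 'set -e'.
count_unavailable() {
    grep -c 'nss_ldap: could not search LDAP server - Server is unavailable' "$1" || true
}

# connect_policy CONFFILE
# Effective nss_connect_policy: the last uncommented directive wins, and
# a missing directive means the built-in default 'persist'.
connect_policy() {
    awk '$1 == "nss_connect_policy" { p = $2 }
         END { print (p == "" ? "persist" : p) }' "$1"
}

# set_oneshot CONFFILE
# Replace every nss_connect_policy directive with 'oneshot', or append one
# if the file has none. Other lines are copied through unchanged.
set_oneshot() {
    f="$1"
    awk '$1 == "nss_connect_policy" { print "nss_connect_policy oneshot"; seen = 1; next }
         { print }
         END { if (!seen) print "nss_connect_policy oneshot" }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# demo: run the checks against constructed sample files.
demo() {
    d=$(mktemp -d)
    # Constructed log lines modelled on the ones quoted in the thread,
    # plus one unrelated line that must not be counted.
    cat > "$d/messages" <<'EOF'
Jun 25 15:24:46 vmcluster gdm[5986]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:25:01 vmcluster cron[6001]: (root) CMD (run-parts /etc/cron.hourly)
Jun 25 15:30:28 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:33:29 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
EOF
    # Constructed nss_ldap configuration with the default persistent policy.
    cat > "$d/ldap.conf" <<'EOF'
uri ldapi:///
base dc=example,dc=com
nss_connect_policy persist
EOF
    echo "unavailable errors: $(count_unavailable "$d/messages")"   # 3
    echo "policy before:      $(connect_policy "$d/ldap.conf")"     # persist
    set_oneshot "$d/ldap.conf"
    echo "policy after:       $(connect_policy "$d/ldap.conf")"     # oneshot
    rm -rf "$d"
}

demo
```

Running the script prints the error count and the policy before and after the rewrite. On a live host, pair the log count with a look at the server's open connections (for a ldapi:/// setup, the Unix-socket listing from ss or lsof) to confirm that leftover connections from completed requests are what is exhausting the server's limit before changing the policy.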