lists.arthurdejong.org

[nssldap] Re: disconnected nss_ldap

On Sat, 2009-10-24 at 00:34 -0400, Ryan Lynch wrote:
> 
> My bad, I just realized that you DID mention nscd--I need to learn to read.

Yeah.  :-)  Oh well.  Water under the bridge.

> But I think nscd actually has the feature that you want--are you
> familiar with the 'reload-count' option?

Yup.

> It lets you limit the number
> timeout-cycles that the daemon will tolerate before it throws out a
> cached entry.

Right.  But my experience is that even with unlimited, it doesn't take
long before the passwd entries are just gone.

But other than that, my experiments reveal that nss_ldap is called by
binaries, independently of querying nscd.  I.e., I try to log in while
the LDAP server is unavailable and get scads of messages
in /var/log/auth from nss_ldap that the LDAP server is unavailable.
Such as:

Oct 24 01:26:09 brian-laptop-old sudo: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Oct 24 01:26:09 brian-laptop-old sudo: nss_ldap: failed to bind to LDAP server ldap://ldap: Can't contact LDAP server
Oct 24 01:26:09 brian-laptop-old sudo: nss_ldap: reconnecting to LDAP server...
Oct 24 01:26:09 brian-laptop-old sudo: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Oct 24 01:26:09 brian-laptop-old sudo: nss_ldap: failed to bind to LDAP server ldap://ldap: Can't contact LDAP server
Oct 24 01:26:09 brian-laptop-old sudo: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Oct 24 01:26:10 brian-laptop-old sudo: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Oct 24 01:26:10 brian-laptop-old sudo: nss_ldap: failed to bind to LDAP server ldap://ldap: Can't contact LDAP server
Oct 24 01:26:10 brian-laptop-old sudo: nss_ldap: could not search LDAP server - Server is unavailable

In the case of sshd, I get much the same as the above, but the remote is
disconnected without even attempting an authentication:

Oct 24 01:34:09 brian-laptop-old sshd[20430]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Oct 24 01:34:09 brian-laptop-old sshd[20430]: nss_ldap: failed to bind to LDAP server ldap://ldap: Can't contact LDAP server
Oct 24 01:34:09 brian-laptop-old sshd[20430]: nss_ldap: reconnecting to LDAP server...
Oct 24 01:34:09 brian-laptop-old sshd[20430]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Oct 24 01:34:09 brian-laptop-old sshd[20430]: nss_ldap: failed to bind to LDAP server ldap://ldap: Can't contact LDAP server
Oct 24 01:34:09 brian-laptop-old sshd[20430]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Oct 24 01:34:10 brian-laptop-old sshd[20430]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Oct 24 01:34:10 brian-laptop-old sshd[20430]: nss_ldap: failed to bind to LDAP server ldap://ldap: Can't contact LDAP server
Oct 24 01:34:10 brian-laptop-old sshd[20430]: nss_ldap: could not search LDAP server - Server is unavailable

But as soon as the LDAP server is available again, ssh to the node works
just fine.

> For example, given your desired scenario of a 10-minute cache TTL, and
> a 30 day hard timeout, you could set:
> 
>   positive-time-to-live 600      # 10 minutes
>   reload-count 4320               # 30 days / 10 minutes
> 
> If the cached value is more than 10 minutes old, 'nscd' will try to
> refresh it. If it fails to connect, it will re-set the 10-minute TTL
> and increment its reload counter by 1. This cycle repeats until the
> reload counter reaches 4,320, when it just throws out the cached
> entry, entirely.

Indeed.  My experiments were that even with unlimited, the passwd entry
for the current, logged-in user disappeared.  I was going to demonstrate
on my Ubuntu Karmic laptop but I can't seem to reproduce this here.
Maybe this was a problem only on the Jaunty laptop that I was trying
previously.

> I actually use 'reload-count unlimited' to cache LDAP (AD, actually)
> users and groups. It works fine for laptops with domain accounts. With
> pam_ccreds, it pretty much works just like a local account would.

That's exactly what I am aiming for as well.

Cheers, and thanks for the update to your last post.

We should probably take this NSCD discussion offline as it's really OT
here.  Although, evidence is that, on Karmic anyway, it's working and
it's nss_ldap that is giving me grief when I am disconnected.

b.
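Added example (not from the thread, and not nscd's own code): a small Python model of the positive-time-to-live / reload-count cycle that Ryan describes, useful for checking how long a cached passwd entry would outlive an LDAP outage under a given nscd.conf. The refresh and eviction rules are an assumption taken from his description of nscd's behaviour, not from nscd's source.

```python
"""Model of the nscd refresh cycle as described in the thread.

Assumed rules (from the mail, not nscd's source): when an entry's TTL
expires nscd tries to reload it; if the backend is down the TTL is
re-armed and a reload counter is incremented; once the counter reaches
reload-count the entry is thrown out, unless reload-count is 'unlimited'.
"""
from dataclasses import dataclass
from typing import Optional, Union

ReloadCount = Union[int, str]  # an int, or the literal string 'unlimited'


@dataclass
class NscdConfig:
    positive_time_to_live: int = 600   # seconds; 10 minutes as in the thread
    reload_count: ReloadCount = 4320   # 30 days / 10 minutes, or 'unlimited'


@dataclass
class CachedEntry:
    name: str
    expires_at: int          # absolute time in seconds
    reloads: int = 0         # consecutive failed reloads
    evicted: bool = False


def refresh_cycle(entry: CachedEntry, cfg: NscdConfig, now: int, backend_up: bool) -> CachedEntry:
    """Advance one check at time `now` and return the (possibly evicted) entry."""
    if entry.evicted or now < entry.expires_at:
        return entry                                   # still fresh, nothing to do
    if backend_up:
        entry.reloads = 0                              # successful reload resets the counter
        entry.expires_at = now + cfg.positive_time_to_live
        return entry
    entry.reloads += 1
    if cfg.reload_count != 'unlimited' and entry.reloads >= cfg.reload_count:
        entry.evicted = True                           # hard timeout reached: entry dropped
        return entry
    entry.expires_at = now + cfg.positive_time_to_live  # backend down: TTL re-armed
    return entry


def survival_seconds(cfg: NscdConfig) -> Optional[int]:
    """Seconds a freshly cached entry survives an outage that starts right after
    its last successful refresh. None means it is never evicted."""
    if cfg.reload_count == 'unlimited':
        return None
    entry = CachedEntry('alice', expires_at=cfg.positive_time_to_live)  # constructed sample user
    t = 0
    while not entry.evicted:
        t += cfg.positive_time_to_live
        refresh_cycle(entry, cfg, t, backend_up=False)
    return t
```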