Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .

2011-08-19 Thread Peter E. Abresch Jr. - at Pepco
Thanks for responding. I agree that changing the order to "files ldap" for 
passwd, shadow, and group will eliminate the overly burdensome messages, but I 
question if this is the correct approach. All our external information is 
stored in LDAP and is intended to be shared with multiple Linux systems. 
Some IDs are defined locally and to LDAP as these IDs would be used when 
there are LDAP issues that cause authentication issues. I made the change 
as suggested and with some slight PAM config changes, confirmed that these 
messages are eliminated. However, I am thinking that we would still rather 
go to LDAP first and files second.

I understand that these messages are produced because the network is not 
available and communications to the ldap server are lost. This occurs 
during shutdown and IPL. I believe this is why the LDAP parameter 
nss_initgroups_ignoreusers was developed. By specifying a list of known 
local users that will be running between network availability and network 
unavailability in the nss_initgroups_ignoreusers, NSS will simply 
return a notfound condition. Of course this parameter can also be used to 
prevent a wasted LDAP lookup for local users we know are not defined to 
ldap. The default nss action is to continue, so when we have "ldap files", 
the call to ldap is bypassed and we move on to files. It is my 
understanding that the notfound condition is immediately passed, thus 
eliminating any ldap interaction for those users specified in 
nss_initgroups_ignoreusers.

I have the following specified:
nss_initgroups_ignoreusers 
root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101

I know I probably only need a few of these but I wanted to eliminate the 
messages.

This does not appear to be working as expected. Of course my expectations 
could be off. What are everyone's thoughts on this? Is this an issue that 
I need to push to support? What are others doing with Linux RACF LDAP 
authorizations? All comments are welcome. Thanks

Peter





From:   Patrick Spinler spinler.patr...@mayo.edu
To: LINUX-390@vm.marist.edu
Date:   08/18/2011 03:37 PM
Subject:Re: udevd-349-: nss_ldap: failed to bind to LDAP server 
ldap:// . . .
Sent by:Linux on 390 Port LINUX-390@vm.marist.edu



Your nsswitch says to search ldap before anything local.  I use passwd:
files ldap (same for shadow & group).  Thus, it never even tries ldap
if it finds a local entry.

This has also come in handy for a few weird exceptions where the
application absolutely had to do something weird and exceptional: I
could override it on the local box.

For example, two apps which absolutely had to use the same group name,
with different memberships.  Here, we have an enterprise oracle group
with dozens of hosts for which their dba's are all members of a common
group.  We also have a couple of one off oracle hosts for non-enterprise
groups who want the same names but different memberships.

It's a bit of a pain to manage those specific host exceptions, but at
least it's possible using 'files ldap'.

-- Pat


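As an added example (not code from the thread or from nss_ldap itself), the following Python model of the glibc NSS source walk shows the two configurations discussed above side by side: "ldap compat" with the ignore list still attempts an LDAP bind for a local account while the network is down, whereas "files ldap" never contacts LDAP for it. It also makes the limit of nss_initgroups_ignoreusers visible: nss_ldap consults that list only on the initgroups(3) path, not for getpwnam(). The account data, the process tag and the console text are constructed samples, and "compat" is treated as a plain local source.

```python
# Added example, not code from the LINUX-390 thread: a model of the glibc NSS
# source walk, showing why "passwd: ldap compat" still contacts LDAP for a local
# account while the network is down, and why nss_initgroups_ignoreusers does not
# change that (nss_ldap consults it only on the initgroups(3) path).
# Account data and console text are constructed samples.

LOCAL_PASSWD = {"root": 0, "bin": 1, "daemon": 2, "sshd": 71, "ldap": 76}
LDAP_PASSWD = {"peter": 5001, "dba1": 5002}  # constructed directory entries

class LdapSource:
    """Stand-in for nss_ldap: each lookup attempted while the network is
    down records the bind failure that ends up on the console."""
    def __init__(self, ignore_users, network_up):
        self.ignore_users = set(ignore_users)
        self.network_up = network_up
        self.log = []

    def _bind(self, caller):
        if self.network_up:
            return "SUCCESS"
        self.log.append(f"{caller}: nss_ldap: failed to bind to LDAP server "
                        "ldap://contest: Can't contact LDAP server")
        return "UNAVAIL"

    def getpwnam(self, caller, name):
        # The ignore list is not consulted here; a bind is always attempted.
        status = self._bind(caller)
        if status != "SUCCESS":
            return status, None
        return ("SUCCESS", LDAP_PASSWD[name]) if name in LDAP_PASSWD else ("NOTFOUND", None)

    def initgroups(self, caller, name):
        # nss_initgroups_ignoreusers: listed users get NOTFOUND, no bind attempted.
        return "NOTFOUND" if name in self.ignore_users else self._bind(caller)

def local_getpwnam(name):
    """'files' and 'compat' both resolve against /etc/passwd in this model."""
    return ("SUCCESS", LOCAL_PASSWD[name]) if name in LOCAL_PASSWD else ("NOTFOUND", None)

def nss_getpwnam(order, ldap, caller, name):
    """Walk the nsswitch.conf source list with glibc's default actions:
    continue on NOTFOUND or UNAVAIL, stop at the first SUCCESS."""
    for src in order:
        if src in ("files", "compat"):
            status, uid = local_getpwnam(name)
        elif src == "ldap":
            status, uid = ldap.getpwnam(caller, name)
        else:
            continue
        if status == "SUCCESS":
            return uid
    return None

def boot_getpwnam(order, ignore_users, name="root", network_up=False):
    """Resolve an account as an early-boot daemon would; return (uid, messages)."""
    ldap = LdapSource(ignore_users, network_up)
    return nss_getpwnam(order, ldap, "udevd-349-", name), len(ldap.log)

def boot_initgroups(ignore_users, name="root", network_up=False):
    """Same moment on the initgroups path; return the console message count."""
    ldap = LdapSource(ignore_users, network_up)
    ldap.initgroups("udevd-349-", name)
    return len(ldap.log)

IGNORE = ["root", "ldap", "haldaemon", "messagebus", "dbus", "bin", "daemon",
          "postfix", "sshd", "polkituser", "uuidd", "100", "101"]
```

With the network down, `boot_getpwnam(["ldap", "compat"], IGNORE)` returns `(0, 1)` (root resolved, one console message), `boot_getpwnam(["files", "ldap"], IGNORE)` returns `(0, 0)`, and `boot_initgroups(IGNORE)` returns `0` because that path honours the ignore list.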
Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .

2011-08-19 Thread Mark Post
 On 8/19/2011 at 10:53 AM, Peter E. Abresch Jr.   - at Pepco
peabre...@pepco.com wrote: 
 I have the following specified:
 nss_initgroups_ignoreusers 
 root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd
 ,100,101
 
 I know I probably only need a few of these but I wanted to eliminate the 
 messages.
 
 This does not appear to be working as expected. Of course my expectations 
 could be off. What are everyone's thoughts on this? Is this an issue that 
 I need to push to support? What are others doing with Linux RACF LDAP 
 authorizations? All comments are welcome. Thanks

A Google search found something that indicates perhaps having too many users 
listed can be a problem.  They were able to get the ignore list to work with 2 
entries, but having 13 didn't.  This was on RHEL5 from June of this year, so 
fairly recent.  Give that a try and see what happens.  Then regardless of the 
result, open up a support request.


Mark Post

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .

2011-08-19 Thread Peter E. Abresch Jr. - at Pepco
Thanks, I saw that; the default is root,ldap, but that did not make a
difference. I also tried other combinations and a couple of times with
only root, with the same results. There are many hits on a google search
for this condition but no resolutions. I am seeing this condition for
udevd, securitytty, and some other services. I assume these all run under
root as there are no ids or groups specifically for udevd and the rest. I
am kind of stumped. I am leaning towards a possible bug at this point.
Maybe something will come to me over a couple (or six) beers this weekend.


Peter




From:   Mark Post mp...@novell.com
To: LINUX-390@vm.marist.edu
Date:   08/19/2011 02:45 PM
Subject:Re: udevd-349-: nss_ldap: failed to bind to LDAP server
ldap:// . . .
Sent by:Linux on 390 Port LINUX-390@vm.marist.edu



 On 8/19/2011 at 10:53 AM, Peter E. Abresch Jr.   - at Pepco
peabre...@pepco.com wrote:
 I have the following specified:
 nss_initgroups_ignoreusers

root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd
 ,100,101

 I know I probably only need a few of these but I wanted to eliminate the

 messages.

 This does not appear to be working as expected. Of course my
expectations
 could be off. What are everyone's thoughts on this? Is this an issue
that
 I need to push to support? What are others doing with Linux RACF LDAP
 authorizations? All comments are welcome. Thanks

A Google search found something that indicates perhaps having too many
users listed can be a problem.  They were able to get the ignore list to
work with 2 entries, but having 13 didn't.  This was on RHEL5 from June of
this year, so fairly recent.  Give that a try and see what happens.  Then
regardless of the result, open up a support request.


Mark Post



This Email message and any attachment may contain information that is
proprietary, legally privileged, confidential and/or subject to copyright
belonging to Pepco Holdings, Inc. or its affiliates (PHI).  This Email is
intended solely for the use of the person(s) to which it is addressed.  If
you are not an intended recipient, or the employee or agent responsible for
delivery of this Email to the intended recipient(s), you are hereby notified
that any dissemination, distribution or copying of this Email is strictly
prohibited.  If you have received this message in error, please immediately
notify the sender and permanently delete this Email and any copies.  PHI
policies expressly prohibit employees from making defamatory or offensive
statements and infringing any copyright or any other legal right by Email
communication.  PHI will not accept any liability in respect of such
communications.



udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .

2011-08-18 Thread Peter E. Abresch Jr. - at Pepco
We finally have the RACF LDAP server running on z/OS with the TDBM backend and
native authentication. We thought we were done as all our testing
completed successfully. However, when the operator booted Linux, the
console is flooded with the following messages on shutdown and
startup. It is very difficult to catch a real error in this flood of
messages. Also, these messages are somewhat misleading as the LDAP server
is up and running and available. I am thinking that these messages are
produced as some service is shut down and before some service starts. Here
is the challenge: how can we eliminate these messages during shutdowns and
boots?  They are all coming from udevd. Thanks in advance.

Peter

udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server


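The poster's operational concern above is that a real error is hard to spot among the repeated nss_ldap lines. As an added example (not code from the thread), this Python snippet folds those lines into per-process counts and passes every other console line through unchanged, so the noise collapses to a few summary lines while anything unrelated stays visible. The sample console lines are constructed to match the quoted format; the vol_id process tag and the mount error are invented for the demonstration.

```python
import re
from collections import Counter

# Added example, not code from the thread: fold the repeated nss_ldap console
# messages into per-process counts so that any unrelated error stays visible.
# The console lines below are constructed to match the format quoted above.

NSS_LDAP_RE = re.compile(
    r"^(?P<proc>\S+): nss_ldap: "
    r"(?P<kind>failed to bind to LDAP server \S+?(?=: )|could not search LDAP server)"
)

SAMPLE_CONSOLE = """\
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
vol_id-412-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
mount: mount point /srv/oracle does not exist
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
""".splitlines()


def summarize(lines):
    """Return (other_lines, counts): counts maps (process, message) -> n, and
    other_lines keeps every line that is not nss_ldap noise, in order."""
    counts = Counter()
    other = []
    for line in lines:
        m = NSS_LDAP_RE.match(line)
        if m:
            counts[(m["proc"], m["kind"])] += 1
        else:
            other.append(line)
    return other, counts


def report(lines):
    """Render the folded view: one count line per (process, message), then the rest."""
    other, counts = summarize(lines)
    folded = [f"{n:3d}x {proc}: nss_ldap: {kind}"
              for (proc, kind), n in sorted(counts.items())]
    return folded + other


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONSOLE)))
```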

Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .

2011-08-18 Thread Peter E. Abresch Jr. - at Pepco
I have the following set in /etc/ldap.conf

bind_policy soft
nss_initgroups_ignoreusers
root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101

However, these messages are overwhelming. I get them for udevd and vol_id.
These might be a startup timing issue as soon as the network is available,
they go away. However, the nss_initgroups_ignoreusers should ignore this.
Am I still missing something?

/etc/nsswitch.conf contains:

passwd: ldap compat
shadow: ldap compat
group:  ldap compat


hosts:  files dns
networks:   files dns

services:   files
protocols:  files
rpc:files
ethers: files
netmasks:   files
netgroup:   files nis
publickey:  files

bootparams: files
automount:  files nis
aliases:files



From:   Peter E Abresch/EP/PEP
To: LINUX-390@vm.marist.edu
Date:   08/18/2011 09:00 AM
Subject:udevd-349-: nss_ldap: failed to bind to LDAP server
ldap:// . . .


We finally have the RACF LDAP server running on z/OS with the TDBM backend and
native authentication. We thought we were done as all our testing
completed successfully. However, when the operator booted Linux, the
console is flooded with the following messages on shutdown and
startup. It is very difficult to catch a real error in this flood of
messages. Also, these messages are somewhat misleading as the LDAP server
is up and running and available. I am thinking that these messages are
produced as some service is shut down and before some service starts. Here
is the challenge: how can we eliminate these messages during shutdowns and
boots?  They are all coming from udevd. Thanks in advance.

Peter

udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server
udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't
contact LDAP server




Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .

2011-08-18 Thread Patrick Spinler
Your nsswitch says to search ldap before anything local.  I use passwd:
files ldap (same for shadow & group).  Thus, it never even tries ldap
if it finds a local entry.

This has also come in handy for a few weird exceptions where the
application absolutely had to do something weird and exceptional: I
could override it on the local box.

For example, two apps which absolutely had to use the same group name,
with different memberships.  Here, we have an enterprise oracle group
with dozens of hosts for which their dba's are all members of a common
group.  We also have a couple of one off oracle hosts for non-enterprise
groups who want the same names but different memberships.

It's a bit of a pain to manage those specific host exceptions, but at
least it's possible using 'files ldap'.

-- Pat

On 8/18/11 12:47 PM, Peter E. Abresch Jr. - at Pepco wrote:
 I have the following set in /etc/ldap.conf

 bind_policy soft
 nss_initgroups_ignoreusers
 root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101

 However, these messages are overwhelming. I get them for udevd and vol_id.
 These might be a startup timing issue as soon as the network is available,
 they go away. However, the nss_initgroups_ignoreusers should ignore this.
 Am I still missing something?

 /etc/nsswitch.conf contains:

 passwd: ldap compat
 shadow: ldap compat
 group:  ldap compat


 hosts:  files dns
 networks:   files dns

 services:   files
 protocols:  files
 rpc:files
 ethers: files
 netmasks:   files
 netgroup:   files nis
 publickey:  files

 bootparams: files
 automount:  files nis
 aliases:files


