Well, crap. It turns out this isn't a problem. PAM is configured for LDAP authentication and so it opens a connection each time I log in, owned by my sshd process, even though it's not using LDAP authentication for root. And the other LDAP queries I'm seeing are being sent when users authenticate via sendmail. Case closed!
On Wed, Mar 7, 2018 at 4:16 PM, David Parker <dpar...@utica.edu> wrote:

> Hello,
>
> I have an SMTP server running Debian Wheezy (64-bit). A few weeks ago, I
> stopped nscd on it, because it was holding a connection open to our LDAP
> server and sending a ton of unnecessary queries to it.
>
> Even though nscd is not running, I am once again seeing nscd-type queries
> on the LDAP server from this SMTP server, and a connection is open from the
> SMTP server. But I can't seem to figure out what process is using that
> connection. Every time I check using netstat or lsof, it just reports that
> the socket is owned by my current sshd process.
>
> An example:
>
> root@smtp:~# netstat -anp | grep 389
> tcp 0 0 <smtp-ip>:58786 <ldap-ip>:389 ESTABLISHED
> *10249/0*
>
> root@smtp:~# lsof -n -i :389
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd *10249 root* 4w IPv4 86936230 0t0 TCP
> <smtp-ip>:58786-><ldap-ip>:ldap (ESTABLISHED)
>
> root@smtp:~# ps -ef | grep 10249
> *root 10249 17111 0 15:49 ? 00:00:00 sshd: root@pts/0*
> root 10251 10249 0 15:50 pts/0 00:00:00 -bash
> root 10286 10251 0 15:54 pts/0 00:00:00 grep 10249
>
> So I log out and back in, and the PID for this socket changes to my new
> sshd process:
>
> root@smtp:~# netstat -anp | grep 389
> tcp 0 0 <smtp-ip>:58798 <ldap-ip>:389 ESTABLISHED
> *10288/0*
>
> root@smtp:~# lsof -n -i :389
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd *10288 root* 4w IPv4 86936319 0t0 TCP
> <smtp-ip>:58798-><ldap-ip>:ldap (ESTABLISHED)
>
> root@smtp:~# ps -ef | grep 10288
> *root 10288 17111 0 15:54 ? 00:00:00 sshd: root@pts/0*
> root 10290 10288 0 15:54 pts/0 00:00:00 -bash
> root 10304 10290 0 15:55 pts/0 00:00:00 grep 10288
>
> And all the while, LDAP queries continue to be sent over this connection.
> Does anyone have any idea why I can't seem to track down the real process
> which is holding this socket open?
>
> Thanks!
> Dave
>
> --
> Dave Parker '11
> Database & Systems Administrator
> Utica College
> Integrated Information Technology Services
> (315) 792-3229
> Registered Linux User #408177

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
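
An added example, not part of the original message: when lsof attributes an LDAP socket to sshd, listing the LDAP client libraries mapped into that PID shows whether a PAM or NSS module loaded inside the process is what opened it. The function names, the sample maps content, and the assumed module basenames (pam_ldap.so, libnss_ldap*, libldap* from the Debian libpam-ldap, libnss-ldap and OpenLDAP packages) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Lists LDAP client libraries mapped into a process, which is
# how a PAM/NSS LDAP module ends up owning a socket inside sshd.
# Assumption: module basenames follow the Debian packages libpam-ldap
# (pam_ldap.so), libnss-ldap (libnss_ldap*) and OpenLDAP (libldap*).

# ldap_libs_in_maps FILE: FILE is in /proc/<pid>/maps format.
ldap_libs_in_maps() {
    awk '{
        n = split($6, part, "/")          # field 6 is the mapped file path
        base = (n > 0) ? part[n] : ""     # anonymous mappings have no path
        if (base ~ /^(pam_ldap\.so|libnss_ldap|libldap)/) print $6
    }' "$1" | sort -u                     # one line per library, not per segment
}

# ldap_libs_for_pid PID: same check against a live process
# (root is needed to read another user's /proc/<pid>/maps).
ldap_libs_for_pid() {
    ldap_libs_in_maps "/proc/$1/maps"
}

# Constructed sample of an sshd session's maps file (not taken from the thread).
sample_maps() {
    cat <<'EOF'
7f3a10000000-7f3a1000c000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/security/pam_unix.so
7f3a10400000-7f3a10409000 r-xp 00000000 08:01 1312 /lib/x86_64-linux-gnu/security/pam_ldap.so
7f3a10609000-7f3a1060a000 rw-p 00009000 08:01 1312 /lib/x86_64-linux-gnu/security/pam_ldap.so
7f3a10800000-7f3a1084a000 r-xp 00000000 08:01 2201 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
7f3a10c00000-7f3a10c21000 rw-p 00000000 00:00 0
7f3a11000000-7f3a11021000 rw-p 00000000 00:00 0 [heap]
EOF
}

# Run the check over the constructed sample and print the matching libraries.
demo() {
    tmp=$(mktemp) || return 1
    sample_maps > "$tmp"
    ldap_libs_in_maps "$tmp"
    rm -f "$tmp"
}

demo
```

On a live host, `ldap_libs_for_pid 10249` would run the same check against the sshd PID that lsof reported.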