I'm having some odd ldap issues with connection or lack thereof to ldap server when nsswitch.conf and pam.d/system-auth are configured to used FDS ldap server.

I'm running both RHEL3 and RHEL4 clients.  My servers are RHEL4 update 4 and FDS 1.0.4.  My /etc/ldap.conf is configured with two host names.  I've noticed these issues:

  • If a machine is disconnected from the network, a login attempt as 'root' user (with local passwd file entry and password) fails.  The system appears to accept the password, but sits for maybe a minute, then dumps you back to the login prompt.  I've had to  boot off rescue CD and shell in to remove 'ldap' from the /etc/nsswitch.conf file to get around this in some instances.

    My relevant /etc/ldap.conf entries are:
    passwd:     files ldap
    shadow:     files
    group:      files ldap
    netgroup:   files ldap
  • I noticed that any randomly chosen client has a few connections to the ldap server that persist.  The connections are tied to processes that also should have local entries only in the local /etc/passwd files.  Here's an example:
    # netstat -a | grep ldap
    tcp       38      0 clienthostname:32771 serverhostname:ldap CLOSE_WAIT 
    # fuser 32771/tcp
    here: 32771
    32771/tcp:            3729
    # ps -ef | grep 3729 | grep -v grep
    ntp       3729     1  0 Feb23 ?        00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
    #
  • I notice that doing a "netstat -a" on the server that most clients are using takes a long time.  It spits out a bunch, then slows down when reporting the entries that are ESTABLISHED ldap connections:
    tcp        0      0 ldapserver:ldap ldapclient:35908 ESTABLISHED
    I see that some clients have very many connections; I would expect just one or two.  Here's one client that had a whole bunch; most disappeared before I could capture this bash shell command output.  This output is for jobs associated with ports connecting to ldap server:
    # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " -f1`; do for j in `fuser $i/tcp 2>/dev/null`; do ps --no-headers -fp $j; done; done
    xfs       2726     1  0 Feb20 ?        00:00:00 xfs -droppriv -daemon
    root      3138  3031  0 Feb20 ?        00:00:00 /usr/bin/gdm-binary bell-style none
    root      3418  3138  0 18:32 ?        00:00:02 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
    gdm       3430  3138  0 18:32 ?        00:00:00 /usr/bin/gdmgreeter
    root      2477  2617  0 18:22 ?        00:00:01 sshd: [EMAIL PROTECTED]/0
    root      2481  2477  0 18:22 pts/0    00:00:00 -tcsh

    I ran a similar command on a client computer where the user is running a lot of jobs, I got 53 lines of output.  Basically every job is maintaining an ldap connection, I guess.

  • I think I need to configure something such that the nsswitch.conf entry tells it to stop if it finds the 'files' entry and not proceed to the 'ldap' entry.  I thought this would happen by default.
  • I think the above problem is possibly leading to many more ldap connections than are necessary, which in turn may be causing performance issues on the server, ALTHOUGH the cpu load and memory load do not appear inordinately heavy.
  • I tried running nscd (for caching the info) once; it seemed to cause too many problems, so I turned it off.  I have tried something like implementing pam_ccache; I don't think it would help the too-many-connections, just the issue with no logins when off the net.
  • Here's my /etc/ldap.conf minus the usual comment lines; I'm doing anonymous binds.  Maybe there's some keepalive flag that should be set or unset?:
    host server1 server2
    base dc=example,dc=com
    ldap_version 3
    scope sub
    bind_timelimit 10
    pam_lookup_policy yes
    pam_password exop
    nss_base_passwd         ou=People,dc=example,dc=com?one
    nss_base_group          ou=Group,dc=example,dc=com?one
    nss_base_services       ou=Services,dc=example,dc=com?one
    nss_base_aliases        ou=Aliases,dc=example,dc=com?one
    nss_base_netgroup       ou=Netgroup,dc=example,dc=com?one
    ssl start_tls
    tls_checkpeer yes
    tls_cacertfile /usr/share/ssl/certs/servercert.pem
    tls_ciphers TLSv1
    pam_password md5
Any suggestions on what I might be doing wrong are greatly appreciated!

-Marty

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
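A configuration worked through for the symptoms in the post above (added here as an example; it is not from the original mail or from the Fedora Directory Server project): the nsswitch.conf lookup actions written out explicitly next to the defaults, and nss_ldap directives that bound how long an offline client waits for a bind and how many persistent connections each process keeps. It assumes the nss_ldap shipped with the RHEL3/RHEL4 clients accepts these directives; confirm each one in ldap.conf(5) on the client before relying on it.

```conf
# /etc/nsswitch.conf
# glibc already stops after a successful "files" lookup; the default action
# list for every service is [SUCCESS=return NOTFOUND=continue UNAVAIL=continue
# TRYAGAIN=continue], so writing it out changes nothing for getpwnam().
passwd:     files [SUCCESS=return] ldap
shadow:     files
group:      files [SUCCESS=return] ldap
netgroup:   files ldap
# Caveat: initgroups(), which every login runs to collect supplementary groups,
# queries ALL listed services regardless of these actions. That is the LDAP
# call a disconnected root login hangs on, and it is why the ignoreusers
# directive below matters more than the nsswitch actions.

# /etc/ldap.conf additions (nss_ldap directives; assumed supported by the
# installed nss_ldap version, values are constructed for this example)
bind_policy soft            # give up on an unreachable server instead of retrying
                            # indefinitely (the default, "hard", is what causes the
                            # long stall before the login prompt returns)
bind_timelimit 5            # seconds to wait for a bind before trying the next host
timelimit 10                # seconds to wait for a search result
nss_initgroups_ignoreusers root,ntp,xfs,gdm
                            # never ask LDAP for group membership of these local
                            # accounts; root can log in with the network down and
                            # daemons such as ntpd stop holding an LDAP socket
idle_timelimit 60           # close a connection that has been idle this long rather
                            # than leaving it sitting in CLOSE_WAIT on the client
nss_connect_policy oneshot  # one connection per lookup, closed afterwards, instead of
                            # a persistent connection held open by every process
```

On the server side, `netstat -an` lists the connections without reverse DNS lookups, which is the usual reason the plain `netstat -a` output slows to a crawl on the ESTABLISHED entries.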
