On Nov 7, 2011, at 4:18 PM, Raymond wrote:

> I have installed and configured the puppet client nodes to use LDAP to
> authenticate users.
> LDAP connection is OK and user can be authenticated via LDAP.
> I use nscd and with my ldap config setting specify on /etc/ldap.conf
>
> However, puppet is not happy; and in the /var/log/messages it gives
> tons of
>
> puppet-agent[27499]: nss_ldap: could not search LDAP server
> puppet-agent[27499]: nss_ldap: reconnecting to LDAP server
>
> I guess LDAP server connection is slow or timeout, but could we
> configure puppet client NOT to use LDAP specify on nsswitch.conf
>
> I search previous post; and somebody suggests to fix LDAP locally. I
> think that is the ideal way; but if I don't have control on LDAP. Give
> up Puppet or LDAP?
>
> I think should have way to configure puppet not to use the host
> setting set on nsswitch.conf.
> /etc/sysconfig/puppet or /etc/puppet/puppet.conf <--- anywhere we
> can tell puppet to use alternative auth way other than the default
> system /etc/nsswitch.conf

----

First of all, it's just a log entry that isn't necessarily a problem but indicates that perhaps some LDAP reconfiguration is probably a good idea.

Doesn't puppet-agent use root? Why is puppet-agent looking to LDAP for root user credentials?

You probably should be looking at (or adding) these types of entries in /etc/ldap.conf

    timelimit 10
    bind_timelimit 4
    bind_policy soft
    nss_initgroups_ignoreusers \
      openldap,bind,named,ldap,backup,bin,daemon,games,gnats,\
      irc,landscape,libuuid,list,lp,mail,man,news,openldap,proxy,\
      root,sshd,sync,sys,syslog,uucp,www-data

though you should check the man pages and test for your optimal settings and the nss_initgroups_ignoreusers list I am presenting is sort of a hybrid Ubuntu/CentOS list and your list of 'local' (not LDAP) users would likely be different.

Also FWIW, I have always found nscd to be a bit painful and perhaps you can get better utility from nslcd if it's available for your distribution.

nsswitch.conf is an all or none proposition.

Craig
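
Added example (not part of the original thread): since the nss_initgroups_ignoreusers list differs per host, this sketch reports which local system accounts in a passwd file are missing from the list in an nss_ldap config, joining backslash continuations as written in the list above. The function names, the UID cutoff of 999 and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Report local system accounts that are absent from nss_initgroups_ignoreusers.
# usage: missing_from_ignore_list <ldap.conf> <passwd> [max_system_uid]
# max_system_uid defaults to 999 (assumption; match your distribution's UID split).
missing_from_ignore_list() {
    awk -v max="${3:-999}" '
        FILENAME == ARGV[1] {                  # pass 1: nss_ldap config
            sub(/[ \t\r]+$/, "")
            if ($0 ~ /\\$/) {                  # line continues: buffer and read on
                sub(/\\$/, ""); buf = buf $0; next
            }
            line = buf $0; buf = ""
            if (line ~ /^[ \t]*nss_initgroups_ignoreusers[ \t]/) {
                sub(/^[ \t]*nss_initgroups_ignoreusers[ \t]+/, "", line)
                gsub(/[ \t]/, "", line)
                n = split(line, u, ",")
                for (i = 1; i <= n; i++) ignored[u[i]] = 1
            }
            next
        }
        {                                      # pass 2: passwd-format file
            if (split($0, f, ":") < 3 || f[1] ~ /^#/ || f[3] !~ /^[0-9]+$/) next
            if (f[3] + 0 <= max && !(f[1] in ignored)) { out = out sep f[1]; sep = "," }
        }
        END { print out }
    ' "$1" "$2"
}

# Constructed sample input, not taken from any real host.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/ldap.conf" <<'EOF'
timelimit 10
bind_policy soft
nss_initgroups_ignoreusers \
    root,daemon,\
    sshd
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
raymond:x:1000:1000::/home/raymond:/bin/bash
EOF
    missing_from_ignore_list "$d/ldap.conf" "$d/passwd"
    rm -rf "$d"
}
demo   # prints: ntp,puppet
```

On a real node the call would be missing_from_ignore_list /etc/ldap.conf /etc/passwd; an empty result means every local system account is already listed.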