Hi list,

I'm having trouble with nss_ldap on our SLC4 box (set up to fetch updates from 4x). It is fully updated and versions of interesting packages are these:

    nscd-2.3.4-2.39
    nss_ldap-226-20

My /etc/openldap/ldap.conf looks like this:

    URI ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/ ldap://ldap1.farm.particle.cz/
    # this is one line
    BASE dc=farm,dc=particle,dc=cz
    TLS_CACERT /etc/openldap/cesnet.pem
    TLS_REQCERT demand
    TIMELIMIT 5

/etc/ldap.conf:

    base ou=People,dc=farm,dc=particle,dc=cz
    timelimit 5
    bind_timelimit 5
    idle_timelimit 3600
    pam_member_attribute gid
    pam_password exop
    nss_base_passwd ou=People,dc=farm,dc=particle,dc=cz?sub
    nss_base_passwd ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
    nss_base_shadow ou=People,dc=farm,dc=particle,dc=cz?sub
    nss_base_shadow ou=Poolaccounts,dc=farm,dc=particle,dc=cz?sub
    nss_base_group ou=Groups,dc=farm,dc=particle,dc=cz?sub
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
    # nss_initgroups_ignoreusers and root,... is on one line
    tls_checkpeer yes
    tls_cacertfile /etc/openldap/cesnet.pem
    uri ldap://ldap3.farm.particle.cz/ ldap://ldap2.farm.particle.cz/ ldap://ldap1.farm.particle.cz/
    # one line again
    ssl start_tls
    pam_password md5

/etc/nsswitch.conf:

    passwd: files ldap
    shadow: files
    group: files ldap
    hosts: files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files
    netgroup: files
    publickey: nisplus
    automount: files
    aliases: files nisplus

These files are adapted from system-config-auth's output on a SL51 box.

When nscd breaks, then after ssh into that box, I see the message about last login, but the connection is closed immediately. When I issue `id` as root from an already-opened connection, it doesn't print anything (and root is in /etc/passwd). Stracing the nscd shows that it has too many open files and I can see a lot (about 1000) of sockets in /proc/$nscd_pid/fd/. Google suggests that this is a result of a bug in either nscd or any of the libs it uses, in my case obviously nss_ldap.

So, has anybody else seen such behavior? Any workarounds?

Cheers, -jkt
