Re: slapd won't start with nss_ldap.conf

2008-05-09 Thread Jonathan McKeown
On Friday 09 May 2008 14:36, Robert Fitzpatrick wrote:
> On a FreeBSD 6.1 with openldap-server-2.3.39, I have set up nss_ldap and
> pam_ldap, but cannot get slapd to start as long as I have nss_ldap.conf
> present, it just hangs and nothing in the messages or debug logs. I just
> copied ldap.conf to nss_ldap.conf, see contents below.

To try and identify the problem, can I ask - when you say slapd doesn't start, 
how long have you waited?

There is a chicken-and-egg problem with slapd on a host which is running 
nss_ldap. To start a process, the system has to adopt the user and group 
privileges of the process owner, which means enumerating all the groups for 
that user from every source of group information - including LDAP on a system 
running nss_ldap.

So, to start slapd, the system needs the group info for user ldap - from 
slapd. It times out and retries a few times, and eventually starts slapd 
using the group information from /etc/passwd and /etc/group, but the timeout 
and retry options by default take several minutes.

The delay can be even longer depending how many other services are being 
started first and therefore how many nss_ldap lookup timeouts occur during 
boot.

There are a number of possible solutions depending which version of nss_ldap 
you're running - searching for nss_ldap bind_policy nss_reconnect_tries will 
produce a number of suggestions and "problem reports".

Jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
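As an added illustration (not part of the thread, and not the poster's actual file): the two nss_ldap.conf variants the discussion above contrasts, a straight copy of ldap.conf beside one tuned with the bind_policy / nss_reconnect_* options Jonathan names. The option names, their defaults and the 4-8-16-32-64 s backoff figures are quoted from memory of nss_ldap's sample ldap.conf and ldap.conf(5) and may differ by version; the host, base, credentials and file path are placeholders, and nss_initgroups_ignoreusers is only available where the installed nss_ldap supports it.

```conf
# Added example, not from the thread. Two versions of nss_ldap.conf on a
# host that also runs slapd. Option names and the quoted defaults are from
# nss_ldap's sample ldap.conf / ldap.conf(5) as recalled, not verified against
# the poster's version; host, base and credentials are placeholders.

# --- 1. Straight copy of ldap.conf (the original poster's situation) ---
# Nothing limits retries, so every NSS lookup made while slapd is still
# down inherits nss_ldap's defaults: bind_policy hard and a reconnect loop
# that sleeps 4, 8, 16, 32 and 64 seconds (about two minutes per lookup).
# The group enumeration for user "ldap" at slapd startup therefore blocks
# for minutes before the rc script falls back to /etc/passwd and /etc/group.
host 127.0.0.1
base dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD

# --- 2. Same file, tuned so slapd can come up while LDAP is unreachable ---
host 127.0.0.1
base dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD

# Fail a lookup when the server is down instead of retrying with backoff.
bind_policy soft
# Cap how long one connect and one search may take (seconds).
bind_timelimit 5
timelimit 5
# Bound the reconnect loop for any code path that still uses it.
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
# Do not ask LDAP for the supplementary groups of the accounts that must
# exist before LDAP does; initgroups() for them is answered from /etc/group.
nss_initgroups_ignoreusers root,ldap
```

After changing the file, time a lookup for the slapd account with the directory stopped (for example `getent group ldap` or `id ldap` on FreeBSD); it should return from the flat files almost immediately rather than after the backoff schedule.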


Re: slapd won't start with nss_ldap.conf

2008-05-09 Thread Robert Fitzpatrick
On Fri, 2008-05-09 at 22:44 +0200, Jonathan McKeown wrote:
> On Friday 09 May 2008 14:36, Robert Fitzpatrick wrote:
> > On a FreeBSD 6.1 with openldap-server-2.3.39, I have set up nss_ldap and
> > pam_ldap, but cannot get slapd to start as long as I have nss_ldap.conf
> > present, it just hangs and nothing in the messages or debug logs. I just
> > copied ldap.conf to nss_ldap.conf, see contents below.
>
> So, to start slapd, the system needs the group info for user ldap - from 
> slapd. It times out and retries a few times, and eventually starts slapd 
> using the group information from /etc/passwd and /etc/group, but the timeout 
> and retry options by default take several minutes.
>

Seems my core problem is something wrong with the openldap setup on that
box. I had taken the slave ldap server up to 2.3.41 and it was not
having this slapd/nss_ldap startup problem. I don't know if it is bad
with a syncrepl slave on an earlier version than the master, but I just didn't
want to mess with the master until it proved OK, and all seems perfectly
great on the slave except my boot order issue.

Thanks for the response, and yes, the openldap list owner finally
rejected my message and gave me the pointer to start slapd with the
owner and group by id instead of name. After reading the start script to
get the owner and group by id in the rc.conf file, I am now starting the
process in that way. While doing that I realized that I can handle boot
order by name of the file and gave it a prefix of 001. I will test my
changes tomorrow when I go on site to replace a UPS. If all goes well on
the slave, I'll upgrade the master and see if my pesky nss_ldap issue
goes away. And, yes, I was only waiting the length of time it normally
took when the nss_ldap.conf file was missing, a few seconds max.

-- 
Robert



Re: slapd won't start with nss_ldap.conf

2008-05-09 Thread Jonathan McKeown
On Friday 09 May 2008 23:09, Robert Fitzpatrick wrote:
> On Fri, 2008-05-09 at 22:44 +0200, Jonathan McKeown wrote:
> > On Friday 09 May 2008 14:36, Robert Fitzpatrick wrote:
> > > On a FreeBSD 6.1 with openldap-server-2.3.39, I have set up nss_ldap and
> > > pam_ldap, but cannot get slapd to start as long as I have nss_ldap.conf
> > > present, it just hangs and nothing in the messages or debug logs. I
> > > just copied ldap.conf to nss_ldap.conf, see contents below.
> >
> > So, to start slapd, the system needs the group info for user ldap - from
> > slapd. It times out and retries a few times, and eventually starts slapd
> > using the group information from /etc/passwd and /etc/group, but the
> > timeout and retry options by default take several minutes.
>
> Seems my core problem is something wrong with the openldap setup on that
> box. I had taken the slave ldap server up to 2.3.41 and it was not
> having this slapd/nss_ldap startup problem. I don't know if it is bad
> with a syncrepl slave on an earlier version than the master, but I just didn't
> want to mess with the master until it proved OK, and all seems perfectly
> great on the slave except my boot order issue.

It depends what else you upgraded while changing the openldap server. Earlier 
versions of nss_ldap had much shorter timeouts, I believe, which means the 
problem only manifested itself after a certain version of nss_ldap.

> Thanks for the response, and yes, the openldap list owner finally
> rejected my message and gave me the pointer to start slapd with the
> owner and group by id instead of name. After reading the start script to
> get the owner and group by id in the rc.conf file, I am now starting the
> process in that way. While doing that I realized that I can handle boot
> order by name of the file and gave it a prefix of 001.

Errr, not sure what you're talking about here: man rcorder will tell you the 
normal way to control startup order on a recent FreeBSD. I think you'd have 
to be doing something rather unusual to force the old behaviour you seem to 
be talking about... As far as starting up with a numeric id rather than a 
user name, I'm not sure that will stop the lookup of group information which 
is actually causing the problem.

Good luck.

Jonathan