Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Bertram Scharpf
Hi,

On Monday, 29 Oct 2007, 07:45:48 -0400, Mike Frysinger wrote:
 On Monday 22 October 2007, Bertram Scharpf wrote:
  when setting up LDAP Pam authentication I encountered a
  problem that seems to be neither Slapd- nor
  nss_ldap-specific.
 
 for future reference, this belongs on the users list or the forums, not the 
 development list

I asked this to the users list. My question was totally
ignored. I asked the OpenLDAP list, too. There I was
blocked; they told me I was off-topic. 'nss_ldap' itself
has no list as far as I can see. Where else should I ask?
microsoft.public.outlook.general?

Thanks again to Michael, Alec and Benjamin who helped me a lot.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Mike Frysinger
On Monday 22 October 2007, Bertram Scharpf wrote:
 when setting up LDAP Pam authentication I encountered a
 problem that seems to be neither Slapd- nor
 nss_ldap-specific.

for future reference, this belongs on the users list or the forums, not the 
development list
-mike




Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Mike Frysinger
On Monday 29 October 2007, Bertram Scharpf wrote:
 On Monday, 29 Oct 2007, 07:45:48 -0400, Mike Frysinger wrote:
  On Monday 22 October 2007, Bertram Scharpf wrote:
   when setting up LDAP Pam authentication I encountered a
   problem that seems to be neither Slapd- nor
   nss_ldap-specific.
 
  for future reference, this belongs on the users list or the forums, not
  the development list

 I asked this to the users list. My question was totally
 ignored. I asked the OpenLDAP list, too. There I was
 blocked; they told me I was off-topic. 'nss_ldap' itself
 has no list as far as I can see. Where else should I ask?
 microsoft.public.outlook.general?

while that sucks, it still does not make it appropriate for this list
-mike




Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Bertram Scharpf
Hi,

On Monday, 29 Oct 2007, 08:47:28 -0400, Mike Frysinger wrote:
 while that sucks, it still does not make it appropriate for this list

As I wrote in the first post the problem appeared when I
upgraded from glibc-2.5-r4 to glibc-2.6.1. At this point of
time I was not able to decide whether the problem was
Gentoo-specific or not.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Robin H. Johnson
On Mon, Oct 22, 2007 at 09:56:59PM +0200, Bertram Scharpf wrote:
 Hi,
 
 On Monday, 22 Oct 2007, 15:30:59 +0200, Michael Hanselmann wrote:
  On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
   Therefore I suppose the slapd daemon tries to obtain passwd/shadow
   information for ldap via nss_ldap.
  
  Yes, it does. Therefore, use something like the following line in
  /etc/ldap.conf:
  
nss_initgroups_ignoreusers root,ldap,cron,portage 
 
 Ah, I did not know this yet. I see the problem in whole is
 more complicated.
 
 Even though Alec enters caveats I will use the ignore
 solution for now. What was troubling me was that I didn't
 know what was going on at all.
I was busy with other things, so I didn't get to this.

It's not unique to Gentoo, but rather it is more apparent on Gentoo
because of how users do things. 

The RHEL documentation on LDAP server (mind you, I last read it before
they did their own Fedora Directory Server) had big warnings about not
using nss_ldap on the machine that housed your slapd.

Secondly, the glibc NSS lookup for a numeric UID has a nasty bit in it:
for S in NSS-sources:
    lookup for U in the numeric column
    if found, return.
    lookup for U in the key column (pw_name)
    if found, return.

Doing the "U is member of groups" lookup is even worse, since it doesn't
break out of the loop as soon as possible (hence why the
initgroups_ignoreusers setting is important).

Now if you are doing a lookup for a non-existent numeric UID, this means
that you hit the files backend twice, and the LDAP backend twice.

If slapd is not available (either because it is local and not started
yet, OR because networking is not available yet), the LDAP lookups will
time out. The Gentoo stock /etc/ldap.conf that powers nss_ldap has
settings to try to minimize the cost of the timeouts, that uses a
timeout of 15 seconds per lookup.

I discussed this previously with Uberlord, I can't recall the bug #.
The net of it is that _every_ UID and GID used (and yes, even doing an
ls can hit them!) must be present in the core system data, or the
timeout penalty must be paid for each lookup.

It's easy to fall foul of this. Somewhere around, there was a NSS module
that just logged every lookup instead of performing them, and it is
astounding how many lookups take place during boot.

-- 
Robin Hugh Johnson
Gentoo Linux Developer  Infra Guy
E-Mail : [EMAIL PROTECTED]
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
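A simulation of the lookup walk Robin describes, added here as an example; it is not code from the thread or from glibc. It models the order "passwd: files ldap" over constructed accounts, applies the 15-second timeout Robin quotes to every query that reaches an unreachable ldap source, and counts how many backend queries a numeric UID lookup and an initgroups call cost. It goes one step beyond the text by also modelling nss_initgroups_ignoreusers as the ldap source answering "not found" without contacting slapd. The Source class, the sample accounts and the per-query application of the timeout are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Per-lookup timeout Robin attributes to Gentoo's stock /etc/ldap.conf.
LDAP_TIMEOUT_S = 15


@dataclass
class Source:
    """One nsswitch.conf source ('files' or 'ldap') over constructed sample data."""
    name: str
    passwd: Dict[str, int]          # pw_name -> pw_uid
    groups: Dict[str, List[str]]    # group name -> member names
    reachable: bool = True          # False models slapd not listening yet
    lookups: int = 0                # queries sent to this backend
    seconds: float = 0.0            # wall-clock burned waiting on it

    def _query(self) -> bool:
        """Account for one backend call; an unreachable source costs a full timeout."""
        self.lookups += 1
        if not self.reachable:
            self.seconds += LDAP_TIMEOUT_S
            return False
        return True

    def by_uid(self, uid: int) -> Optional[str]:
        if not self._query():
            return None
        return next((n for n, u in self.passwd.items() if u == uid), None)

    def by_name(self, name: str) -> Optional[int]:
        if not self._query():
            return None
        return self.passwd.get(name)

    def groups_of(self, user: str) -> List[str]:
        if not self._query():
            return []
        return [g for g, members in self.groups.items() if user in members]


def resolve_uid(uid: int, sources: List[Source]) -> Optional[str]:
    """The walk Robin describes: per source, probe the numeric column, then the
    key column (pw_name) with the same value, returning at the first hit."""
    for src in sources:
        name = src.by_uid(uid)
        if name is not None:
            return name
        if src.by_name(str(uid)) is not None:
            return str(uid)
    return None


def initgroups(user: str, sources: List[Source], ignoreusers: Iterable[str] = ()) -> List[str]:
    """Group-membership lookup: every source is consulted (no early exit).
    nss_initgroups_ignoreusers makes the ldap source answer 'not found' for the
    listed users without contacting slapd, modelled here by skipping it."""
    ignored = set(ignoreusers)
    found: List[str] = []
    for src in sources:
        if src.name == "ldap" and user in ignored:
            continue
        found.extend(src.groups_of(user))
    return sorted(set(found))


def cost(sources: List[Source]) -> Tuple[int, float]:
    """(total backend queries, total seconds spent waiting on timeouts)."""
    return sum(s.lookups for s in sources), float(sum(s.seconds for s in sources))


def make_sources(ldap_up: bool) -> List[Source]:
    """nsswitch.conf order 'passwd: files ldap' over constructed accounts."""
    files = Source("files",
                   {"root": 0, "ldap": 439, "cron": 16, "portage": 250},
                   {"root": ["root"], "ldap": ["ldap"], "wheel": ["root"]})
    ldap = Source("ldap", {"alice": 10001}, {"staff": ["alice"]}, reachable=ldap_up)
    return [files, ldap]


if __name__ == "__main__":
    scenarios = [("getpwuid(439), slapd down", lambda s: resolve_uid(439, s)),
                 ("getpwuid(12345), slapd down", lambda s: resolve_uid(12345, s)),
                 ("initgroups(ldap), no ignore", lambda s: initgroups("ldap", s)),
                 ("initgroups(ldap), ignored", lambda s: initgroups("ldap", s, {"ldap"}))]
    for label, fn in scenarios:
        srcs = make_sources(ldap_up=False)
        result = fn(srcs)
        queries, secs = cost(srcs)
        print(f"{label:30} -> {result!r:12} {queries} queries, {secs:.0f}s waiting")
```

Run as a script it prints the four scenarios: a UID present in files costs one query and no wait, a UID that exists nowhere hits files twice and ldap twice (30 s with slapd down), and initgroups for the ldap account still pays one timeout unless the account is listed in nss_initgroups_ignoreusers.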




Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Bertram Scharpf
Hi,

On Monday, 29 Oct 2007, 12:41:51 -0400, Mike Frysinger wrote:
 On Monday 29 October 2007, Bertram Scharpf wrote:
  On Monday, 29 Oct 2007, 08:47:28 -0400, Mike Frysinger wrote:
   while that sucks, it still does not make it appropriate for this list
 
  As I wrote in the first post the problem appeared when I
  upgraded from glibc-2.5-r4 to glibc-2.6.1. At this point of
  time I was not able to decide whether the problem was
  Gentoo-specific or not.
 
 the context of not appropriate is not this list as in Gentoo specific, 
 but as in this list is for development, not support

I may venture to assume that repetitive error messages of
that plenty could be seen at least as a documentation bug.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-29 Thread Josh Saddler
Chris Gianelloni wrote:
 I may venture to assume that repetitive error messages of
 that plenty could be seen at least as a documentation bug.
 
 Which should be filed as a bug report or sent to the gentoo-doc list.

It's not a Gentoo documentation bug, so don't bother to file one, nor
mention it on the gentoo-doc list. It's not our problem, either.

If anything, file a bug with LDAP upstream or with RHEL's documentation;
robbat2 mentioned their docs in an earlier message.







[gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Bertram Scharpf
Hi,

when setting up LDAP Pam authentication I encountered a
problem that seems to be neither Slapd- nor
nss_ldap-specific.

When running the init script there comes up an error that
clutters up my syslog with a lot of useless error messages:

  @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $ [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
  nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
  nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
  nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
  ...
  nss_ldap: could not search LDAP server - Server is unavailable
  WARNING: No dynamic config support for database ldbm.
  slapd starting

I found out that the Gentoo init script activates the
options -u ldap -g ldap. Without them, the error messages
do not appear. Therefore I suppose the slapd daemon tries to
obtain passwd/shadow information for ldap via nss_ldap. At
least when I say compat in nsswitch.conf, the error
message doesn't appear either.

The thing I really wonder about is that the lines in
nsswitch.conf say

  passwd: files ldap
  shadow: files ldap
  group:  files ldap

The files should be searched first. The ldap information
is present in all three of them. I even tried to chown the
shadow file to ldap but this didn't save me from the weird
messages either.

I detected I have a machine where this didn't happen. Then I
upgraded from glibc-2.5-r4 to glibc-2.6.1 ...

I tried to stuff log statements into glibc's nss part but
I'm not experienced enough in glibc to do that in finite
time.

Could this be a real bug in glibc or any of its patches?
Does anybody experience the same behaviour?

Thanks in advance,

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Benjamin Smee
On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
 Hi,

 when setting up LDAP Pam authentication I encountered a
 problem that seems to be neither Slapd- nor
 nss_ldap-specific.

 When running the init script there comes up an error that
 clutters up my syslog with a lot of useless error messages:

   @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $ [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
   nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
   nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
   nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
   ...
   nss_ldap: could not search LDAP server - Server is unavailable
   WARNING: No dynamic config support for database ldbm.
   slapd starting

 I found out that the Gentoo init script activates the
 options -u ldap -g ldap. Without them, the error messages
 do not appear. Therefore I suppose the slapd daemon tries to
 obtain passwd/shadow information for ldap via nss_ldap. At
 least when I say compat in nsswitch.conf, the error
 message doesn't appear either.

instead of -u ldap -g ldap, try putting in the UID and GID. This should stop 
the calls to the server.

 The files should be searched first. The ldap information
 is present in all three of them. I even tried to chown the
 shadow file to ldap but this didn't save me from the weird
 messages either.

Don't play with the perms on /etc/shadow, you're just opening up security 
holes.


-- 
Benjamin Smee (strerror)
net-mail/netmon/forensics/crypto/ldap
Fingerprint: 497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Bertram Scharpf
Hi,

On Monday, 22 Oct 2007, 13:44:19 +0100, Benjamin Smee wrote:
 On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
 
    @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $ [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
    nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
    nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
    nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
    ...
    nss_ldap: could not search LDAP server - Server is unavailable
 
  I found out that the Gentoo init script activates the
  options -u ldap -g ldap. Without them, the error messages
  do not appear. Therefore I suppose the slapd daemon tries to
  obtain passwd/shadow information for ldap via nss_ldap. At
  least when I say compat in nsswitch.conf, the error
  message doesn't appear either.
 
 instead of -u ldap -g ldap, try putting in the UID and GID. This should stop 
 the calls to the server.

I forgot to mention that I tried this, too. The same
messages appear.

Is there a way to determine _what_ nss is asked for?

  I even tried to chown the
  shadow file to ldap but this didn't save me from the weird
  messages either.
 
 Don't play with the perms on /etc/shadow, you're just opening up security 
 holes.

That was just for a minute. Of course I recovered the
previous state immediately.

Thanks anyway so far,

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Michael Hanselmann
Hi

On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
 Therefore I suppose the slapd daemon tries to obtain passwd/shadow
 information for ldap via nss_ldap.

Yes, it does. Therefore, use something like the following line in
/etc/ldap.conf:

  nss_initgroups_ignoreusers root,ldap,cron,portage 

Greets,
Michael

-- 
http://hansmi.ch/
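A configuration check, added here as an example and not code from the thread or from nss_ldap, that reads the three things this thread turns on: the source order in nsswitch.conf, whether the accounts that init scripts switch to before slapd listens are present in the local passwd file (Robin's point later in the thread that every UID used during boot must be in the core system data), and whether each of them is listed in nss_initgroups_ignoreusers as Michael suggests. The configuration fragments, the passwd lines and the BOOT_ACCOUNTS set are constructed for the example; the four account names are the ones Michael's line uses.

```python
import re
from typing import Dict, List, Set

# Constructed sample configuration fragments (not taken from a real host).
NSSWITCH_CONF = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

LDAP_CONF = """\
# /etc/ldap.conf as read by nss_ldap
base dc=example,dc=org
uri ldap://127.0.0.1/
nss_initgroups_ignoreusers root,ldap,cron
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cron:x:16:16:cron:/var/spool/cron:/bin/false
ldap:x:439:439:added by portage for openldap:/usr/lib/openldap:/sbin/nologin
"""

# Accounts looked up before slapd is listening (assumption: the four names
# from Michael's suggested ldap.conf line; adjust for your own init scripts).
BOOT_ACCOUNTS = {"root", "ldap", "cron", "portage"}


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, srcs = line.split(":", 1)
        dbs[db.strip()] = srcs.split()
    return dbs


def parse_ignoreusers(text: str) -> Set[str]:
    """Return the comma-separated users named by nss_initgroups_ignoreusers."""
    for line in text.splitlines():
        m = re.match(r"\s*nss_initgroups_ignoreusers\s+(\S+)", line)
        if m:
            return {u for u in m.group(1).split(",") if u}
    return set()


def parse_passwd_names(text: str) -> Set[str]:
    """Account names present in a passwd-format file."""
    return {l.split(":", 1)[0] for l in text.splitlines() if l and not l.startswith("#")}


def audit(nsswitch: str, ldap_conf: str, passwd: str, boot_accounts: Set[str]) -> List[str]:
    """Report settings that send boot-time lookups to a slapd that is not up yet."""
    findings: List[str] = []
    dbs = parse_nsswitch(nsswitch)
    for db in ("passwd", "group", "shadow"):
        srcs = dbs.get(db, [])
        if "ldap" in srcs and "files" in srcs and srcs.index("ldap") < srcs.index("files"):
            findings.append(f"nsswitch.conf: {db} consults ldap before files; "
                            "every local lookup waits on slapd first")
    local = parse_passwd_names(passwd)
    for user in sorted(boot_accounts - local):
        findings.append(f"passwd: '{user}' is not in the local passwd file; "
                        "its lookups fall through to ldap and pay the timeout")
    ignored = parse_ignoreusers(ldap_conf)
    for user in sorted(boot_accounts - ignored):
        findings.append(f"ldap.conf: '{user}' is not in nss_initgroups_ignoreusers; "
                        "initgroups for it will query ldap")
    return findings


if __name__ == "__main__":
    for finding in audit(NSSWITCH_CONF, LDAP_CONF, PASSWD, BOOT_ACCOUNTS):
        print(finding)
```

On the constructed input the check reports only the portage account, which is missing from both the local passwd file and the ignore list; point it at the real /etc/nsswitch.conf, /etc/ldap.conf and /etc/passwd to repeat the audit on a host.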




Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Alec Warner
On 10/22/07, Michael Hanselmann [EMAIL PROTECTED] wrote:
 Hi

 On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
  Therefore I suppose the slapd daemon tries to obtain passwd/shadow
  information for ldap via nss_ldap.

 Yes, it does. Therefore, use something like the following line in
 /etc/ldap.conf:

   nss_initgroups_ignoreusers root,ldap,cron,portage

ew, what if root is in some ldap groups? :)

But seriously while that most likely works, it's only hiding the
problem, not solving it.

Do other distributions just not run ldap as an unprivileged user?

We run slapd as 'ldap' at work, but do not have this problem (but we
are not running gentoo, obviously, our libraries are old and crufty).
I know robbat2 knows more about this problem, it just seems odd that
it's only us.

-Alec


 Greets,
 Michael

 --
 http://hansmi.ch/





Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Alec Warner
On 10/22/07, Bertram Scharpf [EMAIL PROTECTED] wrote:
 Hi,

 On Monday, 22 Oct 2007, 13:44:19 +0100, Benjamin Smee wrote:
  On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
  
     @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $ [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
     nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
     nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
     nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
     ...
     nss_ldap: could not search LDAP server - Server is unavailable
  
   I found out that the Gentoo init script activates the
   options -u ldap -g ldap. Without them, the error messages
   do not appear. Therefore I suppose the slapd daemon tries to
   obtain passwd/shadow information for ldap via nss_ldap. At
   least when I say compat in nsswitch.conf, the error
   message doesn't appear either.
 
  instead of -u ldap -g ldap, try putting in the UID and GID. This should stop
  the calls to the server.

 I forgot to mention that I tried this, too. The same
 messages appear.

 Is there a way to determine _what_ nss is asked for?

Sure, turn on nscd in super debug mode and you should see most, if not
all the requests.

-Alec


   I even tried to chown the
   shadow file to ldap but this didn't save me from the weird
   messages either.
 
  Don't play with the perms on /etc/shadow, you're just opening up security
  holes.

 That was just for a minute. Of course I recovered the
 previous state immediately.

 Thanks anyway so far,

 Bertram


 --
 Bertram Scharpf
 Stuttgart, Deutschland/Germany
 http://www.bertram-scharpf.de





Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Bertram Scharpf
Hi,

On Monday, 22 Oct 2007, 08:48:59 -0700, Alec Warner wrote:
 On 10/22/07, Bertram Scharpf [EMAIL PROTECTED] wrote:
  Is there a way to determine _what_ nss is asked for?
 
 Sure, turn on nscd in super debug mode and you should see most, if not
 all the requests.

A _really_ cool idea. Thanks!

It's indeed the initgroups query that starts to spin.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de



Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

2007-10-22 Thread Bertram Scharpf
Hi,

On Monday, 22 Oct 2007, 15:30:59 +0200, Michael Hanselmann wrote:
 On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
  Therefore I suppose the slapd daemon tries to obtain passwd/shadow
  information for ldap via nss_ldap.
 
 Yes, it does. Therefore, use something like the following line in
 /etc/ldap.conf:
 
   nss_initgroups_ignoreusers root,ldap,cron,portage 

Ah, I did not know this yet. I see the problem in whole is
more complicated.

Even though Alec enters caveats I will use the ignore
solution for now. What was troubling me was that I didn't
know what was going on at all.

Thank you both,

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de