Slapd restarting slowly
by Joe Tseng
I recently set up a file server using Fedora and configured it to run as a PDC with Samba and OpenLDAP. It had been running very smoothly until just last night, when I discovered that when I tried to restart the slapd service it would just sit there for a few minutes. After it did start I looked in /var/log/messages to see if I could glean some clues; it seems that as part of "service slapd start" the system would request information from slapd in order to restart slapd. Seems pretty circular to me... I did not note any type of success message when slapd finally did wake up from suspended animation.
I had not previously set slapd to generate a log file, but after I put that parameter in slapd.conf and restarted the service I still didn't get any output. I did get this from /var/log/messages:
$ sudo tail -f /var/log/messages
Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:23 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:39 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:01:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a directory)|0x20089|pictures
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a directory)|0x20089|pictures/porsche918
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: could not search LDAP server - Server is unavailable
I stopped the log when slapd was up and running:
$ sudo service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
$ sudo service slapd status
slapd (pid 5726) is running...
$ ps -ef | grep slapd
ldap 5726 1 0 21:04 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap
jtseng 5756 5501 0 21:05 pts/2 00:00:00 grep slapd
My includes for slapd are as follows:
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/ldapns.schema
I imagine I won't need all of those, but aside from core, inetorgperson, openldap, samba, autofs and ldapns I wouldn't know what I can discard. I know including various schemas can add to the boot time, but this has not shown itself to be a problem in the recent past. As far as users are concerned it's just me, the wife, my son and three workstations.
I hope someone can clue me in... Thanks.
- Joe
10 years, 1 month
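Two things the log above lets a practitioner check, written here as an added Python example (not the poster's code, and not from OpenLDAP or nss_ldap): how much of the slow start is the nss_ldap reconnect back-off (the 4, 8, 16, 32, 64 second sleeps in the log), and whether the host's NSS setup sends slapd's own start-up lookups back to slapd. When slapd is started with -u ldap it resolves that user and its groups through NSS. getpwnam() stops at the first source that answers, but initgroups() gathers memberships from every source on the group line, so having the ldap account in /etc/passwd does not by itself avoid an LDAP query; nss_ldap's ldap.conf has nss_initgroups_ignoreusers for exactly that case, and bind_policy soft makes a failed connect return at once instead of backing off. The nsswitch.conf, ldap.conf and passwd contents below are constructed assumptions (the page does not show them); the log lines are copied from the post.

```python
import re

# Constructed samples. Assumption: the poster's Fedora box resolves passwd and
# group through nss_ldap; the page shows the log but not these three files.
NSSWITCH_CONF = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

# /etc/ldap.conf is the nss_ldap client configuration, not slapd.conf.
LDAP_CONF_AS_IS = """\
uri ldap://hda.at.home ldap://127.0.0.1/
base dc=at,dc=home
bind_policy hard
"""
LDAP_CONF_FIXED = """\
uri ldap://hda.at.home ldap://127.0.0.1/
base dc=at,dc=home
bind_policy soft
nss_initgroups_ignoreusers root,ldap
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
"""

# Three reconnect lines copied from the post plus one unrelated smbd_audit line.
LOG = """\
Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a directory)|0x20089|pictures
Feb 28 21:00:23 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
"""

SLEEP_RE = re.compile(r"slapd(?:\[\d+\])?: nss_ldap: reconnecting .*\(sleeping (\d+) seconds\)")


def nss_ldap_sleep_seconds(log_text):
    """Seconds nss_ldap spent in reconnect back-off, summed from the log."""
    return sum(int(m.group(1)) for m in map(SLEEP_RE.search, log_text.splitlines()) if m)


def parse_nsswitch(text):
    """database -> list of sources, ignoring [STATUS=action] clauses."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_ldap_conf(text):
    """keyword -> value for the simple 'key value' lines nss_ldap uses."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def startup_lookup_findings(nsswitch_text, ldap_conf_text, passwd_text, run_as="ldap"):
    """Ways in which 'slapd -u <run_as>' can query LDAP (i.e. itself) before it listens."""
    dbs = parse_nsswitch(nsswitch_text)
    conf = parse_ldap_conf(ldap_conf_text)
    local_users = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}
    findings = []

    # initgroups() collects memberships from every source on the group line, so a
    # local account still triggers an LDAP query unless nss_ldap is told to skip it.
    if "ldap" in dbs.get("group", []):
        ignored = {u.strip() for u in conf.get("nss_initgroups_ignoreusers", "").split(",")}
        if run_as not in ignored:
            findings.append(f"group lookups for '{run_as}' reach ldap: add it to nss_initgroups_ignoreusers")

    # getpwnam() stops at the first source that answers, so 'files' before 'ldap'
    # is enough for the passwd lookup, provided the account really is in /etc/passwd.
    passwd_srcs = dbs.get("passwd", [])
    if "ldap" in passwd_srcs and (
        run_as not in local_users
        or "files" not in passwd_srcs
        or passwd_srcs.index("ldap") < passwd_srcs.index("files")
    ):
        findings.append(f"passwd lookup for '{run_as}' reaches ldap: list it in /etc/passwd and put files before ldap")

    # With bind_policy hard, nss_ldap retries a dead server with growing sleeps
    # (the 4/8/16/32/64 second lines in the log) instead of failing at once.
    if conf.get("bind_policy", "hard") == "hard":
        findings.append("bind_policy hard: lookups block while slapd is down; use bind_policy soft")
    return findings
```

Run against the "as is" samples the checker reports the initgroups and bind_policy findings and 28 seconds of back-off for the three copied lines; against the fixed ldap.conf it reports nothing. The same sum over the full log in the post (two rounds of 4+8+16+32+64) accounts for the minutes the restart sat there.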
OpenLDAP, Kerberos, Samba, PAM, How Do They Work Together?
by Nan Meng
Dear list members,
I hope amateur questions can be tolerated. I would make it
professional if I could. I'm a newbie to OpenLDAP and probably even
Linux, but I have to take care of an office network (Linux servers with
Linux and PC workstations) that features an email server, domain control,
file/printer sharing, user account management, web servers and so forth,
on my own without anyone's help.
Yesterday morning the power went down and so did our servers. After I
turned the servers back on, the account information system was no longer
working. Users weren't able to log in with their credentials anymore,
not even root. What I did was log in to the server (the Samba PDC,
LDAP server, Kerberos server, domain controller, email server) in
single-user mode, reset the root password, and add accounts for the other
individual users on the server. I know it was a bad idea. Although I got
some things working (email, file/printer sharing), there are still
other problems (PHP ldap_bind() from web servers fails, domain user
accounts and profiles fail to load correctly).
I know there is a centralized mechanism that handles user accounts with
the help of OpenLDAP, Kerberos, Samba, BerkeleyDB (and possibly other
things), but I don't have a clue how they work together. I had been
trying to learn from docs and books for a long time before this power
issue, but not very successfully.
My greatest problem is that I don't know how these things are working
together on my system. I believe I also lack some fundamental system
knowledge. I've been reading the docs available, but they're so abstract
to me and none of them seems to match our system configuration.
I'm hoping that I can get some help from here. Maybe someone can give
me some suggestions on how to troubleshoot such a scenario as a
newbie, or an entry point that I can follow in order to explore the
system. I believe you can tell that I'm totally confused here, without
being able to give much useful information about the problem and the
system. I'm sorry for my ignorance, but I really have tried to deal with it
myself. If this thread turns out to be annoying or ridiculous, please
ignore it, and I do apologize.
However, while I'm still struggling on the problem, if anyone could
help, I would really appreciate it. Thank you so much.
N.M.
slapd 2.2.24 will not start as non root user
by Iain M Conochie
Good Afternoon,
I am attempting to upgrade my openldap 2.4.x installation to the latest
release 2.4.24. I am compiling from source. I can start slapd as the
root user but I am unable to start as a non-root user (e.g. ldap). I am
receiving the following error message:
/opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXX.XXXXXXXX.XXX
slapd: sbind.c:76: ldap_simple_bind: Assertion `(
(ld)->ld_options.ldo_valid == 0x2 )' failed.
Aborted
Is the server attempting to bind to another LDAP server? This is the
"secondary" server on the network and I have the main LDAP server in
/etc/ldap.conf. Running an strace I do see slapd referencing this file:
open("/etc/ldap.conf", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0xb7fa1000
read(8, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 919
read(8, "", 4096) = 0
close(8) = 0
munmap(0xb7fa1000, 4096) = 0
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
geteuid32() = 0
brk(0x82b2000) = 0x82b2000
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
geteuid32() = 0
write(2, "slapd: sbind.c:76: ldap_simple_b"..., 95slapd: sbind.c:76:
ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )'
failed.
) = 95
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(9691, 9691, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
Process 9691 detached
Does anyone have any ideas here?
Regards
Iain M Conochie
openldap does not want to write log files?
by Mauricio Tavares
I am feeling rather confused here. I installed OpenLDAP on a
Solaris 10/SPARC box but I cannot seem to persuade it to write to a log
file. FYI, right now I am running slapd as root, so permissions AFAIK
should not be the issue. Also FYI, syslog here is the old,
non-rsyslog/syslog-ng variety.
So, in the /etc/syslog.conf file I have:
local4.info /var/log/ldap.log
local4.err /var/log/ldap.log
local4.notice /var/log/ldap.log
which makes me think I should be covering every possible message sent
by slapd. Now /var/log/ldap.log is created as
-rw------- 1 root sys 0 Feb 28 16:21 ldap.log
and in the slapd.conf file I have
loglevel 11560
logfile /var/log/slapd.log
which should mean slapd is blabbing a lot to the log file.
Also note that I am telling it to write to /var/log/slapd.log:
-rw------- 1 root sys 0 Mar 1 07:39 slapd.log
When I start slapd (after restarting syslog just in case), nothing is
written to either log file. In fact, the only clue that something
happened is that the date on slapd.log changed:
-rw------- 1 root sys 0 Feb 28 16:21 ldap.log
-rw------- 1 root sys 0 Mar 1 07:40 slapd.log
Anything I am missing here?
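Two facts a practitioner would put next to this setup before touching anything else: slapd sends its loglevel messages to syslog facility LOG_LOCAL4 by default (the -l option changes the facility), while the logfile directive in slapd.conf only copies the debug stream slapd prints when run with -d, so without -d that file stays empty; and in a classic Solaris syslog.conf the selector and the action must be separated by a tab, and facility.level already matches that level and everything more severe, so local4.info alone covers err and notice. The Python below is an added example (not the poster's code, not from OpenLDAP) that decodes an integer loglevel into its slapd.conf(5) bit names and lints the selectors for one facility. The syslog.conf text is the poster's three lines written with spaces, which is an assumption since the page does not preserve the original whitespace.

```python
import re

# slapd loglevel bits as listed in slapd.conf(5); 'cache' and 'index' are no longer used.
LOGLEVEL_BITS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER", 32: "filter",
    64: "config", 128: "ACL", 256: "stats", 512: "stats2", 1024: "shell",
    2048: "parse", 4096: "cache", 8192: "index", 16384: "sync", 32768: "none",
}

# Classic syslog priorities, least to most severe; "fac.pri" matches pri and above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# The poster's three selectors written with spaces (assumption: the page does not
# preserve whitespace), and the single tab-separated line that covers the same messages.
SYSLOG_AS_POSTED = (
    "local4.info /var/log/ldap.log\n"
    "local4.err /var/log/ldap.log\n"
    "local4.notice /var/log/ldap.log\n"
)
SYSLOG_FIXED = "local4.info\t/var/log/ldap.log\n"


def decode_loglevel(level):
    """Names of the loglevel bits set in an integer slapd loglevel."""
    if level == -1:
        return ["any"]
    names = [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]
    unknown = level & ~sum(LOGLEVEL_BITS)
    if unknown:
        names.append(f"unknown 0x{unknown:x}")
    return names


def check_syslog_conf(text, facility="local4"):
    """Lint the rules for one facility in a classic (Solaris-style) syslog.conf."""
    issues, rules = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = re.match(r"^(\S+)(\s+)(\S.*)$", raw)
        if not m:
            issues.append(f"line {n}: cannot split selector from action")
            continue
        selector, sep, action = m.groups()
        if "\t" not in sep:
            issues.append(f"line {n}: selector and action must be separated by a tab")
        for part in selector.split(";"):
            fac, _, pri = part.partition(".")
            if fac in (facility, "*"):
                rules.append((n, pri, action))

    lowest = {}  # action -> least severe priority already routed there
    for n, pri, action in rules:
        if pri not in PRIORITIES:
            issues.append(f"line {n}: unknown priority '{pri}'")
            continue
        rank = PRIORITIES.index(pri)
        if action in lowest and lowest[action] <= rank:
            issues.append(f"line {n}: {facility}.{pri} already covered by "
                          f"{facility}.{PRIORITIES[lowest[action]]} -> {action}")
        else:
            lowest[action] = rank
    return issues
```

decode_loglevel(11560) gives conns, filter, stats, shell, parse and index; stats (256) is the bit that produces the connection, operation and result lines most people mean by "a log", and it is already part of 11560, so the value is not the reason nothing appears. The linter flags the three space-separated lines and the two redundant selectors; the single tab-separated local4.info line passes.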
multiple certificates on one LDAP server
by Yann CUEFF
Hello,
Does anyone know how to use multiple certificates on one LDAP server?
I need to use Thawte/Verisign SSL certificate and self signed SSL
certificate on one LDAP server.
I don't find any information about that.
Regards,
Yann
Poor performance on Solaris
by Juergen.Sprenger@swisscom.com
Hi,
we had some performance issues on our ldap servers running Solaris 10 sparc.
I did some tests using slamd http://www.slamd.com/ and got disturbing results:
ldap-service: OpenLDAP 2.4.23, setup identical on both boxes, threads=64, identical content.
box1:
hardware: Sun Microsystems sun4v SPARC Enterprise T5120
memory:32 GB RAM
os: Solaris 10 s10s_u9wos_14a
searches (avg/second): 1521
box2:
hardware: AMD 64 phenom 9850
memory: 8 GB RAM
os: Linux dsv00000 2.6.36.2 #1 SMP Mon Dec 27 10:09:29 CET 2010 x86_64 AMD Phenom(tm) 9850 Quad-Core Processor AuthenticAMD GNU/Linux
searches (avg/second): 22968
I am looking for some hints to improve performance on box1 to a similar level as on box2 or an explanation why on box1 performance is so bad.
As slapd.conf, ldap.conf and DB_CONFIG are identical there should not be such a big gap in performance.
Juergen Sprenger
Password policy: possible DoS scenario
by Konstantin Boyandin
Hello,
Thanks to everyone having answered me earlier, I've managed to set up
password policy on the OpenLDAP provided in CentOS 5.5 repositories
(current version 2.3.43).
The setup: we have a password policy enabled for user accounts in our
intranet. After 5 unsuccessful attempts the account is blocked for a short
duration (30 seconds).
Does that mean that anyone can now keep all the accounts blocked most of
the time? Am I right that if anyone enters someone else's incorrect
password 5 times (in the given case), they will block the target account
(regardless of what IP address the attacker was connecting from)?
Narrower question: do the password policy module developers plan to take
into account which IPs are used to connect (thus blocking only access
from specific IPs)?
Thanks.
All the best,
Konstantin
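The lockout the question describes, as an added Python model (not the poster's code and not OpenLDAP's ppolicy source): the overlay records each failed bind as a pwdFailureTime value on the target entry and sets pwdAccountLockedTime once pwdMaxFailure failures are reached, so what is counted is the target account's failures, whichever client sent them; the client address is not part of that state. The timeline, the two IP addresses, the passwords and the simplification that an expired lockout also clears the recorded failures are constructed for the example; the attribute names and the 5 / 30 second values come from the ppolicy schema and the post.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # Attribute names follow the ppolicy overlay; the values are the poster's settings.
    pwdMaxFailure: int = 5
    pwdLockoutDuration: int = 30      # seconds; 0 would mean locked until an admin resets it
    pwdFailureCountInterval: int = 0  # 0: failures are only purged by a successful bind


@dataclass
class Account:
    password: str
    pwdFailureTime: List[float] = field(default_factory=list)
    pwdAccountLockedTime: Optional[float] = None


def simple_bind(policy, acct, password, now, client_ip):
    """Simplified model of a simple bind under ppolicy. Returns the ppolicy error name;
    on the wire a locked account and a bad password both yield invalidCredentials.
    client_ip is deliberately unused: the overlay keeps its state on the entry
    (pwdFailureTime, pwdAccountLockedTime) and has no per-client state at all.
    Assumption of the model: an expired lockout also clears the recorded failures."""
    if acct.pwdAccountLockedTime is not None:
        expired = policy.pwdLockoutDuration and now >= acct.pwdAccountLockedTime + policy.pwdLockoutDuration
        if not expired:
            return "accountLocked"
        acct.pwdAccountLockedTime = None
        acct.pwdFailureTime.clear()
    if policy.pwdFailureCountInterval:
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime if now - t < policy.pwdFailureCountInterval]
    if password == acct.password:
        acct.pwdFailureTime.clear()
        return "success"
    acct.pwdFailureTime.append(now)
    if len(acct.pwdFailureTime) >= policy.pwdMaxFailure:
        acct.pwdAccountLockedTime = now
        return "accountLocked"
    return "invalidCredentials"


def attempts_per_minute_to_keep_locked(policy):
    """Wrong guesses per minute, per target account, that keep it locked continuously."""
    return 60.0 * policy.pwdMaxFailure / policy.pwdLockoutDuration


def lockout_dos_timeline(policy=None):
    """Constructed scenario: an attacker at 10.0.0.99 guesses wrong, the real user at
    10.0.0.5 presents the right password. Returns [(t, client_ip, result)]."""
    policy = policy or PasswordPolicy()
    acct = Account(password="correct horse battery staple")
    events = [(t, "10.0.0.99", "wrong") for t in range(0, 5)]       # five misses, lock at t=4
    events += [(5, "10.0.0.5", acct.password)]                        # victim: locked out
    events += [(t, "10.0.0.99", "wrong") for t in range(34, 39)]     # re-lock as soon as it expires
    events += [(40, "10.0.0.5", acct.password)]                       # victim: locked out again
    events += [(70, "10.0.0.5", acct.password)]                       # attacker has stopped
    return [(t, ip, simple_bind(policy, acct, pw, float(t), ip)) for t, ip, pw in sorted(events)]
```

With pwdMaxFailure 5 and pwdLockoutDuration 30, ten wrong guesses a minute per account are enough to keep it locked, and the victim's correct password is refused at t=5 and t=40 in the timeline. pwdFailureCountInterval changes only which failures still count as consecutive (a guess every 15 seconds against an interval of 10 never locks anything) and adds no notion of where the guesses came from, so any per-source limit has to be applied in front of slapd rather than in the overlay's attributes.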