On Monday 02 June 2008 18:42:57 Gar Nelson wrote:
I'm currently using openldap-2.2.13-8.el4_6.4 on RHEL 4 and for the most part, it appears to be working.
This of course has nothing to do with OpenLDAP itself ...
I can use ldap to log in on another machine, and on a different workstation, the Apache directory browser connects and browses (and edits) just fine.
However, when watching /var/log/messages, all is not calm under the surface. A shortened snippet of the log is as follows;
May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: reconnecting to LDAP server...
May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: reconnecting to LDAP server...
[...]
May 30 14:57:46 ggw-s-bdc runuser: nss_ldap: could not hard reconnect to LDAP server - Server is unavailable
May 30 14:57:46 ggw-s-bdc slaptest: sql_select option missing
May 30 14:57:46 ggw-s-bdc slaptest: auxpropfunc error no mechanism available
May 30 14:57:46 ggw-s-bdc runuser: config file testing succeeded
May 30 14:57:46 ggw-s-bdc ldap: Checking configuration files for slapd: succeeded
May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: reconnecting to LDAP server...
May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: reconnecting to LDAP server...
[...]
May 30 14:59:46 ggw-s-bdc slapd[16932]: nss_ldap: could not hard reconnect to LDAP server - Server is unavailable
May 30 14:59:46 ggw-s-bdc slapd[16932]: sql_select option missing
May 30 14:59:46 ggw-s-bdc slapd[16932]: auxpropfunc error no mechanism available
May 30 14:59:46 ggw-s-bdc ldap: slapd startup succeeded
It takes around five minutes for ldap to come up waiting for all the bind timeouts.
I've tried googling without success
What did you google? This is a well-known problem.
I've tried changing from host to uri, and from the local 127 address to the machine's outside IP without success.
So you don't understand the problem yet ...
SELinux is disabled. IPTables is not running. nmap localhost reports port 389 is open, along with an nmap to its outside IP address.
But this does not apply when slapd isn't running.
I'm at a loss as to how to get "nss-ldap" to bind.
Well, it can't bind when slapd isn't running. So, maybe you should rather be trying to get it to give up sooner. So, you could consider:

1) Switching to "bind_policy soft"
2) Dropping your "timelimit" and "bind_timelimit" to reasonable values
3) Having more than one LDAP server, so a host which is supposed to be running slapd may be able to resolve users without its own slapd running (so the details of the ldap user can be resolved, which are required for slapd to start as the ldap user).
4) Add the ldap user to the list of users in nss_initgroups_ignoreusers in your /etc/ldap.conf (however, IMHO, this just masks the real problem)
ldap.conf is as follows;

# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# PADL Software
# http://www.padl.com
#

debug 256
logdir /var/log/ldap.log

#host 127.0.0.1
base dc=ggw,dc=nws,dc=noaa
uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

binddn cn=Manager,dc=ggw,dc=nws,dc=noaa
bindpw [correct ldap password]

port 389

timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600

pam_password exop

nss_base_passwd ou=People,dc=ggw,dc=nws,dc=noaa?one
nss_base_passwd ou=Computers,dc=ggw,dc=nws,dc=noaa?one
nss_base_shadow ou=People,dc=ggw,dc=nws,dc=noaa?one
nss_base_group ou=Groups,dc=ggw,dc=nws,dc=noaa?one
#nss_base_hosts ou=Hosts,dc=ggw,dc=nws,dc=noaa?one
#nss_base_services ou=Services,dc=ggw,dc=nws,dc=noaa?one
#nss_base_networks ou=Networks,dc=ggw,dc=nws,dc=noaa?one
#nss_base_protocols ou=Protocols,dc=ggw,dc=nws,dc=noaa?one
#nss_base_rpc ou=Rpc,dc=ggw,dc=nws,dc=noaa?one
#nss_base_ethers ou=Ethers,dc=ggw,dc=nws,dc=noaa?one
#nss_base_netmasks ou=Networks,dc=ggw,dc=nws,dc=noaa?one
#nss_base_bootparams ou=Ethers,dc=ggw,dc=nws,dc=noaa?one
#nss_base_aliases ou=Aliases,dc=ggw,dc=nws,dc=noaa?one
#nss_base_netgroup ou=Netgroup,dc=ggw,dc=nws,dc=noaa?one

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
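The four options in the reply above (bind_policy, the two timelimits, a second server, nss_initgroups_ignoreusers) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from nss_ldap: it lints an nss_ldap-style ldap.conf for the settings that make a host wait on its own slapd at startup. The MAX_WAIT threshold, the make_sample_conf helper and the sample configs it writes (modelled on the poster's file, reduced to the relevant keys) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from nss_ldap): lint an nss_ldap
# /etc/ldap.conf for settings that make a host block on its own slapd.

MAX_WAIT=10   # seconds; timelimits above this are reported (assumed threshold)

# conf_value FILE KEY -> last value set for KEY in FILE, empty if unset
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# check_ldap_conf FILE
# Prints one line per finding; exit status is the number of findings (0 = clean).
check_ldap_conf() {
    file="$1"
    findings=0

    # 1. bind_policy hard (the default) retries the bind until a server answers.
    policy=$(conf_value "$file" bind_policy)
    if [ "${policy:-hard}" = "hard" ]; then
        echo "bind_policy is hard (or unset): lookups retry until slapd answers"
        findings=$((findings + 1))
    fi

    # 2. Long bind_timelimit / timelimit values stretch every reconnect attempt.
    for key in bind_timelimit timelimit; do
        val=$(conf_value "$file" "$key")
        if [ -n "$val" ] && [ "$val" -gt "$MAX_WAIT" ]; then
            echo "$key is ${val}s (above ${MAX_WAIT}s)"
            findings=$((findings + 1))
        fi
    done

    # 3. A single server means nothing answers while the local slapd is down.
    #    Commented-out lines start with '#uri' / '#host' and are not counted.
    servers=$(awk '$1 == "uri" || $1 == "host" { n += NF - 1 } END { print n + 0 }' "$file")
    if [ "$servers" -lt 2 ]; then
        echo "only $servers LDAP server(s) configured: no fallback while local slapd is down"
        findings=$((findings + 1))
    fi

    # 4. ldap user not excluded from initgroups lookups (option 4 in the reply;
    #    it hides the startup dependency rather than removing it).
    ignore=$(conf_value "$file" nss_initgroups_ignoreusers)
    case ",$ignore," in
        *,ldap,*) ;;
        *) echo "ldap user not listed in nss_initgroups_ignoreusers"
           findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# make_sample_conf hard|soft -> prints the path of a constructed temp config
make_sample_conf() {
    f=$(mktemp)
    if [ "$1" = "hard" ]; then
        # Constructed sample: the settings from the poster's file
        cat >"$f" <<'EOF'
#host 127.0.0.1
uri ldap://127.0.0.1/
bind_policy hard
timelimit 50
bind_timelimit 50
EOF
    else
        # Constructed sample: the reply's four suggestions applied
        cat >"$f" <<'EOF'
uri ldap://127.0.0.1/ ldap://ldap2.example.invalid/
bind_policy soft
timelimit 5
bind_timelimit 5
nss_initgroups_ignoreusers root,ldap
EOF
    fi
    echo "$f"
}

bad=$(make_sample_conf hard)
good=$(make_sample_conf soft)
echo "== thread-style config =="
check_ldap_conf "$bad" || echo "findings: $?"
echo "== corrected config =="
if check_ldap_conf "$good"; then echo "no findings"; fi
rm -f "$bad" "$good"
```

Run it against a real file with `check_ldap_conf /etc/ldap.conf` after sourcing the script; the exit status doubles as a count, so it drops into a shell `if`. Only the last occurrence of a key is honoured, matching the way a later line overrides an earlier one when the file is read top to bottom.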