I'm using nss_ldap on a whole bunch of machines on the network, and while it works great most of the time, I continuously get errors in my syslog. A sampling from today (these are actually from different machines, but I have anonymized the hostnames to be the same.):
Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not search LDAP server - Server is unavailable
Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search LDAP server - Server is unavailable
Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could not search LDAP server - Server is unavailable
Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search LDAP server - Server is unavailable
I get a few of these errors in our syslogs every hour, and occasionally it seems I can't log in via SSH. However, typically when I log in to the machine and do a "getent passwd", everything is fine. The LDAP server is from Open Directory in OS X Server 10.5.2. The version of nss_ldap is the one from Gentoo Linux, version nss_ldap-258.
My /etc/ldap.conf looks like this:
uri ldap://ldap1.example:389
base dc=example,dc=com
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_maxconntries 5
idle_timelimit 3600
pam_password_prohibit_message Please use System Preferences on your Mac to change your directory password.
nss_base_group cn=Groups,dc=zymeworks,dc=com
nss_base_passwd cn=Users,dc=zymeworks,dc=com
Does anyone have any suggestions as to what I can try to do to debug and fix this? It's really becoming irritating.
On Mon, 2008-02-25 at 23:07 -0800, Kamil Kisiel wrote:
> I'm using nss_ldap on a whole bunch of machines on the network, and while it works great most of the time, I continuously get errors in my syslog. A sampling from today (these are actually from different machines, but I have anonymized the hostnames to be the same.):
> Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not search LDAP server - Server is unavailable
> Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search LDAP server - Server is unavailable
> Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could not search LDAP server - Server is unavailable
> Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search LDAP server - Server is unavailable
This happens with processes that do fork(). Samba is a great example. Newer versions of nss_ldap have this fixed (I can't say precisely which version right now).
On Tue, Feb 26, 2008 at 8:03 AM, Andreas Hasenack <ahasenack@terra.com.br> wrote:
> On Mon, 2008-02-25 at 23:07 -0800, Kamil Kisiel wrote:
> > I'm using nss_ldap on a whole bunch of machines on the network, and while it works great most of the time, I continuously get errors in my syslog. A sampling from today (these are actually from different machines, but I have anonymized the hostnames to be the same.):
> > Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not search LDAP server - Server is unavailable
> > Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search LDAP server - Server is unavailable
> > Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could not search LDAP server - Server is unavailable
> > Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search LDAP server - Server is unavailable
> This happens with processes that do fork(). Samba is a great example. Newer versions of nss_ldap have this fixed (I can't say precisely which version right now).
I doubt this is the case, as I am currently running version 258. I've updated to the latest 259 just in case it does make a difference, but I didn't see anything in the changelog that seemed to indicate it would fix anything.
On Tue, 2008-02-26 at 18:49 -0800, Kamil Kisiel wrote:
> On Tue, Feb 26, 2008 at 8:03 AM, Andreas Hasenack <ahasenack@terra.com.br> wrote:
> > On Mon, 2008-02-25 at 23:07 -0800, Kamil Kisiel wrote:
> > > I'm using nss_ldap on a whole bunch of machines on the network, and while it works great most of the time, I continuously get errors in my syslog. A sampling from today (these are actually from different machines, but I have anonymized the hostnames to be the same.):
> > > Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not search LDAP server - Server is unavailable
> > > Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search LDAP server - Server is unavailable
> > > Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could not search LDAP server - Server is unavailable
> > > Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search LDAP server - Server is unavailable
> > This happens with processes that do fork(). Samba is a great example. Newer versions of nss_ldap have this fixed (I can't say precisely which version right now).
> I doubt this is the case, as I am currently running version 258. I've updated to the latest 259 just in case it does make a difference, but I didn't see anything in the changelog that seemed to indicate it would fix anything.
This is what I was thinking about:
257 Luke Howard <lukeh@padl.com>
* patch from Ralf Haferkamp <rhafer@suse.de>: block SIGPIPE in atfork handler
Anyway, you should probably take this to the nssldap@padl.com mailing list.
On Wednesday, 27 February 2008, Andreas Hasenack wrote:
> On Tue, 2008-02-26 at 18:49 -0800, Kamil Kisiel wrote:
> > On Tue, Feb 26, 2008 at 8:03 AM, Andreas Hasenack <ahasenack@terra.com.br> wrote:
> > > On Mon, 2008-02-25 at 23:07 -0800, Kamil Kisiel wrote:
> > > > I'm using nss_ldap on a whole bunch of machines on the network, and while it works great most of the time, I continuously get errors in my syslog. A sampling from today (these are actually from different machines, but I have anonymized the hostnames to be the same.):
> > > > Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not search LDAP server - Server is unavailable
> > > > Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search LDAP server - Server is unavailable
> > > > Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could not search LDAP server - Server is unavailable
> > > > Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search LDAP server - Server is unavailable
> > > This happens with processes that do fork(). Samba is a great example. Newer versions of nss_ldap have this fixed (I can't say precisely which version right now).
> > I doubt this is the case, as I am currently running version 258. I've updated to the latest 259 just in case it does make a difference, but I didn't see anything in the changelog that seemed to indicate it would fix anything.
> This is what I was thinking about:
> 257 Luke Howard <lukeh@padl.com>
> * patch from Ralf Haferkamp <rhafer@suse.de>: block SIGPIPE in atfork handler
That patch had nothing to do with the above issue. Without the patch, applications using nss_ldap sometimes just crashed silently after the fork. At least when SSL/TLS was enabled. The above logs could even be harmless, I think; it might be that the LDAP server was just restarted or closed the connection because of an idle timeout. Very hard to say without really knowing under what circumstances that happened.
> Anyway, you should probably take this to the nssldap@padl.com mailing list.
Yes, that would probably be better.
openldap-technical@openldap.org
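The changelog entry quoted in the thread names a technique, blocking SIGPIPE in an atfork handler, and the last reply says that without it processes sometimes died silently after fork(). The C program below is an added illustration of that technique, not nss_ldap's code or the patch itself: the socketpair standing in for the LDAP connection, the "bye" cleanup write and every name in it (fork_with_stale_conn, g_conn, g_block) are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

static int g_conn = -1;          /* stand-in for the library's cached server socket */
static int g_block;              /* 1 = block SIGPIPE around fork() */
static sigset_t g_pipe, g_saved; /* {SIGPIPE}, and the caller's mask to restore */

/* Single-threaded demo; a threaded library would use pthread_sigmask(). */
static void atfork_prepare(void) { if (g_block) sigprocmask(SIG_BLOCK, &g_pipe, &g_saved); }
static void atfork_parent(void) { if (g_block) sigprocmask(SIG_SETMASK, &g_saved, NULL); }
static void atfork_child(void) {
    sigset_t pending;
    int sig;
    /* Assumed cleanup step: a goodbye write on the inherited, dead connection. */
    if (write(g_conn, "bye", 3) < 0) { /* EPIPE: the peer is gone */ }
    close(g_conn);
    if (!g_block) return;
    /* Drain the pending SIGPIPE first, or restoring the mask delivers it. */
    sigpending(&pending);
    if (sigismember(&pending, SIGPIPE)) sigwait(&g_pipe, &sig);
    sigprocmask(SIG_SETMASK, &g_saved, NULL);
}
/* Returns 0 if the child survives fork(), else the signal that killed it. */
int fork_with_stale_conn(int block_sigpipe) {
    static int registered;
    int sv[2], status;
    if (!registered++) pthread_atfork(atfork_prepare, atfork_parent, atfork_child);
    sigemptyset(&g_pipe);
    sigaddset(&g_pipe, SIGPIPE);
    signal(SIGPIPE, SIG_DFL);              /* known starting state for the demo */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    close(sv[1]);                          /* the "server" end has gone away */
    g_conn = sv[0];
    g_block = block_sigpipe;
    pid_t pid = fork();
    if (pid == 0) _exit(0);                /* child got past the atfork handler */
    close(sv[0]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
}
int main(void) {
    int plain = fork_with_stale_conn(0), guarded = fork_with_stale_conn(1);
    return printf("unprotected: %d, SIGPIPE blocked: %d\n", plain, guarded) < 0;
}
```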