With version 249, I can't connect via ssh if my account isn't in /etc/passwd. All works well with 239-r1 with exactly the same configuration. I have this problem on all my PCs. Is it due to my server configuration?

ssh logs:

May 26 23:48:58 geri sshd[18832]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
May 26 23:48:58 geri sshd[18824]: debug1: Forked child 18832.
May 26 23:48:58 geri sshd[18832]: debug1: inetd sockets after dupping: 3, 3
May 26 23:48:58 geri sshd[18832]: Connection from 192.168.0.1 port 36436
May 26 23:48:58 geri sshd[18832]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
May 26 23:48:58 geri sshd[18832]: debug1: match: OpenSSH_4.3 pat OpenSSH*
May 26 23:48:58 geri sshd[18832]: debug1: Enabling compatibility mode for protocol 2.0
May 26 23:48:58 geri sshd[18832]: debug1: Local version string SSH-2.0-OpenSSH_4.3
May 26 23:48:58 geri sshd[18832]: debug1: PAM: initializing for "chris"
May 26 23:48:58 geri sshd[18832]: debug1: PAM: setting PAM_RHOST to "kanelxp.novazur.fr"
May 26 23:48:58 geri sshd[18832]: debug1: PAM: setting PAM_TTY to "ssh"
May 26 23:48:58 geri sshd[18832]: Failed none for chris from 192.168.0.1 port 36436 ssh2
May 26 23:48:58 geri sshd[18832]: debug1: temporarily_use_uid: 501/100 (e=0/0)
May 26 23:48:58 geri sshd[18832]: debug1: trying public key file /home/chris/.ssh/authorized_keys
May 26 23:48:58 geri sshd[18832]: debug1: matching key found: file /home/chris/.ssh/authorized_keys, line 2
May 26 23:48:58 geri sshd[18832]: Found matching RSA key: 40:74:69:42:64:d1:0e:f6:06:58:b9:04:f5:8a:43:72
May 26 23:48:58 geri sshd[18832]: debug1: restore_uid: 0/0
May 26 23:48:58 geri sshd[18832]: debug1: temporarily_use_uid: 501/100 (e=0/0)
May 26 23:48:58 geri sshd[18832]: debug1: trying public key file /home/chris/.ssh/authorized_keys
May 26 23:48:58 geri sshd[18832]: debug1: matching key found: file /home/chris/.ssh/authorized_keys, line 2
May 26 23:48:58 geri sshd[18832]: Found matching RSA key: 40:74:69:42:64:d1:0e:f6:06:58:b9:04:f5:8a:43:72
May 26 23:48:58 geri sshd[18832]: debug1: restore_uid: 0/0
May 26 23:48:58 geri sshd[18832]: debug1: ssh_rsa_verify: signature correct
May 26 23:48:58 geri sshd[18832]: debug1: do_pam_account: called
May 26 23:48:58 geri sshd[18832]: Accepted publickey for chris from 192.168.0.1 port 36436 ssh2
May 26 23:48:58 geri sshd[18832]: debug1: monitor_child_preauth: chris has been authenticated by privileged process
May 26 23:48:58 geri sshd(pam_unix)[18837]: session opened for user chris by (uid=0)
May 26 23:48:58 geri sshd[18837]: debug1: PAM: reinitializing credentials
May 26 23:48:58 geri sshd[18837]: debug1: permanently_set_uid: 501/100
May 26 23:48:58 geri sshd[18837]: debug1: Entering interactive session for SSH2.
May 26 23:48:58 geri sshd[18837]: debug1: server_init_dispatch_20
May 26 23:48:58 geri sshd[18837]: debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
May 26 23:48:58 geri sshd[18837]: debug1: input_session_request
May 26 23:48:58 geri sshd[18837]: debug1: channel 0: new [server-session]
May 26 23:48:58 geri sshd[18837]: debug1: session_new: init
May 26 23:48:58 geri sshd[18837]: debug1: session_new: session 0
May 26 23:48:58 geri sshd[18837]: debug1: session_open: channel 0
May 26 23:48:58 geri sshd[18837]: debug1: session_open: session 0: link with channel 0
May 26 23:48:58 geri sshd[18837]: debug1: server_input_channel_open: confirm session
May 26 23:48:58 geri sshd[18837]: debug1: server_input_channel_req: channel 0 request pty-req reply 0
May 26 23:48:58 geri sshd[18837]: debug1: session_by_channel: session 0 channel 0
May 26 23:48:58 geri sshd[18837]: debug1: session_input_channel_req: session 0 req pty-req
May 26 23:48:58 geri sshd[18837]: debug1: Allocating pty.
May 26 23:48:58 geri sshd[18832]: debug1: session_new: init
May 26 23:48:58 geri sshd[18832]: debug1: session_new: session 0
May 26 23:48:58 geri sshd[18832]: nss_ldap: could not search LDAP server - Server is unavailable
May 26 23:48:58 geri sshd[18832]: fatal: login_get_lastlog: Cannot find account for uid 501
May 26 23:48:58 geri sshd[18832]: debug1: do_cleanup
May 26 23:48:58 geri sshd[18832]: debug1: PAM: cleanup
May 26 23:48:58 geri sshd[18832]: debug1: session_pty_cleanup: session 0 release /dev/pts/2
May 26 23:48:58 geri sshd[18832]: syslogin_perform_logout: logout() returned an error
May 26 23:48:58 geri sshd[18837]: debug1: do_cleanup
May 26 23:48:58 geri sshd[18837]: debug1: PAM: cleanup
May 26 23:48:58 geri sshd(pam_unix)[18837]: session closed for user chris

/etc/ssh/sshd_config:
Protocol 2
LogLevel DEBUG
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/misc/sftp-server

/etc/ldap.conf:
host ldap.novazur.fr
base dc=novazur,dc=fr
scope one
bind_policy soft
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd ou=People,dc=novazur,dc=fr?one
nss_base_shadow ou=People,dc=novazur,dc=fr?one
nss_base_group ou=Group,dc=novazur,dc=fr?one
nss_base_hosts ou=Hosts,dc=novazur,dc=fr?one

/etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional pam_ldap.so

/etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
group: compat ldap
hosts: files dns ldap
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

PS: sorry for my bad English
Could you please try to run regular ldapsearch commands as nss_ldap would construct them:

ldapsearch -b ou=People,dc=novazur,dc=fr -s one -h ldap.novazur.fr uid=chris

And see if you get the correct output? What I do see missing from your configuration are the binddn/bindpass. Also, your nsswitch passwd/group/shadow entries should be 'ldap compat', not 'compat ldap'. Remove the 'bind_policy soft' and trace why this message is coming up: "nss_ldap: could not search LDAP server - Server is unavailable"
I had problems with nss_ldap and all daemons that need authentication. Everything works fine with sys-auth/nss_ldap-239-r1. It did not matter if I chose:
- uri ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
- uri ldaps://ldap.paritaet-th.site/
- uri ldap://ldap.paritaet-th.site/
in ldap.conf. OpenLDAP itself works absolutely fine. I tested querying ldap from another client.

Package should instantly be masked, because it endangers every ldap authentication based server system. The error is extremely slowing down the machine. Reboot takes about 4 min without the error and over 15 min with the error.

> Also, your nsswitch passwd/group/shadow entries should be 'ldap compat'
> not 'compat ldap'

Should not make any difference in this problem. nsswitch has already decided to access via ldap.

> Remove the 'bind_policy soft'

I never had set bind_policy.

Cheers JJ

/etc/ldap.conf
@(#)$Id: ldap.conf,v 2.45 2006/01/13 16:15:34 lukeh Exp $
base dc=paritaet-th,dc=de
uri ldaps://ldap.paritaet-th.site/
ldap_version 3
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd dc=paritaet-th,dc=de?sub
nss_base_shadow dc=paritaet-th,dc=de?sub
nss_base_group ou=groups,dc=paritaet-th,dc=de?one

/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

/etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok shadow md5
password sufficient /lib/security/pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so

/var/log/messages
May 28 21:53:31 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:31 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 28 21:53:31 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:31 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 28 21:53:31 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:31 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 28 21:53:31 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:31 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 28 21:53:31 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:31 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 28 21:53:45 linux sshd[8368]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May 28 21:53:45 linux sshd[8363]: Accepted keyboard-interactive/pam for root from 172.30.0.1 port 38649 ssh2
May 28 21:53:45 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:45 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:45 linux sshd[8369]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
May 28 21:53:49 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:49 linux sshd[8369]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
May 28 21:53:56 linux mysqld: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:56 linux mysqld: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:53:57 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:57 linux sshd[8369]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 28 21:54:03 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:03 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:54:03 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:03 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:54:03 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:03 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:54:03 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:03 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:54:03 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:03 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:54:03 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:03 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:54:13 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:54:13 linux sshd[8369]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Joerg: the first line of your ldap.conf

@(#)$Id: ldap.conf,v 2.45 2006/01/13 16:15:34 lukeh Exp $

The comment character seems to be missing there? Also, you show me a ldaps:// URI, but the logs show that it was using non-SSL. If you are using ldaps://, where is the rest of your TLS configuration? Also, as I said to Chris, you are lacking the binddn stuff.
First of all, I had a perfectly running ldap-nss-samba-apache scenario and it ran absolutely fine until merging nss_ldap-249. And I spent about 4 hours this afternoon finding out what's wrong, until I found this: http://forums.gentoo.org/viewtopic-t-466045-highlight-nssldap.html

OpenLDAP works perfectly because my second server is using the openldap data for samba and this server could connect to the ldap server using the old nss_ldap. Now I downgraded to sys-auth/nss_ldap-239-r1 and everything is alright.

> The comment character seems to be missing there?

That's a copy and paste error.

> Also, you show me a ldaps:// URI, but the logs show that it was using non-SSL.
> If you are using ldaps://, where is the rest of your TLS configuration?

I said I tried it with ldaps, ldap and ldapi. So I sent you the ldaps config but copied the ldap part from /var/log/messages.

> Also, as I said to Chris, you are lacking the binddn stuff.

I don't need fucking binddn because anonymous login is enough. There are no restrictions from the ldap server side. Firewall is doing the job for me, so that only the server and the admin computer can access ldap. So don't treat me like a nerd who is configuring ldap for the first time.
Robin:

19:27:24 chris@geri ~ $ ldapsearch -b ou=People,dc=novazur,dc=fr -s one -h ldap.novazur.fr uid=chris
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=novazur,dc=fr> with scope one
# filter: uid=chris
# requesting: ALL
#

# chris, People, novazur.fr
dn: uid=chris,ou=People,dc=novazur,dc=fr
uid: chris
cn: Christophe PEREZ
givenName: Christophe
sn: PEREZ
-------------------

All is good there.

> What I do see missing from your configuration are the binddn/bindpass.

I never had to use that with older versions. But I'm sure my ldap server is not really well configured... Ldap seems too difficult for me.

> Remove the 'bind_policy soft'

You got it!! I had to try that because of a udev bug: http://bugs.gentoo.org/show_bug.cgi?id=99564

Really sorry for the noise :-( and thank you for your help.

About your comment "Joerg: the first line of your ldap.conf": you have to know that this line IS in the default config file.

# etc-update
Scanning Configuration files...
The following is the list of files which need updating, each
configuration file is followed by a list of possible replacement files.
1) /etc/ldap.conf
/etc/._cfg0000_ldap.conf
Please select a file to edit by entering the corresponding number.
 (don't use -3 or -5 if you're unsure what to do)
 (-1 to exit) (-3 to auto merge all remaining files)
 (-5 to auto-merge AND not use 'mv -i'): 1
1) Replace original with update
2) Delete update, keeping original as is
3) Interactively merge original with update
4) Show differences again
Please select from the menu above (-1 to ignore this update): 3
/etc/._cfg0000_ldap.conf /etc/ldap.conf /etc/ldap.conf.merged
Merging /etc/._cfg0000_ldap.conf and /etc/ldap.conf
# @(#)$Id: ldap.conf,v 2.42 2005/05/20 05:33:55 lukeh Exp $   |   @(#)$Id: ldap.conf,v 2.45 2006/01/13 16:15:34 lukeh Exp $
Chris: from your ldapsearch output there, nss/pam_ldap should apply the pam_filter, and reject that ldap entry (unless the objectClass just wasn't shown).

Joerg: 249 works perfectly fine in my setup, and in Chris's setup after he removed the 'bind_policy soft'. Ergo the primary remaining place for a problem is in your configuration. Run the ldapsearch I showed Chris, with your uid instead:

ldapsearch -x -H ldap://ldap.paritaet-th.site/ -b dc=paritaet-th,dc=de -s one uid=XXX

Where XXX is a user that exists in ldap (not root as your other log showed).
I tested it on my own server. nss_ldap failed there too today. I updated to 249 again. Waited a long time till the system booted and then did:

bladerunner ~ # ldapsearch -x -H ldaps://bladerunner.jj.site/ -b dc=jj,dc=local -s one uid=neo-jj
# extended LDIF
#
# LDAPv3
# base <dc=jj,dc=local> with scope one
# filter: uid=neo-jj
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

So the ldapserver seems to be all right. Maybe what is a little bit different from other installations: I use nptl and the cflag
CFLAGS="-march=pentium4 -O3 -pipe -mno-tls-direct-seg-refs"
to make sure programs use nptl.

/var/log/messages
May 29 02:45:50 bladerunner ReiserFS: dm-0: found reiserfs format "3.6" with standard journal
May 29 02:45:50 bladerunner ReiserFS: dm-0: using ordered data mode
May 29 02:45:50 bladerunner ReiserFS: dm-0: journal params: device dm-0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
May 29 02:45:50 bladerunner ReiserFS: dm-0: checking transaction log (dm-0)
May 29 02:45:50 bladerunner ReiserFS: dm-0: Using r5 hash to sort names
May 29 02:45:51 bladerunner ddclient[6601]: WARNING: cannot connect to checkip.dyndns.org:80 socket: IO::Socket::INET: Bad hostname 'checkip.dyndns.org'
May 29 02:50:01 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:50:01 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:50:01 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
May 29 02:50:05 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:50:05 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
May 29 02:50:06 bladerunner rc-scripts: MySQL NOT started (0)
May 29 02:50:06 bladerunner device eth0 entered promiscuous mode
May 29 02:50:12 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:50:12 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 29 02:50:28 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:50:28 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 29 02:51:00 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:51:00 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 29 02:52:04 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:52:04 bladerunner mysqld: nss_ldap: could not search LDAP server - Server is unavailable
May 29 02:52:04 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:52:04 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:52:04 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
May 29 02:52:08 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:52:08 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
May 29 02:52:16 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:52:16 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 29 02:52:32 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:52:32 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 29 02:53:04 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:53:04 bladerunner mysqld: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 29 02:54:08 bladerunner mysqld: nss_ldap: failed to bind to LDAP server ldaps://bladerunner.jj.site/: Can't contact LDAP server
May 29 02:54:08 bladerunner mysqld: nss_ldap: could not search LDAP server - Server is unavailable
May 29 02:54:19 bladerunner squid[7184]: Squid Parent: child process 7186 started
May 29 02:54:21 bladerunner sshd[7236]: Server listening on 0.0.0.0 port 22.
May 29 02:54:34 bladerunner sshd[7323]: Accepted publickey for root from 172.16.0.10 port 1158 ssh2
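The /var/log/messages excerpts in this bug all show the same shape: a daemon logs "failed to bind to LDAP server", then "reconnecting to LDAP server (sleeping N seconds)" with N doubling 4, 8, 16, 32, 64, and finally "could not search LDAP server - Server is unavailable". Each of those sleeps blocks the lookup that triggered it, which is what turns an unreachable directory into a boot that takes many minutes. The script below is an added example (not nss_ldap's code and not posted by anyone in this bug): it parses syslog lines of that shape and reports, per process, how many binds failed, how many seconds were spent sleeping and whether the lookup finally gave up. The embedded log is constructed after the excerpts above; the function and variable names are the example's own.

```python
import re

# Constructed sample, modelled on the /var/log/messages excerpts posted in this bug.
SAMPLE_LOG = """\
May 28 21:53:31 linux apache2: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:31 linux apache2: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 28 21:53:45 linux sshd[8368]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May 28 21:53:45 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:45 linux sshd[8369]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
May 28 21:53:49 linux sshd[8369]: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:49 linux sshd[8369]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
May 28 21:53:56 linux mysqld: nss_ldap: failed to bind to LDAP server ldap://ldap.paritaet-th.site/: Can't contact LDAP server
May 28 21:53:56 linux mysqld: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 28 21:55:00 linux mysqld: nss_ldap: could not search LDAP server - Server is unavailable
May 28 21:55:21 linux sshd[7236]: Server listening on 0.0.0.0 port 22.
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
BIND_FAIL_RE = re.compile(r'^nss_ldap: failed to bind to LDAP server (?P<uri>\S+):')
SLEEP_RE = re.compile(r'^nss_ldap: reconnecting to LDAP server \(sleeping (?P<secs>\d+) seconds\)')
GIVE_UP_MSG = 'nss_ldap: could not search LDAP server - Server is unavailable'


def summarize_reconnects(log_text):
    """Return {process: stats} for every process that logged nss_ldap trouble.

    process is "prog" or "prog[pid]"; stats counts bind failures, the total of
    the announced sleeps, the give-ups, and the server URIs that were tried.
    """
    stats = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not m.group('msg').startswith('nss_ldap:'):
            continue  # not a syslog line, or not an nss_ldap message (pam_ldap, sshd, ...)
        proc = m.group('prog') + ('[%s]' % m.group('pid') if m.group('pid') else '')
        s = stats.setdefault(proc, {'bind_failures': 0, 'sleep_seconds': 0,
                                    'gave_up': 0, 'servers': []})
        msg = m.group('msg')
        fail = BIND_FAIL_RE.match(msg)
        if fail:
            s['bind_failures'] += 1
            if fail.group('uri') not in s['servers']:
                s['servers'].append(fail.group('uri'))
            continue
        sleep = SLEEP_RE.match(msg)
        if sleep:
            s['sleep_seconds'] += int(sleep.group('secs'))  # time the lookup was blocked
            continue
        if msg == GIVE_UP_MSG:
            s['gave_up'] += 1
    return stats


def stalled_processes(stats, min_sleep=15):
    """Processes that slept at least min_sleep seconds in nss_ldap, worst first."""
    hits = [(proc, s['sleep_seconds']) for proc, s in stats.items()
            if s['sleep_seconds'] >= min_sleep]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == '__main__':
    summary = summarize_reconnects(SAMPLE_LOG)
    for proc, s in summary.items():
        print('%-12s failures=%d slept=%ds gave_up=%d servers=%s' % (
            proc, s['bind_failures'], s['sleep_seconds'], s['gave_up'], ','.join(s['servers'])))
    print('stalled:', stalled_processes(summary))
```

Run it against a real /var/log/messages with `summarize_reconnects(open('/var/log/messages').read())`; the 15-second default of `stalled_processes` is the per-lookup budget that the later 250-r1 defaults in this bug settle on, so anything above it is a lookup that already exceeded the intended timeout.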
Joerg: comment out the tss entries in udev, to get your box booting first of all. It's considered good practice to have everything needed for a basic boot in the default non-LDAP nss, so that broken LDAP does not break booting. Could you include your /etc/openldap/ldap.conf, which shows your SSL setup? Disable SSL for the moment, so we can debug this easier, and then re-add SSL at the end. The fact that your ldap server doesn't return a result there for the anonymous query (unless you had a ~/.ldaprc) indicates that your anonymous is not set up correctly despite your claim to the contrary - as otherwise you'd have output similar to what Chris posted that showed his user actually existing.
on a lark, would both of you please test nss_ldap-250?
Robin: Sorry, but I don't understand, my English is so bad. And I'm sure this is not the place for me to learn how to configure ldap :-( I could be helped only in French :-) Really sorry.
chris: not a problem, I was just wondering if you could try nss_ldap-250 for me, and see if it works.
Robin: I understood that, but I was talking about: "Chris: from your ldapsearch output there, nss/pam_ldap should apply the pam_filter, and reject that ldap entry (unless the objectClass just wasn't shown)." About 250, I'll try it tomorrow, because it isn't in my portage tree yet (mirror server with cron every 12h).
Ah, for that one, you showed me this output:

# chris, People, novazur.fr
dn: uid=chris,ou=People,dc=novazur,dc=fr
uid: chris
cn: Christophe PEREZ
givenName: Christophe
sn: PEREZ

In your configuration, you have 'pam_filter objectclass=posixaccount'. Since objectClass posixAccount isn't in the output, that ldap entry (dn: uid=chris,ou=People,dc=novazur,dc=fr) shouldn't match.
Ah! Maybe because I didn't give you all the output!?!

$ ldapsearch -b ou=People,dc=novazur,dc=fr -s one -h ldap.novazur.fr uid=chris
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=novazur,dc=fr> with scope one
# filter: uid=chris
# requesting: ALL
#

# chris, People, novazur.fr
dn: uid=chris,ou=People,dc=novazur,dc=fr
uid: chris
cn: Christophe PEREZ
givenName: Christophe
sn: PEREZ
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: XXXXXX
shadowLastChange: 12257
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 100
homeDirectory: /home/chris
gecos: Christophe PEREZ
mail: xxxxxxxxxxxx@xxxxxxxxx.xxx
mail: yyyyyyyyyyy@xxxxxxxx.xxx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------------------------

Is it better now?
ah yes, that's more like it, no problems then. I would however suggest looking at securing your ldap infrastructure some there, anonymous requests like that shouldn't get the password data.
I know that :-( but I never found someone who could explain it to me in French, so I do my best... Don't spend more time on me, ldap is really something too difficult for me. Thanks for all your help.
Sorry, I understood something wrong with the ldapsearch and thought it would only show the number of results. In my ldap.conf the scope is defined in another way:

nss_base_passwd dc=paritaet-th,dc=de?sub
nss_base_shadow dc=paritaet-th,dc=de?sub

So every one of these search commands leads to the same result:

ldapsearch -x -H ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock -b ou=Users,dc=jj,dc=local -s one uid=jj
ldapsearch -x -H ldaps://bladerunner.jj.site/ -b ou=Users,dc=jj,dc=local -s one uid=jj
ldapsearch -x -H ldap://bladerunner.jj.site/ -b ou=Users,dc=jj,dc=local -s one uid=jj
ldapsearch -x -H ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock -b dc=jj,dc=local -s sub uid=jj
ldapsearch -x -H ldaps://bladerunner.jj.site/ -b dc=jj,dc=local -s sub uid=jj
ldapsearch -x -H ldap://bladerunner.jj.site/ -b dc=jj,dc=local -s sub uid=jj

Result:

# extended LDIF
#
# LDAPv3
# base <dc=jj,dc=local> with scope sub
# filter: uid=jj
# requesting: ALL
#

# jj, Users, jj.local
dn: uid=jj,ou=Users,dc=jj,dc=local
displayName: SMB User
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jj
uidNumber: 1003
cn: jj
loginShell: /bin/bash
gidNumber: 100
gecos: SMB User
description: SMB User
homeDirectory: /smb/home/jj
sambaSID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPrimaryGroupSID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaLogonScript: jj.cmd
sambaHomePath: \\bladerunner\homes
sambaProfilePath: \\bladerunner\profiles\jj
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: W:
sambaPwdCanChange: 1132104053
sambaPasswordHistory: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: XXXXXXXXXXX
sambaPwdMustChange: XXXXXXXXXXXX
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I updated to nss_ldap-250 - still the same error.
I commented out the tpm line with OWNER="tss", GROUP="tss" in udev - server still took a long time to boot and still the same error.
I updated the scope in ldap.conf to:
nss_base_passwd ou=Users,dc=jj,dc=local?one
nss_base_shadow ou=Users,dc=jj,dc=local?one
nss_base_group ou=Groups,dc=jj,dc=local?one
- still the same error.
I downgraded to 239 - everything is OK.

Cheers JJ

emerge info
Portage 2.0.54-r2 (hardened/x86/2.6, gcc-3.4.5, glibc-2.3.6-r3, 2.6.14-hardened-r8 i686)
=================================================================
System uname: 2.6.14-hardened-r8 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
Gentoo Base System version 1.6.14
dev-lang/python: 2.3.5-r2, 2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O3 -pipe -mno-tls-direct-seg-refs"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -O3 -pipe -mno-tls-direct-seg-refs"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.easynet.nl/mirror/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://212.219.247.10/sites/www.ibiblio.org/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="aalib acl acpi apache2 berkdb bzip2 crypt cups dba dlloader examples expat fbcon gd gdbm glibc-compat20 gpm hardened hardenedphp hpn imap java jpeg ldap libwww mhash mmx mysql ncurses nls nptl pam pcre perl php pic png postgres python quotas readline samba sasl session slang slp snmp socks5 sse ssl svga tcpd truetype udev unicode winbind x86 xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset: CTARGET, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS
Ok, so we're still stuck with why nss_ldap-249/250 doesn't connect to your LDAP server properly. Could you please compile it with

USE=debug CFLAGS="-ggdb -O1" emerge nss_ldap

and look for the debugging output as to why the bind failed?
Joerg: Would you please try 250 with any explicit SSL lines disabled? In bug 134966, a user noted that after disabling it, everything suddenly worked.
Hello everybody,

I had no time to test it until now. I found one important part of the problem, but not all. There must be no ssl line in ldap.conf even when using ssl. So

uri ldaps:// ....

works without the "ssl on" line in ldap.conf. But I experience long booting times, as long as the ldap-server is not started. Debug is saying:

nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: <== do_bind
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== do_open (failed to bind to DSA
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> do_open
nss_ldap: ==> do_init
.....

and so on and so on (no copy and paste, it's handwritten from console output, because the lines can not be found in the log). I added the lines in nsswitch

passwd: ldap [NOTFOUND=return] files
shadow: ldap [NOTFOUND=return] files
group: ldap [NOTFOUND=return] files

but this did not change anything.
Joerg: the long boot times are a separate issue. See bug 99564, comment 44. Could you please test using

uri ldap://...
ssl start_tls

That should give you TLS security.
It does not work with

uri ldap://...
ssl start_tls

in nss_ldap-249, but it works with nss_ldap-239-r1. So what is the difference in SSL between 249 and 239-r1? But even if I configured SSL wrong for 249, in my opinion it is a major error that nss_ldap-249 is retrying to connect soooooooo many times and the whole system hangs. Booting takes over 20 min (under 2 min is normal). I once forgot to take out the ldap keyword in nsswitch.conf. The shutdown process took over 2 hours. Finally I pressed the reset button because the magic sysrq keys did not work. My RAID1 crashed and the kernel had a kernel panic because of the crash. I had to rebuild the RAID by hand.

What I wanted to say: I spent hours and hours to debug. But did not come to a result because booting and rebooting takes so much time. So I decided to stay with 239 and see what will happen, and I will not debug any more. It's too dangerous for my system and I don't have the time. Sorry.

LDAP - UDEV - BOOTING: I know there is the other bug report. But the strange thing is I only have the long booting times with nss_ldap-249 and nss_ldap-250.
The fact that you are seeing the timeout implies that you did not pay attention to what upstream does. Between 239 and 249 the timeout behavior was radically changed - so that the defaults now had every single lookup taking about 10 minutes if the server was not contactable. Add this to your /etc/ldap.conf to work around some of the timeout issue:

nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 4

The real solution is still a work in progress as I noted in bug 99564, because of udev. What I'm trying to nail down in this bug is what the SSL problems with nss_ldap-249 are.
Hello,

I tested it again. The nss_reconnect_* parameters really helped. Booting time is almost as short as booting with nss_ldap-239. Some occurrences of messages like:

Jun 7 22:19:51 bladerunner mysqld: nss_ldap: reconnecting to LDAP server...
Jun 7 22:19:51 bladerunner mysqld: nss_ldap: reconnecting to LDAP server...
Jun 7 22:19:51 bladerunner mysqld: nss_ldap: could not search LDAP server - Server is unavailable

But they do not matter, because when slapd starts, everything is ok. The "ssl start_tls" really fixed the problem. I don't know what was wrong the first time. To confirm the error I tested it with "ssl on" and it really did not work.

Could you do me a favour and explain the three nss_reconnect_* parameters? I could only find 28 entries about them in Google and none of them explained them. I think people involved in bug 99564 would be grateful too.

Cheers JJ

My working /etc/ldap.conf
base dc=jj,dc=local
uri ldap://bladerunner.jj.site/
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 4
nss_base_passwd ou=Users,dc=jj,dc=local?one
nss_base_shadow ou=Users,dc=jj,dc=local?one
nss_base_group ou=Groups,dc=jj,dc=local?one
pam_password md5
ssl start_tls
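The thread settles on three configuration points: drop 'bind_policy soft' (which resolved the first reporter's "Server is unavailable" error), do not combine an "ssl on" line with an ldaps:// uri (use ldap:// with "ssl start_tls" instead), keep a non-LDAP source in nsswitch for passwd/shadow/group so a dead directory cannot block boot, and tune nss_reconnect_* so a lookup does not sleep through the full 4+8+16+32+64 second backoff seen in the logs. The script below is an added example, not nss_ldap's code and not posted by any participant: it lints an /etc/ldap.conf together with /etc/nsswitch.conf for exactly those points and estimates the worst-case time one lookup sleeps in the reconnect loop. The backoff model and the package defaults it assumes when a parameter is absent (five rounds, first sleep 4 seconds, doubling, capped at 64; nss_reconnect_maxconntries taken as the number of immediate attempts before each sleep) are my reading of nss_ldap's sample configuration, not anything stated in this bug, although they do add up to the 124 seconds mentioned later in it. The embedded sample files are constructed from the configurations posted here, with the harmful settings put back into the "bad" copy.

```python
# Assumed package defaults (an assumption of this example, from nss_ldap's
# sample ldap.conf; not values stated in this bug). 4+8+16+32+64 = 124 s.
DEFAULTS = {
    'nss_reconnect_tries': 5,          # sleep-and-retry rounds
    'nss_reconnect_sleeptime': 4,      # first sleep, doubled each round
    'nss_reconnect_maxsleeptime': 64,  # cap on a single sleep
}

# Constructed samples. GOOD_LDAP_CONF is the working file posted in this bug;
# BAD_LDAP_CONF is the same host with the settings the thread found harmful.
GOOD_LDAP_CONF = """\
base dc=jj,dc=local
uri ldap://bladerunner.jj.site/
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 4
nss_base_passwd ou=Users,dc=jj,dc=local?one
nss_base_shadow ou=Users,dc=jj,dc=local?one
nss_base_group ou=Groups,dc=jj,dc=local?one
pam_password md5
ssl start_tls
"""
BAD_LDAP_CONF = """\
# comment lines are ignored
base dc=jj,dc=local
uri ldaps://bladerunner.jj.site/
bind_policy soft
ssl on
nss_base_passwd ou=Users,dc=jj,dc=local?one
"""
GOOD_NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"
BAD_NSSWITCH = "passwd: ldap\nshadow: ldap [NOTFOUND=return]\ngroup: files ldap\n"


def parse_ldap_conf(text):
    """'key value' lines, '#' comments; keys are case-insensitive in nss_ldap."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def parse_nsswitch(text):
    """'database: source source ...'; [STATUS=action] tokens are not sources."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        db, _, sources = line.partition(':')
        dbs[db.strip()] = [t for t in sources.split() if not t.startswith('[')]
    return dbs


def worst_case_sleep(conf):
    """Seconds one lookup sleeps while the server is down (model: sleeptime doubled
    per round, capped at maxsleeptime, for nss_reconnect_tries rounds; the
    maxconntries attempts before each sleep add no sleep of their own)."""
    tries = int(conf.get('nss_reconnect_tries', DEFAULTS['nss_reconnect_tries']))
    sleep = int(conf.get('nss_reconnect_sleeptime', DEFAULTS['nss_reconnect_sleeptime']))
    cap = int(conf.get('nss_reconnect_maxsleeptime', DEFAULTS['nss_reconnect_maxsleeptime']))
    total = 0
    for _ in range(tries):
        total += min(sleep, cap)
        sleep *= 2
    return total


def lint(ldap_conf_text, nsswitch_text, max_stall=15):
    """Return (findings, worst_case_sleep); each finding is a (code, message) pair."""
    conf = parse_ldap_conf(ldap_conf_text)
    dbs = parse_nsswitch(nsswitch_text)
    findings = []
    if conf.get('bind_policy', '').lower() == 'soft':
        findings.append(('bind_policy_soft', 'remove "bind_policy soft"; it made sshd fail with "Server is unavailable"'))
    if conf.get('ssl', '').lower() == 'on' and conf.get('uri', '').startswith('ldaps://'):
        findings.append(('ssl_on_with_ldaps', 'drop the ssl line for an ldaps:// uri, or use ldap:// with "ssl start_tls"'))
    for db in ('passwd', 'shadow', 'group'):
        sources = dbs.get(db, [])
        if 'ldap' in sources and not ({'files', 'compat'} & set(sources)):
            findings.append((db + '_no_local_source', db + ': add files or compat so boot does not depend on LDAP'))
    stall = worst_case_sleep(conf)
    if stall > max_stall:
        findings.append(('slow_reconnect', 'a lookup can sleep %d s while LDAP is down; tune nss_reconnect_*' % stall))
    return findings, stall


if __name__ == '__main__':
    for label, ldap_conf, nss in (('bad', BAD_LDAP_CONF, BAD_NSSWITCH), ('good', GOOD_LDAP_CONF, GOOD_NSSWITCH)):
        findings, stall = lint(ldap_conf, nss)
        print('%s: worst-case sleep %d s, %d finding(s)' % (label, stall, len(findings)))
        for code, message in findings:
            print('  [%s] %s' % (code, message))
```

To check a live host, call `lint(open('/etc/ldap.conf').read(), open('/etc/nsswitch.conf').read())`. The 15-second `max_stall` is the per-lookup budget that the 250-r1 defaults mentioned later in this bug settle on; the "bad" sample, which sets no nss_reconnect_* values, is reported at the assumed 124-second default.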
250-r1 is in the tree now, with documentation of the timeouts and changed defaults (15 seconds instead of 124 seconds). The SSL problem persists, I'm looking at it.
*** Bug 143212 has been marked as a duplicate of this bug. ***