
Re: could not hard reconnect to LDAP server - Server is unavailable



On Monday 02 June 2008 18:42:57 Gar Nelson wrote:
>
> I'm currently using openldap-2.2.13-8.el4_6.4 on RHEL 4 and for the most
> part, it appears to be working.

This of course has nothing to do with OpenLDAP itself ...

> I can use ldap to log in on another 
> machine, and on a different workstation, the Apache directory browser
> connects and browses (and edits) just fine.
>
> However, when watching /var/log/messages, all is not calm under the
> surface. A shortened snippet of the log is as follows;
>
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: reconnecting to LDAP server...
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: reconnecting to LDAP server...
> [...]
> May 30 14:57:46 ggw-s-bdc runuser: nss_ldap: could not hard reconnect to
> LDAP server - Server is unavailable
> May 30 14:57:46 ggw-s-bdc slaptest: sql_select option missing
> May 30 14:57:46 ggw-s-bdc slaptest: auxpropfunc error no mechanism
> available
> May 30 14:57:46 ggw-s-bdc runuser: config file testing succeeded
> May 30 14:57:46 ggw-s-bdc ldap: Checking configuration files for slapd:
> succeeded
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: reconnecting to LDAP
> server...
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: reconnecting to LDAP
> server...
> [...]
> May 30 14:59:46 ggw-s-bdc slapd[16932]: nss_ldap: could not hard
> reconnect to LDAP server - Server is unavailable
> May 30 14:59:46 ggw-s-bdc slapd[16932]: sql_select option missing
> May 30 14:59:46 ggw-s-bdc slapd[16932]: auxpropfunc error no mechanism
> available
> May 30 14:59:46 ggw-s-bdc ldap: slapd startup succeeded
>
> It takes around five minutes for ldap to come up waiting for all the
> bind timeouts.
>
> I've tried googling without success

What did you google? This is a well-known problem.

> , I've tried changing from host to 
> uri, and from the local 127 address to the machine's outside IP without
> success.

So you don't understand the problem yet ...

> SELinux is disabled.  IPTables is not running. nmap localhost reports
> port 389 is open, along with an nmap to its outside ip address.

But this does not apply when slapd isn't running.

> I'm at 
> a loss as to how to get "nss-ldap" to bind.

Well, it can't bind when slapd isn't running. So, maybe you should rather be 
trying to get it to give up sooner. So, you could consider:
1) Switching to "bind_policy soft"
2) Dropping your "timelimit" and "bind_timelimit" to reasonable values
3) Having more than one LDAP server, so a host which is supposed to be running 
slapd may be able to resolve users without its own slapd running (so the 
details of the ldap user can be resolved, which are required for slapd to 
start as the ldap user).
4) Add the ldap user to the list of users in nss_initgroups_ignoreusers in 
your /etc/ldap.conf (however, IMHO, this just masks the real problem)

> ldap.conf is as follows;
> # @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
> #
> # PADL Software
> # http://www.padl.com
> #
>
> debug 256
> logdir /var/log/ldap.log
>
> #host 127.0.0.1
> base dc=ggw,dc=nws,dc=noaa
> uri ldap://127.0.0.1/
> #uri ldaps://127.0.0.1/
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
>
> binddn cn=Manager,dc=ggw,dc=nws,dc=noaa
> bindpw [correct ldap password]
>
> port 389
>
> timelimit 50
> bind_timelimit 50
> bind_policy hard
> idle_timelimit 3600
>
> pam_password exop
>
> nss_base_passwd         ou=People,dc=ggw,dc=nws,dc=noaa?one
> nss_base_passwd         ou=Computers,dc=ggw,dc=nws,dc=noaa?one
> nss_base_shadow         ou=People,dc=ggw,dc=nws,dc=noaa?one
> nss_base_group          ou=Groups,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_hosts         ou=Hosts,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_services      ou=Services,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_networks      ou=Networks,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_protocols     ou=Protocols,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_rpc           ou=Rpc,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_ethers        ou=Ethers,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_netmasks      ou=Networks,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_bootparams    ou=Ethers,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_aliases       ou=Aliases,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_netgroup      ou=Netgroup,dc=ggw,dc=nws,dc=noaa?one
>
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
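As an added check (not part of the thread, and not nss_ldap's own code): a small Python linter that parses an nss_ldap-style ldap.conf and reports which of the four points in the reply still apply, run over a constructed fragment of the posted settings and a constructed corrected fragment. It assumes the key/value syntax shown in the post, treats `ldap` as the service account name as the reply does, and the 10-second limit and the second server name are illustrative choices.

```python
# Constructed fragment mirroring the settings that matter in the posted ldap.conf.
POSTED_CONF = """
uri ldap://127.0.0.1/
timelimit 50
bind_timelimit 50
bind_policy hard
"""

# Constructed corrected fragment; the second uri is a placeholder, the limits are illustrative.
FIXED_CONF = """
uri ldap://127.0.0.1/ ldap://ldap2.example.com/
bind_policy soft
timelimit 10
bind_timelimit 5
nss_initgroups_ignoreusers root,ldap
"""


def parse_ldap_conf(text: str) -> dict[str, list[str]]:
    """Map each lowercase key to every value given for it; comments and blanks are skipped."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def check_ldap_conf(text: str, max_seconds: int = 10) -> list[str]:
    """Return one finding for each setting that keeps nss_ldap retrying a dead local slapd."""
    conf = parse_ldap_conf(text)
    findings: list[str] = []
    policy = conf.get("bind_policy", ["<unset>"])[-1].lower()   # last occurrence wins
    if policy != "soft":
        findings.append(f"bind_policy is {policy}: lookups block while slapd is down; set 'bind_policy soft'")
    for key in ("bind_timelimit", "timelimit"):
        value = conf.get(key, ["<unset>"])[-1]
        if not value.isdigit() or int(value) > max_seconds:
            findings.append(f"{key} is {value}: lower it to at most {max_seconds} seconds")
    # uri and host lines may each list several servers separated by whitespace.
    servers = [s for line in conf.get("uri", []) + conf.get("host", []) for s in line.split()]
    if len(servers) < 2:
        findings.append(f"only {len(servers)} server configured: add a second uri so users resolve without local slapd")
    ignored = {u.strip() for line in conf.get("nss_initgroups_ignoreusers", []) for u in line.split(",")}
    if "ldap" not in ignored:
        findings.append("ldap user not in nss_initgroups_ignoreusers (masks the problem, but avoids the startup wait)")
    return findings
```

`check_ldap_conf(POSTED_CONF)` returns five findings (policy, both limits, single server, missing ignoreusers entry); `check_ldap_conf(FIXED_CONF)` returns none.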