Re: could not hard reconnect to LDAP server - Server is unavailable
On Monday 02 June 2008 18:42:57 Gar Nelson wrote:
>
> I'm currently using openldap-2.2.13-8.el4_6.4 on RHEL 4 and for the most
> part, it appears to be working.
This of course has nothing to do with OpenLDAP itself ...
> I can use ldap to log in on another
> machine, and on a different workstation, the Apache directory browser
> connects and browses (and edits) just fine.
>
> However, when watching /var/log/messages, all is not calm under the
> surface. A shortened snippet of the log is as follows;
>
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: reconnecting to LDAP server...
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:55:46 ggw-s-bdc runuser: nss_ldap: reconnecting to LDAP server...
> [...]
> May 30 14:57:46 ggw-s-bdc runuser: nss_ldap: could not hard reconnect to
> LDAP server - Server is unavailable
> May 30 14:57:46 ggw-s-bdc slaptest: sql_select option missing
> May 30 14:57:46 ggw-s-bdc slaptest: auxpropfunc error no mechanism available
> May 30 14:57:46 ggw-s-bdc runuser: config file testing succeeded
> May 30 14:57:46 ggw-s-bdc ldap: Checking configuration files for slapd:
> succeeded
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: reconnecting to LDAP
> server...
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server
> May 30 14:57:46 ggw-s-bdc slapd[16932]: nss_ldap: reconnecting to LDAP
> server...
> [...]
> May 30 14:59:46 ggw-s-bdc slapd[16932]: nss_ldap: could not hard
> reconnect to LDAP server - Server is unavailable
> May 30 14:59:46 ggw-s-bdc slapd[16932]: sql_select option missing
> May 30 14:59:46 ggw-s-bdc slapd[16932]: auxpropfunc error no mechanism
> available
> May 30 14:59:46 ggw-s-bdc ldap: slapd startup succeeded
>
> It takes around five minutes for ldap to come up waiting for all the
> bind timeouts.
>
> I've tried googling without success
What did you google? This is a well-known problem.
> , I've tried changing from host to
> uri, and from the local 127 address to the machine's outside IP without
> success.
So you don't understand the problem yet ...
> SELinux is disabled. IPTables is not running. nmap localhost reports
> port 389 is open, along with an nmap to its outside IP address.
But this does not apply when slapd isn't running.
> I'm at
> a loss as to how to get "nss-ldap" to bind.
Well, it can't bind when slapd isn't running. So, maybe you should rather be
trying to get it to give up sooner. So, you could consider:
1) Switching to "bind_policy soft"
2) Dropping your "timelimit" and "bind_timelimit" to reasonable values
3) Having more than one LDAP server, so a host which is supposed to be running
slapd may be able to resolve users without its own slapd running (so the
details of the ldap user can be resolved, which are required for slapd to
start as the ldap user).
4) Add the ldap user to the list of users in nss_initgroups_ignoreusers in
your /etc/ldap.conf (however, IMHO, this just masks the real problem)
> ldap.conf is as follows;
> # @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
> #
> # PADL Software
> # http://www.padl.com
> #
>
> debug 256
> logdir /var/log/ldap.log
>
> #host 127.0.0.1
> base dc=ggw,dc=nws,dc=noaa
> uri ldap://127.0.0.1/
> #uri ldaps://127.0.0.1/
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
>
> binddn cn=Manager,dc=ggw,dc=nws,dc=noaa
> bindpw [correct ldap password]
>
> port 389
>
> timelimit 50
> bind_timelimit 50
> bind_policy hard
> idle_timelimit 3600
>
> pam_password exop
>
> nss_base_passwd ou=People,dc=ggw,dc=nws,dc=noaa?one
> nss_base_passwd ou=Computers,dc=ggw,dc=nws,dc=noaa?one
> nss_base_shadow ou=People,dc=ggw,dc=nws,dc=noaa?one
> nss_base_group ou=Groups,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_hosts ou=Hosts,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_services ou=Services,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_networks ou=Networks,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_protocols ou=Protocols,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_rpc ou=Rpc,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_ethers ou=Ethers,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_netmasks ou=Networks,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_bootparams ou=Ethers,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_aliases ou=Aliases,dc=ggw,dc=nws,dc=noaa?one
> #nss_base_netgroup ou=Netgroup,dc=ggw,dc=nws,dc=noaa?one
>
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
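Added example, not part of this thread or of nss_ldap itself: a small Python linter that parses a PADL-style ldap.conf and reports which of the four suggestions in the reply above still apply to it. The 10-second ceiling for bind_timelimit/timelimit and the finding codes are assumptions; the sample config is a constructed, trimmed copy of the posted one.

```python
from urllib.parse import urlsplit

BIND_TIMEOUT_MAX = 10  # assumed "reasonable" ceiling for bind_timelimit/timelimit (seconds)


def parse_ldap_conf(text):
    """Parse PADL-style 'key value' lines into {key: [values]}; keys may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def is_local_server(target):
    """True for ldapi:// sockets, 'localhost' and loopback addresses (127.x, ::1)."""
    if target.lower().startswith("ldapi://"):
        return True
    host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    return host == "localhost" or host.startswith("127.") or host == "::1"


def lint_ldap_conf(text):
    """Return finding codes, one per suggestion in the reply that still applies."""
    conf = parse_ldap_conf(text)
    findings = []
    # 1) nss_ldap defaults to "bind_policy hard": keeps retrying while slapd is down.
    if conf.get("bind_policy", ["hard"])[-1].lower() != "soft":
        findings.append("bind_policy_hard")
    # 2) each failed reconnect waits up to bind_timelimit, so long limits add up.
    for key in ("bind_timelimit", "timelimit"):
        if key in conf and int(conf[key][-1]) > BIND_TIMEOUT_MAX:
            findings.append(key + "_too_long")
    # 3) only loopback servers: the "ldap" account cannot be resolved via NSS
    #    while this host's own slapd is down, yet slapd needs it to start.
    servers = [s for v in conf.get("uri", []) + conf.get("host", []) for s in v.split()]
    if servers and all(is_local_server(s) for s in servers):
        findings.append("only_local_server")
    # 4) "ldap" missing from nss_initgroups_ignoreusers (a mask, not a fix, per the reply).
    ignored = {u.strip() for v in conf.get("nss_initgroups_ignoreusers", []) for u in v.split(",")}
    if "ldap" not in ignored:
        findings.append("ldap_user_not_ignored")
    return findings


# Constructed sample mirroring the posted ldap.conf (bindpw and base omitted).
POSTED_CONF = "uri ldap://127.0.0.1/\ntimelimit 50\nbind_timelimit 50\nbind_policy hard\n"
POSTED_FINDINGS = lint_ldap_conf(POSTED_CONF)
```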