Package: nslcd
Source: nss-pam-ldapd
Description: daemon for NSS and PAM lookups using LDAP
Submitter: Jiri Kanicky
Date: 2015-04-15 17:09:12 UTC
Severity: important
Dear Maintainer,

When I unplug the notebook from my network, nslcd is not able to contact the LDAP server and some tasks like "clicking on logout" take a long time and the following errors are reported. I believe that nslcd is waiting for a response, and then the task can proceed, but it should not work like that. In Windows, I also do not wait for tasks when I work offline.

Nov 8 12:46:24 knightrider nslcd[2146]: [bb2b99] <passwd=10001> no available LDAP server found: Can't contact LDAP server
Nov 8 12:46:24 knightrider nslcd[2146]: [e3dfe6] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [5b37f3] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [db7e02] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [7ec0c4] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [73bb22] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [9e1dd3] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [d141cc] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:46 knightrider nslcd[2146]: [f9357a] <passwd=-1> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
If you want to support off-line operation you either have to have a local replica of the LDAP server or perform some caching with nscd (or something else). Currently nss-pam-ldapd does not implement caching. If the connection to your LDAP server is normally reliable, you could tune the timing settings to something like this:

bind_timelimit 3
timelimit 3
reconnect_sleeptime 1
reconnect_retrytime 3

This ensures that unavailability of the LDAP server is recorded quickly. It is a bit strange that this query is retried so often because I would expect nscd to have cached the result. Thanks,
Hi. I use nscd for caching. I also noticed that if I am off-line, I am not able to fully log in to my window manager (xfce4, kde4). The login part seems to finish successfully and I receive a message that I am using cached credentials, however the screen stays black after that. nslcd logs problems finding the LDAP server again. If I stop the nslcd service before the login, the window manager comes up with no problem. Something does not seem to work correctly with nslcd... Thank you for looking into this. Jiri
This is probably related to the earlier problem but output from nslcd -d during such a login would help. Could you also include /etc/nsswitch.conf and information about your PAM stack? Thanks,
Hi.
I also have a problem unlocking my screen. The following messages are logged. It takes a long time to unlock (in KDE) and I have to press the unlock button several times.

Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil"> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil"> no available LDAP server found: Can't contact LDAP server
Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil"> "ganomil": user not found: Can't contact LDAP server
Nov 10 10:52:41 knightrider ccreds_chkpwd: Libgcrypt warning: missing initialization - please fix the application
Nov 10 10:52:46 knightrider nslcd[2103]: [9478fe] <authc="ganomil"> no available LDAP server found: Server is unavailable
Nov 10 10:52:46 knightrider nslcd[2103]: [9478fe] <authc="ganomil"> "ganomil": user not found: Server is unavailable
Nov 10 10:52:46 knightrider ccreds_chkpwd: Libgcrypt warning: missing initialization - please fix the application
# cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns ldap
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# cat /etc/nscd.conf
#
# /etc/nscd.conf
#
# An example Name Service Cache config file. This file is needed by nscd.
#
# Legal entries are:
#
# logfile <file>
# debug-level <level>
# threads <initial #threads to use>
# max-threads <maximum #threads to use>
# server-user <user to run server as instead of root>
# server-user is ignored if nscd is started with -S parameters
# stat-user <user who is allowed to request statistics>
# reload-count unlimited|<number>
# paranoia <yes|no>
# restart-interval <time in seconds>
#
# enable-cache <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live <service> <time in seconds>
# suggested-size <service> <prime number>
# check-files <service> <yes|no>
# persistent <service> <yes|no>
# shared <service> <yes|no>
# max-db-size <service> <number bytes>
# auto-propagate <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#
# logfile /var/log/nscd.log
# threads 4
# max-threads 32
# server-user nobody
# stat-user somebody
debug-level 0
reload-count unlimited
paranoia no
# restart-interval 3600
enable-cache passwd yes
positive-time-to-live passwd 2592000
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 2592000
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
# hosts caching is broken with gethostby* calls, hence is now disabled
# per default. See /usr/share/doc/nscd/NEWS.Debian.
enable-cache hosts no
positive-time-to-live hosts 2592000
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 2592000
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
Hi, another good repro of the problem is that I log in using cached credentials, open Konsole (in KDE) and type "su". There is a waiting period of approx. 5 seconds, then an error (it does not even offer to type the password):

ldapuser@knightrider:~$ su
su: Cannot determine your user name.

Nov 18 15:51:12 knightrider nslcd[2095]: [c240fb] <passwd=-1> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
Nov 18 15:51:12 knightrider nslcd[2095]: [c240fb] <passwd=-1> no available LDAP server found: Can't contact LDAP server
Nov 18 15:51:12 knightrider nslcd[2095]: [a026fa] <passwd="ganomil"> no available LDAP server found: Server is unavailable
Nov 18 15:51:12 knightrider nslcd[2095]: [a1deaa] <passwd=10001> no available LDAP server found: Server is unavailable

Doing it again proceeds correctly, but when I open a new Konsole, the process is repeated. If I stop nslcd, then there is no problem. Regards, Jiri
known issues with interaction between the NSS module and nscd where the cache may end up being invalidated. It seems that if an NSS module returns a temporary error code instead of a permanent failure code, nscd uses a cached value instead of reporting an error. That could explain some of the issues you're having. Some background on this issue can be found here: http://sources.redhat.com/bugzilla/show_bug.cgi?id=2132 If you are willing to test, I can provide a patch that makes the NSS module return a different error code. Another thing is the delays. Since nslcd always tries to connect to the LDAP server several times on failures there will always be some delay. However, nslcd should fail rather quickly if connecting to the LDAP server failed before. You can tune the delay with the bind_timelimit, timelimit, reconnect_sleeptime and reconnect_retrytime options. Kind regards,
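The two maintainer replies above distinguish a real connection attempt that blocks for the bind timeout ("failed to bind ... Connection timed out") from the fast "Server is unavailable" failures nslcd returns once it has recorded the server as down, and suggest tuning bind_timelimit and reconnect_retrytime. The script below is an added example, not part of this bug report or of nss-pam-ldapd: it parses nslcd syslog lines of the shape quoted in the thread, classifies each line, and measures the gap between the last fast failure and the next blocking attempt, which is the window during which nslcd stopped retrying (the reconnect_retrytime effect). The sample log is constructed from the lines quoted in the report; the year is absent from syslog timestamps, so only intervals are meaningful, and the classification strings are assumptions based on the messages seen here rather than an exhaustive list of nslcd's messages.

```python
"""Classify nslcd log lines and measure how long nslcd stops retrying after
recording the LDAP server as unavailable. Example code written for this bug
thread; the message patterns are those seen in the quoted logs only."""
import re
from datetime import datetime

# Constructed sample: lines quoted in this bug report (hostname, pids and
# request ids as reported), abridged.
SAMPLE_LOG = """\
Nov 8 12:46:24 knightrider nslcd[2146]: [bb2b99] <passwd=10001> no available LDAP server found: Can't contact LDAP server
Nov 8 12:46:24 knightrider nslcd[2146]: [e3dfe6] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [5b37f3] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:24 knightrider nslcd[2146]: [db7e02] <passwd=10001> no available LDAP server found: Server is unavailable
Nov 8 12:46:46 knightrider nslcd[2146]: [f9357a] <passwd=-1> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
Nov 18 15:51:12 knightrider nslcd[2095]: [c240fb] <passwd=-1> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
Nov 18 15:51:12 knightrider nslcd[2095]: [c240fb] <passwd=-1> no available LDAP server found: Can't contact LDAP server
Nov 18 15:51:12 knightrider nslcd[2095]: [a026fa] <passwd="ganomil"> no available LDAP server found: Server is unavailable
Nov 18 15:51:12 knightrider nslcd[2095]: [a1deaa] <passwd=10001> no available LDAP server found: Server is unavailable
"""

# syslog prefix, then nslcd's "[request-id] <lookup> message" payload.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) nslcd\[(?P<pid>\d+)\]: \[(?P<req>[0-9a-f]+)\] "
    r"<(?P<lookup>[^>]+)> (?P<msg>.*)$"
)


def classify(msg):
    """Map a message to what it cost the caller (assumed patterns, see above)."""
    if msg.startswith("failed to bind to LDAP server") and msg.endswith("Connection timed out"):
        return "bind_timeout"      # a real attempt: the caller waited for bind_timelimit
    if msg.startswith("no available LDAP server found: Server is unavailable"):
        return "fast_fail"         # server already recorded as down: no wait
    if msg.startswith("no available LDAP server found"):
        return "no_server"         # summary line after a real attempt
    if "user not found" in msg:
        return "not_found_to_caller"  # what PAM/NSS clients actually see
    return "other"


def parse_line(line):
    """Return a dict for an nslcd line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; strptime fills in 1900, which is fine for intervals.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "pid": int(m["pid"]), "req": m["req"],
            "lookup": m["lookup"], "msg": m["msg"], "kind": classify(m["msg"])}


def summarize(log_text):
    """Count line kinds and measure fast-fail -> next real attempt gaps."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = {}
    for e in events:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    # How long nslcd kept answering "Server is unavailable" before it tried the
    # server again; with reconnect_retrytime 3 this should stay around 3 s.
    retry_gaps = []
    last_fast = None
    for e in events:
        if e["kind"] == "fast_fail":
            last_fast = e["ts"]
        elif e["kind"] == "bind_timeout" and last_fast is not None:
            retry_gaps.append((e["ts"] - last_fast).total_seconds())
            last_fast = None
    return {"events": len(events),
            "requests": len({e["req"] for e in events}),
            "counts": counts,
            "retry_gaps_s": retry_gaps}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} nslcd lines, {s['requests']} requests")
    for kind, n in sorted(s["counts"].items()):
        print(f"  {kind:20s} {n}")
    for gap in s["retry_gaps_s"]:
        print(f"  fast failures, then a real attempt {gap:.0f}s later")
```

Run it against `journalctl -u nslcd` or the relevant syslog file instead of the embedded sample to see whether the tuned timing settings took effect: every `bind_timeout` line is a caller that blocked for the full bind_timelimit, and the reported gap is roughly the reconnect_retrytime in force.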
found 647978 0.9.4-3
found 640774 0.9.4-3
quit

Hello, I am experiencing the issue of login failure with cached credentials, yet stopping nslcd no longer helps, rather I get this in /var/log/auth.log:

Apr 15 18:19:42 myhostname login[13342]: pam_ldap(login:auth): error opening connection to nslcd: No such file or directory