#647978 nslcd slows down everything when I unplug my notebook from network

Package:
nslcd
Source:
nss-pam-ldapd
Description:
daemon for NSS and PAM lookups using LDAP
Submitter:
Jiri Kanicky
Date:
2015-04-15 17:09:12 UTC
Severity:
important
#647978#5
Date:
2011-11-08 02:06:45 UTC
Dear Maintainer,

When I unplug my notebook from my network, nslcd is not able to contact the
LDAP server, and some tasks like "clicking on logout" take a long time and the
following errors are reported.
I believe that nslcd is waiting for a response, and then the task can
proceed, but it should not work like that. In Windows, I also do not wait for
tasks when I work offline.

Nov  8 12:46:24 knightrider nslcd[2146]: [bb2b99] <passwd=10001> no available
LDAP server found: Can't contact LDAP server
Nov  8 12:46:24 knightrider nslcd[2146]: [e3dfe6] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [5b37f3] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [db7e02] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [7ec0c4] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [73bb22] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [9e1dd3] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [d141cc] <passwd=10001> no available
LDAP server found: Server is unavailable
Nov  8 12:46:46 knightrider nslcd[2146]: [f9357a] <passwd=-1> failed to bind to
LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection
timed out

#647978#10
Date:
2011-11-08 22:08:05 UTC
If you want to support off-line operation you either have to have a
local replica of the LDAP server or perform some caching with nscd (or
something else). Currently nss-pam-ldapd does not implement caching.

If the connection to your LDAP server is normally reliable, you could
tune the timing settings to something like this:

bind_timelimit 3
timelimit 3
reconnect_sleeptime 1
reconnect_retrytime 3

This ensures that unavailability of the LDAP server is recorded quickly.

It is a bit strange that this query is retried so often because I would
expect nscd to have cached the result.

Thanks,

#647978#15
Date:
2011-11-08 23:47:43 UTC
Hi.

I use nscd for caching.

I also noticed that if I am off-line, I am not able to fully log in to my
window manager (xfce4, kde4). The login part seems to finish
successfully and I receive a message that I am using cached credentials,
however the screen stays black after that. nslcd logs problems finding
the LDAP server again. If I stop the nslcd service before the login, the
window manager comes up no problem.

Something does not seem to work correctly with nslcd...

Thank you for looking into this.

Jiri

#647978#20
Date:
2011-11-09 19:46:29 UTC
This is probably related to the earlier problem but output from nslcd -d
during such a login would help.

Could you also include /etc/nsswitch.conf and information about your PAM
stack?

Thanks,

#647978#25
Date:
2011-11-09 23:59:17 UTC
Hi.

I also have a problem unlocking my screen. The following messages are
logged. It takes a long time to unlock (in KDE) and I have to press the
unlock button several times.

Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil">
failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't
contact LDAP server: Connection timed out
Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil"> no
available LDAP server found: Can't contact LDAP server
Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil">
"ganomil": user not found: Can't contact LDAP server
Nov 10 10:52:41 knightrider ccreds_chkpwd: Libgcrypt warning: missing
initialization - please fix the application
Nov 10 10:52:46 knightrider nslcd[2103]: [9478fe] <authc="ganomil"> no
available LDAP server found: Server is unavailable
Nov 10 10:52:46 knightrider nslcd[2103]: [9478fe] <authc="ganomil">
"ganomil": user not found: Server is unavailable
Nov 10 10:52:46 knightrider ccreds_chkpwd: Libgcrypt warning: missing
initialization - please fix the application


# cat /etc/nsswitch.conf
   passwd:         files ldap
   group:          files ldap
   shadow:         files ldap

   hosts:          files dns ldap
   networks:       files

   protocols:      db files
   services:       db files
   ethers:         db files
   rpc:            db files

# cat /etc/nscd.conf
#
# /etc/nscd.conf
#
# An example Name Service Cache config file.  This file is needed by nscd.
#
# Legal entries are:
#
#       logfile <file>
#       debug-level <level>
#       threads <initial #threads to use>
#       max-threads <maximum #threads to use>
#       server-user <user to run server as instead of root>
#               server-user is ignored if nscd is started with -S parameters
#       stat-user <user who is allowed to request statistics>
#       reload-count            unlimited|<number>
#       paranoia <yes|no>
#       restart-interval <time in seconds>
#
#       enable-cache <service> <yes|no>
#       positive-time-to-live <service> <time in seconds>
#       negative-time-to-live <service> <time in seconds>
#       suggested-size <service> <prime number>
#       check-files <service> <yes|no>
#       persistent <service> <yes|no>
#       shared <service> <yes|no>
#       max-db-size <service> <number bytes>
#       auto-propagate <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#


#       logfile                 /var/log/nscd.log
#       threads                 4
#       max-threads             32
#       server-user             nobody
#       stat-user               somebody
         debug-level             0
         reload-count            unlimited
         paranoia                no
#       restart-interval        3600

         enable-cache            passwd          yes
         positive-time-to-live   passwd          2592000
         negative-time-to-live   passwd          20
         suggested-size          passwd          211
         check-files             passwd          yes
         persistent              passwd          yes
         shared                  passwd          yes
         max-db-size             passwd          33554432
         auto-propagate          passwd          yes

         enable-cache            group           yes
         positive-time-to-live   group           2592000
         negative-time-to-live   group           60
         suggested-size          group           211
         check-files             group           yes
         persistent              group           yes
         shared                  group           yes
         max-db-size             group           33554432
         auto-propagate          group           yes

# hosts caching is broken with gethostby* calls, hence is now disabled
# per default.  See /usr/share/doc/nscd/NEWS.Debian.
         enable-cache            hosts           no
         positive-time-to-live   hosts           2592000
         negative-time-to-live   hosts           20
         suggested-size          hosts           211
         check-files             hosts           yes
         persistent              hosts           yes
         shared                  hosts           yes
         max-db-size             hosts           33554432

         enable-cache            services        yes
         positive-time-to-live   services        2592000
         negative-time-to-live   services        20
         suggested-size          services        211
         check-files             services        yes
         persistent              services        yes
         shared                  services        yes
         max-db-size             services        33554432

#647978#30
Date:
2011-11-18 04:55:52 UTC
Hi,

Another good repro of the problem is that I log in using cached
credentials, open Konsole (in KDE) and type "su". There is a waiting
period of approx. 5 seconds, then an error (it does not even offer to
type the password).

ldapuser@knightrider:~$ su
su: Cannot determine your user name.

Nov 18 15:51:12 knightrider nslcd[2095]: [c240fb] <passwd=-1> failed to
bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP
server: Connection timed out
Nov 18 15:51:12 knightrider nslcd[2095]: [c240fb] <passwd=-1> no
available LDAP server found: Can't contact LDAP server
Nov 18 15:51:12 knightrider nslcd[2095]: [a026fa] <passwd="ganomil"> no
available LDAP server found: Server is unavailable
Nov 18 15:51:12 knightrider nslcd[2095]: [a1deaa] <passwd=10001> no
available LDAP server found: Server is unavailable

Doing it again proceeds correctly, but when I open a new Konsole, the
process is repeated.

If I stop nslcd, then there is no problem.

Regards,
Jiri

#647978#35
Date:
2011-12-30 21:46:58 UTC
known issues with interaction between the NSS module and nscd where the
cache may end up being invalidated. It seems that if an NSS module
returns a temporary error code instead of a permanent failure code nscd
uses a cached value instead of reporting an error. That could explain
some of the issues you're having.

Some background on this issue can be found here:
http://sources.redhat.com/bugzilla/show_bug.cgi?id=2132
If you are willing to test, I can provide a patch that makes the NSS
module return a different error code.

Another thing is the delays. Since nslcd always tries to connect to the
LDAP server several times on failures there will always be some delay.
However, nslcd should fail rather quickly if connecting to the LDAP
server failed before. You can tune the delay with the bind_timelimit,
timelimit, reconnect_sleeptime and reconnect_retrytime options.

Kind regards,
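
An added example, not from the bug thread or from nss-pam-ldapd itself: a small Python parser for the nslcd syslog lines quoted in this report that groups "no available LDAP server found" and "failed to bind" events into outage windows per nslcd process and records which lookups waited on the reconnect, which is the quickest way to see whether nscd is actually absorbing the repeated queries the maintainer found surprising. The sample lines are reconstructed from this report, and the year 2011 is an assumption since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: nslcd lines quoted in this bug report, wrapped lines
# joined; the last line is from ccreds_chkpwd and must be ignored.
SAMPLE_LOG = """\
Nov  8 12:46:24 knightrider nslcd[2146]: [bb2b99] <passwd=10001> no available LDAP server found: Can't contact LDAP server
Nov  8 12:46:24 knightrider nslcd[2146]: [e3dfe6] <passwd=10001> no available LDAP server found: Server is unavailable
Nov  8 12:46:24 knightrider nslcd[2146]: [5b37f3] <passwd=10001> no available LDAP server found: Server is unavailable
Nov  8 12:46:46 knightrider nslcd[2146]: [f9357a] <passwd=-1> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil"> failed to bind to LDAP server ldap://maverick.allsupp.corp: Can't contact LDAP server: Connection timed out
Nov 10 10:52:41 knightrider nslcd[2103]: [4a481a] <authc="ganomil"> no available LDAP server found: Can't contact LDAP server
Nov 10 10:52:41 knightrider ccreds_chkpwd: Libgcrypt warning: missing initialization - please fix the application
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) nslcd\[(?P<pid>\d+)\]: "
    r"\[(?P<req>[0-9a-f]+)\] <(?P<key>[^>]+)> (?P<msg>.*)$")
# Message prefixes that mean the LDAP server could not be reached (from the report).
UNREACHABLE = ("no available LDAP server found", "failed to bind to LDAP server")

def parse_line(line, year=2011):
    """Split one nslcd syslog line into fields; None for other daemons' lines.
    The year is assumed because syslog timestamps carry none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["unreachable"] = ev["msg"].startswith(UNREACHABLE)
    return ev

def outage_windows(log_text, gap_seconds=300):
    """Group unreachable-server events of one nslcd pid into windows separated
    by more than gap_seconds of silence, recording which request ids and lookup
    keys waited on the reconnect (many keys per window = nothing is cached)."""
    windows = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["unreachable"]:
            continue
        w = windows[-1] if windows else None
        if w and w["pid"] == ev["pid"] and (ev["ts"] - w["end"]).total_seconds() <= gap_seconds:
            w["end"] = ev["ts"]
        else:
            w = {"pid": ev["pid"], "start": ev["ts"], "end": ev["ts"], "requests": set(), "keys": set()}
            windows.append(w)
        w["requests"].add(ev["req"])
        w["keys"].add(ev["key"])
    return windows
```

On the sample the first window (pid 2146) spans 22 seconds from the first "no available" line to the bind timeout and contains four separate requests for the same two keys, the pattern the maintainer expected nscd to have absorbed.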

#647978#42
Date:
2015-04-15 17:07:04 UTC
found 647978 0.9.4-3
found 640774 0.9.4-3
quit

Hello,

  I am experiencing the issue of login failure with cached credentials,
  yet stopping nslcd no longer helps, rather I get this in
  /var/log/auth.log:
Apr 15 18:19:42 myhostname login[13342]: pam_ldap(login:auth): error opening connection to nslcd: No such file or directory