[CALUG] Slapd starts up slowly

Joe Tseng joe_tseng at hotmail.com
Mon Feb 28 21:22:30 EST 2011


I was mistaken earlier; I was looking at /etc/openldap/ldap.conf; I never
configured /etc/ldap.conf.  Regardless, updating that file made no
difference.

I did not have a log set up specifically to be generated by openldap.  I
went ahead and configured slapd to generate a log while running and
restarted the service, but no messages were generated for that file.  My
/var/log/messages looks like this:

$ sudo tail -f /var/log/messages 
Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:23 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:39 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 32 seconds)...
Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:01:11 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 64 seconds)...
Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd: nss_ldap: could not search LDAP server -
Server is unavailable
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 32 seconds)...
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a
directory)|0x20089|pictures
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a
directory)|0x20089|pictures/porsche918
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 64 seconds)...
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: could not search LDAP server
- Server is unavailable


I stopped the log when slapd was up and running:


$ sudo service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
$ sudo service slapd status
slapd (pid  5726) is running...

$ ps -ef | grep slapd
ldap      5726     1  0 21:04 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// -u ldap
jtseng    5756  5501  0 21:05 pts/2    00:00:00 grep slapd


My includes for slapd are as follows:

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/autofs.schema
include         /etc/openldap/schema/ldapns.schema

I imagine I won't need all of those but aside from core, inetorgperson,
openldap, samba, autofs and ldapns I wouldn't know what I can discard.


 - Joe

 

-----Original Message-----
From: Bryan J Smith [mailto:b.j.smith at ieee.org] 
Sent: Monday, February 28, 2011 8:45 AM
To: Joe Tseng; calug at unknownlamer.org
Subject: Re: [CALUG] Slapd starts up slowly

Couple of things ...

A)  /etc/ldap.conf is not OpenLDAP.  It's the Red Hat LDAP/NSS system[1],
and base OS client setup.  /etc/openldap/ldap.conf is for OpenLDAP clients.
It's not the OpenLDAP server configuration.  However, it is still used for
the base OS' authentication and object lookup, and Red Hat also still
provides the OpenLDAP clients as well (so both /etc/ldap.conf and
/etc/openldap/ldap.conf should be configured).

B)  If your /etc/ldap.conf changed, then what was updated?  How was it
updated?  Is it still 644 permissions?  If SELinux is enforcing, are the
contexts correct?  Use "ls -Zail" to see them, or just "restorecon
/etc/ldap.conf" to restore them.

C)  Even if your DB is small, the schema can take a bit to load.  OpenLDAP
often has to chug through various schema files.  If permissions or SELinux
contexts have changed on those files, then there might be issues, timeouts
and other things that are causing the delays.

D)  What is in /var/log/openldap.log?  Messages often won't show OpenLDAP
details, other than the service being stopped/started, or critical/emergency
messages (maybe warnings) during such.  The openldap.log file will likely
show lower facility messages as well.  Compare to when it worked.

NOTES:

[1] Netscape Security Services.  Red Hat purchased the iPlanet software
(directory server, certificate server, various client components, etc...)
many years ago.  iPlanet is the original, commercial LDAP product much like
Navigator was the original web browser, Netscape hired away the original
Michigan LDAP developers just like they did the original Illinois Mosaic
developers.  The product then blossomed into the iPlanet line much like the
browser did the Communicator line.  Red Hat released it as open source (GPL
and MPL where required) in, now, Port 389 server
( http://directory.fedoraproject.org/ ) and a sister project that is AD-like
(in NTuser object schema, required use of Kerberos, etc...) in FreeIPA
( http://www.freeipa.org ).

-- Bryan

P.S.  What about "EL6" (e.g., rebuilds like CentOS 6, when it is released)?
It is based on a late Fedora release, unlike "EL5" (which is based on old
Fedora Core 6).  It should have the required Ruby on Rails version,
especially if it works on Fedora 12 (which "EL6" is largely based on, with
some Fedora 13 additives).
 


----- Original Message ----
From: Joe Tseng <joe_tseng at hotmail.com>
To: Bryan J Smith <b.j.smith at ieee.org>; calug at unknownlamer.org

Amahi for F14 will be released sometime this week; I am definitely planning
on doing that upgrade.  They said they did not consider releasing for CentOS
5.x due to their platform dependencies for Ruby on Rails.

As for the size of my database/schema it shouldn't be very large as it
currently is me, the wife and son and three workstation nodes.  What I don't
understand is it JUST started behaving like this, and I haven't really added
anything new to LDAP once it was up and running.

I also noticed I had to redo my /etc/ldap.conf; it was replaced by some
default file.  Although I restored to what it was previously it made no
difference in speed.
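
Added example, not part of the original thread: a small Python parser for the /var/log/messages excerpt above that re-joins the mail-wrapped records and totals, per syslog tag, the seconds nss_ldap spent in its reconnect backoff (the 4, 8, 16, 32, 64 second cycle in the log). The sample lines are constructed in the same shape as the excerpt, and the function names are this example's own.

```python
import re

HEAD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ([^:\s]+): (.*)$")
SLEEP = re.compile(r"reconnecting to LDAP server \(sleeping (\d+) seconds\)")

# Constructed sample shaped like the excerpt above, mail wrapping kept.
SAMPLE = """\
Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb 28 21:00:23 server0 slapd: nss_ldap: could not search LDAP server -
Server is unavailable
Feb 28 21:00:23 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 28 21:00:24 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a
directory)|0x20089|pictures
"""

def unwrap(text):
    """Re-join wrapped records: a line without a syslog header continues the previous one."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def nss_ldap_backoff(text):
    """Per syslog tag: seconds slept in backoff, failed binds, lookups given up."""
    report = {}
    for rec in unwrap(text):
        m = HEAD.match(rec)
        if not m or not m.group(2).startswith("nss_ldap:"):
            continue  # other services (e.g. smbd_audit) are ignored
        tag, msg = m.groups()
        row = report.setdefault(tag, {"slept": 0, "failed_binds": 0, "gave_up": 0})
        s = SLEEP.search(msg)
        if s:
            row["slept"] += int(s.group(1))
        elif "failed to bind" in msg:
            row["failed_binds"] += 1
        elif "could not search LDAP server" in msg:
            row["gave_up"] += 1
    return report
print(nss_ldap_backoff(SAMPLE))
```

Run against the full excerpt, the "slept" total for each tag gives the time that start-up spent waiting on nss_ldap rather than on loading schema or data.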




