[CALUG] Slapd starts up slowly

Joe Tseng joe_tseng at hotmail.com
Wed Mar 2 07:31:20 EST 2011


Someone else suggested I add "bind_policy soft" to /etc/ldap.conf; slapd 
started right up after that.  I guess that only papers over the problem with 
NSS but at least it makes slapd start up a whole lot faster.

:)

-----Original Message----- 
From: Bryan J Smith
Sent: Tuesday, March 01, 2011 9:04 PM
To: Joe Tseng ; calug at unknownlamer.org
Subject: Re: [CALUG] Slapd starts up slowly

I'm still curious how it worked before.  Can you send me your ldap.conf files
off-list?  I'm not entirely sure it's the same problem.

Also remember that if you upgrade to F14, not all of your add-ons may be
available for it.  But yes, sssd is much nicer than a lot of the legacy nss
stuff.



----- Original Message ----
From: Joe Tseng <joe_tseng at hotmail.com>
To: Bryan J Smith <b.j.smith at ieee.org>; calug at unknownlamer.org
Sent: Tue, March 1, 2011 8:18:20 PM
Subject: Re: [CALUG] Slapd starts up slowly

https://bugzilla.redhat.com/show_bug.cgi?id=553032

I think I will be migrating to F14 this weekend; that should eliminate this
problem.

-----Original Message-----
From: Bryan J Smith
Sent: Tuesday, March 01, 2011 9:47 AM
To: Joe Tseng ; calug at unknownlamer.org
Subject: Re: [CALUG] Slapd starts up slowly

There it is ...

"nss_ldap: failed to bind to LDAP server"

Remember, /etc/ldap.conf is NSS (e.g., nss_ldap).
And /etc/openldap/ldap.conf is OpenLDAP.

For Fedora-based clients, you will need to have _both_ configured.  The main
Fedora client services (e.g., PAM, NSSwitch, etc...) use the NSS libraries, but
the OpenLDAP clients/tools may also connect to it as well.  So it may very well
be that the OpenLDAP server (slapd) is up'n running fine, but your system's NSS
libraries can't bind to it because /etc/ldap.conf isn't configured correctly.

I don't know how this "add-on" works.  Nominally for Fedora-based clients,
"system-config-authentication" is utilized.  It handles setting up most of this,
for both NSS and OpenLDAP clients.



----- Original Message ----
From: Joe Tseng <joe_tseng at hotmail.com>
To: Bryan J Smith <b.j.smith at ieee.org>; calug at unknownlamer.org
Sent: Mon, February 28, 2011 9:22:30 PM
Subject: RE: [CALUG] Slapd starts up slowly

I was mistaken earlier; I was looking at /etc/openldap/ldap.conf; I never
configured /etc/ldap.conf.  Regardless, updating that file made no
difference.

I did not have a log set up specifically to be generated by openldap.  I
went ahead and configured slapd to generate a log while running and
restarted the service, but no messages were generated for that file.  My
/var/log/messages looks like this:

$ sudo tail -f /var/log/messages
Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:23 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:39 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 32 seconds)...
Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:01:11 server0 slapd: nss_ldap: reconnecting to LDAP server
(sleeping 64 seconds)...
Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd: nss_ldap: could not search LDAP server -
Server is unavailable
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 32 seconds)...
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a
directory)|0x20089|pictures
Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a
directory)|0x20089|pictures/porsche918
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server
(sleeping 64 seconds)...
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server
ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: could not search LDAP server
- Server is unavailable


I stopped the log when slapd was up and running:


$ sudo service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
$ sudo service slapd status
slapd (pid  5726) is running...

$ ps -ef | grep slapd
ldap      5726     1  0 21:04 ?        00:00:00 /usr/sbin/slapd -h  ldap:///
-u ldap
jtseng    5756  5501  0 21:05 pts/2    00:00:00 grep slapd


My includes for slapd are as follows:

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/autofs.schema
include         /etc/openldap/schema/ldapns.schema

I imagine I won't need all of those but aside from core, inetorgperson,
openldap, samba, autofs and ldapns I wouldn't know what I can discard.
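
Added example, not part of the mailing-list messages: a small parser that totals how long each process spent in the nss_ldap reconnect backoff seen in the /var/log/messages excerpt above. The sample lines are constructed (unwrapped and shortened from that excerpt), and the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: unwrapped syslog lines modelled on the excerpt in the thread.
SAMPLE_LOG = """\
Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 28 21:00:23 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Feb 28 21:00:39 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Feb 28 21:01:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Feb 28 21:02:15 server0 slapd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Feb 28 21:02:50 server0 smbd_audit: constructed unrelated line, ignored by the parser
"""

# "<Mon> <day> <HH:MM:SS> <host> <tag>: nss_ldap: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<tag>[^:]+): nss_ldap: (?P<msg>.*)$")
SLEEP = re.compile(r"reconnecting to LDAP server \(sleeping (\d+) seconds\)")
FAIL = re.compile(r"failed to bind to LDAP server (\S+): ")

def summarize(log_text):
    """Per syslog tag: seconds slept in backoff, bind failures per URI, give-ups."""
    stats = defaultdict(lambda: {"slept": 0, "failed": defaultdict(int), "gave_up": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an nss_ldap message
        entry, msg = stats[m["tag"]], m["msg"]
        if (sl := SLEEP.search(msg)):
            entry["slept"] += int(sl.group(1))
        elif (f := FAIL.search(msg)):
            entry["failed"][f.group(1)] += 1
        elif msg.startswith("could not search LDAP server"):
            entry["gave_up"] += 1  # one full retry cycle ended without a bind
    return stats

if __name__ == "__main__":
    # With "bind_policy soft" in /etc/ldap.conf, nss_ldap returns immediately
    # on server failure, so these "sleeping" lines should no longer appear.
    for tag, entry in summarize(SAMPLE_LOG).items():
        print(tag, entry["slept"], "s slept,", entry["gave_up"], "give-up(s)", dict(entry["failed"]))
```

One full cycle sleeps 4 + 8 + 16 + 32 + 64 = 124 seconds, which matches the gap between 21:00:11 and 21:02:15 in the excerpt.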




