Re: ldap too many connections from clients? following ldap even for local accounts?

If a machine is disconnected from the network, a login attempt as 'root' user (with local passwd file entry and password) fails.
...
I think I need to configure something such that the nsswitch.conf entry tells it to stop if it finds the 'files' entry and not proceed to the 'ldap' entry. I thought this would happen by default.

At least for authentication, this behavior also depends on your PAM config.

You need to make sure that the auth and account stacks will succeed for local accounts (e.g., root) without asking pam_ldap.
What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients?


MJD Shop Account wrote:
I'm having some odd ldap issues with connection or lack thereof to the ldap server when nsswitch.conf and pam.d/system-auth are configured to use the FDS ldap server.

I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host names. I've noticed these issues:

    * If a machine is disconnected from the network, a login attempt
      as 'root' user (with local passwd file entry and password)
      fails.  The system appears to accept the password, but sits for
      maybe a minute, then dumps you back to the login prompt.  I've
      had to boot off rescue CD and shell in to remove 'ldap' from
      the /etc/nsswitch.conf file to get around this in some instances.

      My relevant /etc/ldap.conf entries are:
      passwd:     files ldap
      shadow:     files
      group:      files ldap
      netgroup:   files ldap

    * I noticed that any randomly chosen client has a few
      connections to the ldap server that persist.  The connections
      are tied to processes that also should have local entries only
      in the local /etc/passwd files.  Here's an example:
      # netstat -a | grep ldap
      tcp       38      0 clienthostname:32771 serverhostname:ldap CLOSE_WAIT
      # fuser 32771/tcp
      here: 32771
      32771/tcp:            3729
      # ps -ef | grep 3729 | grep -v grep
      ntp       3729     1  0 Feb23 ?        00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
      #

    * I notice that doing a "netstat -a" on the server that most
      clients are using takes a long time.  It spits out a bunch,
      then slows down when reporting the entries that are ESTABLISHED
      ldap connections:
      tcp        0      0 ldapserver:ldap ldapclient:35908 ESTABLISHED
      I see that some clients have very many connections, I would
      expect just one or two.  Here's one client that had a whole
      bunch, most disappeared before I could capture this bash shell
      command output.  This output is for jobs associated with ports
      connecting to ldap server:
      # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | grep $j | grep -v grep; done; done
      xfs       2726     1  0 Feb20 ?        00:00:00 xfs -droppriv -daemon
      root      3138  3031  0 Feb20 ?        00:00:00 /usr/bin/gdm-binary bell-style none
      root      3418  3138  0 18:32 ?        00:00:02 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
      gdm       3430  3138  0 18:32 ?        00:00:00 /usr/bin/gdmgreeter
      root      2477  2617  0 18:22 ?        00:00:01 sshd: root@pts/0
      root      2481  2477  0 18:22 pts/0    00:00:00 -tcsh

      I ran a similar command on a client computer where the user is
      running a lot of jobs, I got 53 lines of output.  Basically
      every job is maintaining an ldap connection, I guess.

    * I think I need to configure something such that the
      nsswitch.conf entry tells it to stop if it finds the 'files'
      entry and not proceed to the 'ldap' entry.  I thought this would
      happen by default.

    * I think the above problem is possibly leading to many more ldap
      connections than are necessary which in turn may be causing
      performance issues on the server, ALTHOUGH the cpu load and
      memory load does not appear inordinately heavy

    * I tried running nscd (for caching the info) once, it seemed to
      cause too many problems so I turned it off.  I have tried
      something like implementing pam_ccache, I don't think it would
      help the too-many-connections, just the issue with no logins
      when off the net.

    * Here's my /etc/ldap.conf minus the usual comment lines, I'm
      doing anonymous binds.  Maybe there's some keepalive flag that
      should be set or unset?:
      host server1 server2
      base dc=example,dc=com
      ldap_version 3
      scope sub
      bind_timelimit 10
      pam_lookup_policy yes
      pam_password exop
      nss_base_passwd         ou=People,dc=example,dc=com?one
      nss_base_group          ou=Group,dc=example,dc=com?one
      nss_base_services       ou=Services,dc=example,dc=com?one
      nss_base_aliases        ou=Aliases,dc=example,dc=com?one
      nss_base_netgroup       ou=Netgroup,dc=example,dc=com?one
      ssl start_tls
      tls_checkpeer yes
      tls_cacertfile /usr/share/ssl/certs/servercert.pem
      tls_ciphers TLSv1
      pam_password md5

Any suggestions on what I might be doing wrong are greatly appreciated!

-Marty

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users



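An added example, not from the reply or from Marty's message, of what the reply is asking for: a /etc/pam.d/system-auth whose auth and account stacks finish for local accounts before pam_ldap is consulted, shown against the stacking that produces the symptom above (password accepted, long pause, back to the login prompt), followed by nss_ldap settings that make a lookup fail fast when neither host answers. Paths follow RHEL4's /lib/security/$ISA/ layout; pam_succeed_if ships with RHEL4's Linux-PAM but, as far as I know, not RHEL3's, so check ls /lib/security before relying on it there. Two things the thread does not spell out: glibc's initgroups(3), which runs at every login, walks every source on the group: line rather than stopping at files, so a group: files ldap entry still reaches LDAP for root even though passwd: files ldap does stop at files; and nss_ldap keeps one connection open per process that has done a lookup, which is why ntpd, xfs and X each hold one. The uid cut-off and the user list on the nss_initgroups_ignoreusers line are assumptions for this example, and that option is only honoured by nss_ldap versions that implement it.

```text
# ---- /etc/pam.d/system-auth: stacking that produces the symptom ----
# root's password is accepted by pam_unix (sufficient), but the account
# stack then hands root to pam_ldap, which blocks until nss_ldap/pam_ldap
# give up on both hosts and then fails the login.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_ldap.so

# ---- /etc/pam.d/system-auth: local accounts decided before pam_ldap ----
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
# system accounts (uid < 100 is an assumed cut-off; adjust to your uid layout)
# never reach pam_ldap, so the server being down cannot fail them
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
# for everyone else: a user pam_ldap does not know about is ignored rather than
# rejected, so a local non-system user still logs in while LDAP is reachable
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

# ---- /etc/ldap.conf (nss_ldap) additions: fail fast when no server answers ----
# the default bind_policy hard retries the connection with back-off; soft
# returns an error to the caller as soon as the connect (bind_timelimit) fails
bind_policy soft
bind_timelimit 10
timelimit 10
# skip the initgroups() walk into LDAP for local system accounts; honoured only
# by nss_ldap versions that implement this option (user list is an assumption)
nss_initgroups_ignoreusers root,ntp,xfs,gdm
```

A quick way to tell which path is stalling on a disconnected client: getent passwd root returns at once because the passwd lookup stops at files, while id root (which goes through initgroups) hangs for the bind_timelimit and retry budget; if id root also returns promptly after the ldap.conf change but login still pauses, the remaining delay is in the PAM account or session stack.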
