Hi Prashanth, I have not seen similar issues but I would suggest adding a debug entry in PAM setup. This gives a lot of extra information. Also since you are debugging disable log caching to enable you to see bind attempts immediately dn: cn=config changetype: modify replace: nsslapd-accesslog-logbuffering nsslapd-accesslog-logbuffering: off There is various other logging options which you can easily enable on the 389-console to increase decrease logging for specific actions. Regards > -----Original Message----- > From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users- > bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Prashanth Sundaram > Sent: 15 September 2010 16:27 > To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx > Subject: [389-users] Debug PTA and PAM-PTA stack for ldap timeout > > Hello, > > We are having some ldap timeout issues in out MMR-SLAVE ldap setup. A > user is unable to ssh to random hosts at random times. > > Terminal Error: Permission denied (publickey,gssapi-with-mic,password) > secure logs: pam_ldap: ldap_result Timed out > Failed password for psundaram from 10.1.0.120 port 22039 > ssh2 > > > Sifting thru logs tell the user's password was successfully > authenticated upstream by looking at dirsrv access log with err=0. The > clients connecting to slave incur regular timeouts and the login fails > but it is not case with clients connecting to Master directly. > > Setup: Two Masters with MMR, Two Slaves with MMR. The authentication > for > clients connecting to the slave ldap server goes to the master via PTA > plugin and then from Master it goes to Windows AD via PAM-PTA. > > Client----->Slave--(PTA)-->Master--(PAM-PTA)-->AD(This is where all > passwords are) > > I understand we have might have a long traversal for the > authentication, > but we have set considerably high timeout limits. > > /etc/ldap.conf > timelimit 120 > bind_timelimit 5 > bind_policy hard > idle_timelimit 3600 > > slave ldap server > nsslapd-idletimeout: 86400 > nsbindtimeout: 15 > nsslapd-timelimit: 3600 > > Master ldap server > nsslapd-idletimeout: 7200 > nsbindtimeout: 15 > nsslapd-timelimit: 3600 > > > Anybody had similar issue or can share some debugging tips? > > -Prashanth > > -- > 389 users mailing list > 389-users@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/389-users ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________ -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
