Your message dated Fri, 24 Sep 2010 07:47:08 +0000
with message-id <[email protected]>
and subject line Bug#596983: fixed in nss-pam-ldapd 0.7.10
has caused the Debian Bug report #596983,
regarding libnss-ldapd: Fallback to secondary ldap server does not work as
expected
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
596983: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=596983
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss-ldapd
Version: 0.6.7.2
Severity: important
Hi,
I wanted to replace my libnss-ldap setup by libnss-ldapd. At first sight it
seems to work like a charm.
Response times were even without nscd much better than before, but fallback to
secondary ldap server does not work as expected.
If I block all requests on the first ldap server by iptables I always get a
timeout from nslcd:
nslcd: [b127f8] ldap_result() timed out
It never reconnects to the other server. I tried all possibilities of changing
timeout values in /etc/nss-ldapd.conf. I changed ssl on and off ...
My last (and stupid) try was up to:
threads 1
bind_timelimit 1
timelimit 1
idle_timelimit 10
In netstat output I see many ESTABLISHED and CLOSE_WAIT connections to the (not
reachable) ldap server.
The only way to connect to the second ldap server is killing and restarting
nslcd (in my test scenario ldap2 is indeed the first server to ask):
pkill -9 nslcd
nslcd -d
nslcd: DEBUG: add_uri(ldap://ldap2.xxxxxxxxxx/)
nslcd: DEBUG: add_uri(ldap://ldap1.xxxxxxxxxx/)
nslcd: version 0.6.7 starting
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(110) done
nslcd: DEBUG: setuid(106) done
nslcd: accepting connections
nslcd: [b0dc51] DEBUG: connection from pid=16207 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_group_bygid(1111)
nslcd: [b0dc51] DEBUG: myldap_search(base="xxxxxx",
filter="(&(objectClass=posixGroup)(gidNumber=1111))")
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
In this case, the first lookup takes bind_timelimit to succeed and subsequent
queries go automatically to the fallback server.
But this is definitely not satisfying. If I use libnss-ldap like before on the
same machine everything works as expected.
So my conclusion is that nslcd seems to connect to the first ldap server and
tries to keep this connection forever. I also waited some minutes and nothing
changed. Even if I restart the network interface locally it does not try to
connect to the second server.
The only way to use the fallback server is to restart nslcd.
If you need more information or if I could do some more testing let me know.
Regards,
matthias
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages libnss-ldapd depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii libc6 2.7-18lenny4 GNU C Library: Shared libraries
ii libkrb53 1.6.dfsg.4~beta1-5lenny4 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1+lenny2 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
Versions of packages libnss-ldapd recommends:
ii libpam-ldap 184-4.2 Pluggable Authentication Module fo
ii nscd 2.7-18lenny4 GNU C Library: Name Service Cache
libnss-ldapd suggests no packages.
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.7.10
We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive:
libnss-ldapd_0.7.10_i386.deb
to main/n/nss-pam-ldapd/libnss-ldapd_0.7.10_i386.deb
libpam-ldapd_0.7.10_i386.deb
to main/n/nss-pam-ldapd/libpam-ldapd_0.7.10_i386.deb
nslcd_0.7.10_i386.deb
to main/n/nss-pam-ldapd/nslcd_0.7.10_i386.deb
nss-pam-ldapd_0.7.10.dsc
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.7.10.dsc
nss-pam-ldapd_0.7.10.tar.gz
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.7.10.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <[email protected]> (supplier of updated nss-pam-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 24 Sep 2010 09:00:00 +0200
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.7.10
Distribution: unstable
Urgency: low
Maintainer: Arthur de Jong <[email protected]>
Changed-By: Arthur de Jong <[email protected]>
Description:
libnss-ldapd - NSS module for using LDAP as a naming service
libpam-ldapd - PAM module for using LDAP as an authentication service
nslcd - Daemon for NSS and PAM lookups using LDAP
Closes: 596983
Changes:
nss-pam-ldapd (0.7.10) unstable; urgency=low
.
* handle errors from ldap_result() better and disconnect (and reconnect)
in more cases (closes: #596983)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkycUsYACgkQVYan35+NCKfFsQCguI3YZdOUDuEe3IPk+BIegNmB
Vq4AoKUyRxTd4uNBL5v8OnXzPAbna6L0
=2SyO
-----END PGP SIGNATURE-----
--- End Message ---
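A small model of the failure mode in the report and of the 0.7.10 changelog entry ("disconnect (and reconnect) in more cases"), added here as an illustration; it is not nslcd's code. The struct and function names are hypothetical, the host names are placeholders, and the network is simulated by a `reachable` flag.

```c
#include <stdio.h>

/* Constructed model: a server is a URI plus a flag saying whether requests
   to it are answered (0 stands for the iptables block in the report). */
struct server { const char *uri; int reachable; };

/* Hypothetical session state: index of the connected server, -1 if none. */
struct session { int current; };

/* Walk the configured URIs in order and keep the first one that answers. */
static int connect_any(struct session *s, const struct server *srv, int n)
{
    for (int i = 0; i < n; i++)
        if (srv[i].reachable) { s->current = i; return i; }
    s->current = -1;
    return -1;
}

/* One lookup: returns the index of the answering server, or -1 on timeout.
   reconnect_on_error == 0 keeps a timed-out connection (reported behaviour);
   1 drops it and walks the URI list again (what the changelog describes). */
static int lookup(struct session *s, const struct server *srv, int n,
                  int reconnect_on_error)
{
    if (s->current < 0 && connect_any(s, srv, n) < 0)
        return -1;
    if (srv[s->current].reachable)
        return s->current;
    /* waiting for the result timed out on an established connection */
    if (!reconnect_on_error)
        return -1;                 /* stale connection stays in place */
    s->current = -1;               /* disconnect ... */
    return connect_any(s, srv, n); /* ... and reconnect, possibly elsewhere */
}

int main(void)
{
    struct server srv[] = { { "ldap://ldap1.example/", 1 },
                            { "ldap://ldap2.example/", 1 } };
    struct session before = { -1 }, after = { -1 };
    lookup(&before, srv, 2, 0);    /* both sessions connect to ldap1 */
    lookup(&after, srv, 2, 1);
    srv[0].reachable = 0;          /* ldap1 becomes unreachable */
    printf("keep connection: %d\n", lookup(&before, srv, 2, 0));
    printf("reconnect:       %d\n", lookup(&after, srv, 2, 1));
    return 0;
}
```

In the first mode every lookup after the outage keeps timing out until the session is recreated, which matches the reporter's observation that only restarting the daemon reached the second server.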