Samba and ldap troubles.

Scott J. Henson scotth at csee.wvu.edu
Fri Sep 2 13:54:09 CDT 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

George Farris wrote:
> On Fri, 2005-09-02 at 13:45 -0400, Scott J. Henson wrote:
> 
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Yes, this sounds like libnss-ldap being crappy.  It happens whenever
>>libnss cannot contact the ldap server.  I would suggest not using
>>libnss-ldap on your ldap servers.  It would seem to me that there may be
>>a race in there somewhere or a dead lock.  Remove libnss-ldap from the
>>ldap servers and I think your problems should be resolved.
>>
>>This should have nothing to do with the backend of choice.  Its all
>>about slapd using some libc function that somehow accesses nss, which
>>then must poll ldap, but the ldap server is waiting on its original
>>request to be fulfilled, which causes the lock.  I'm not positive that
>>this is what is happening, but it seems logical.  Possibly you could use
>>nscd to reduce the frequency of the locks, but I would think it would
>>just delay the inevitable.
> 
> 
> I'm wondering if the bind_policy and bind_timelimit would help here.
> Also this may not per say be a development issue so I suppose I should
> move this discussion off the devel list, however, if libnss-ldap is
> having this problem due to possibly a libc issue and yes now that you
> mention it I did see that in the debug log, would not pam_ldap also
> experience that same thing?
> 
> 
pam_ldap seems a bit more robust.  If it can't contact the ldap servers
it just fails authentication.  Its kinda hard to seperate the two
because when libnss-ldap can't contact ldap, then nothing works, but
from my experience, pam_ldap is better about things.  Probably because
it doesn't hook into libc.

Also, Ive never really messed with bind_policy, so that might do
something, not entirely sure though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDGJ/Qr2exNrjonJARApxbAJ9AACMaaoaH+zsobS7796abN71U5gCfVAoy
oVF5vmgPgdSftd7QQOg9CU0=
=bfMK
-----END PGP SIGNATURE-----

More information about the ubuntu-devel mailing list