Hugh E Cruickshank
2008-Feb-19 22:09 UTC
[CentOS] nss_ldap failed to bind to LDAP server 127.0.0.1
Hi All:

Over the weekend I installed all the outstanding updates for our CentOS 4 based server. Since I had been holding off on these until I had addressed some disk space issues there were a large number (300+). I know, my bad! After installing the updates I rebooted the system and it took forever to boot and once up there were problems connecting to some of our SAMBA shares. I checked the messages log file and found a multitude of entries similar to:

    Feb 17 19:46:18 fisds0 named[23187]: nss_ldap: failed to bind to LDAP server 127.0.0.1: Can't contact LDAP server
    Feb 17 19:46:18 fisds0 named[23187]: nss_ldap: reconnecting to LDAP server...

These were being reported for named, nscd, smbd, statd, rquotad, etc.

I did some Google searching and found some references to the change of the default value for the "bind_policy" parameter in the "ldap.conf" file from "soft" to "hard". I added an explicit "bind_policy soft" to the "/etc/ldap.conf" file and that has improved things dramatically.

However the errors are still being reported in the messages log file. The errors are valid as we do not have an LDAP server (on my list for a future project). What I am trying to figure out is why it is looking for one. I have done some additional Google searching but I have not found any definitive answers. From what I have seen I suspect that the problem lies with our /etc/nsswitch.conf file and that I need to change references to "file ldap" to just "files".

I am loath to make such changes without something more definite than my personal suspicion. Can someone confirm that I am on the right track or, if not, point me in the right direction?

TIA

Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
William L. Maltby
2008-Feb-19 23:24 UTC
[CentOS] nss_ldap failed to bind to LDAP server 127.0.0.1
On Tue, 2008-02-19 at 14:09 -0800, Hugh E Cruickshank wrote:
> Hi All:
>
> Over the weekend I installed all the outstanding updates for our
> CentOS 4 based server. Since I had been holding off on these until
> I had addressed some disk space issues there were a large number
> (300+). I know, my bad! After installing the updates I rebooted the
> system and it took forever to boot and once up there were problems
> connecting to some of our SAMBA shares. I checked the messages log
> <snip>

Did you remember to "updatedb" and then "locate rpmsave" or "locate rpmnew"? There are likely to be many that you need to compare and update.

> TIA
>
> Regards, Hugh
>

HTH
--
Bill
Craig White
2008-Feb-19 23:31 UTC
[CentOS] nss_ldap failed to bind to LDAP server 127.0.0.1
On Tue, 2008-02-19 at 14:09 -0800, Hugh E Cruickshank wrote:
> Hi All:
>
> Over the weekend I installed all the outstanding updates for our
> CentOS 4 based server. Since I had been holding off on these until
> I had addressed some disk space issues there were a large number
> (300+). I know, my bad! After installing the updates I rebooted the
> system and it took forever to boot and once up there were problems
> connecting to some of our SAMBA shares. I checked the messages log
> file and found a multitude of entries similar to:
>
> Feb 17 19:46:18 fisds0 named[23187]: nss_ldap: failed to bind to
> LDAP server 127.0.0.1: Can't contact LDAP server
> Feb 17 19:46:18 fisds0 named[23187]: nss_ldap: reconnecting to
> LDAP server...
>
> These were being reported for named, nscd, smbd, statd, rquotad, etc.
>
> I did some Google searching and found some references to the change of
> the default value for the "bind_policy" parameter in the "ldap.conf"
> file from "soft" to "hard". I added an explicit "bind_policy soft" to
> the "/etc/ldap.conf" file and that has improved things dramatically.
>
> However the errors are still being reported in the messages log file.
> The errors are valid as we do not have an LDAP server (on my list
> for a future project). What I am trying to figure out is why it is
> looking for one. I have done some additional Google searching but I
> have not found any definitive answers. From what I have seen I suspect
> that the problem lies with our /etc/nsswitch.conf file and that I
> need to change references to "file ldap" to just "files".
>
> I am loath to make such changes without something more definite than
> my personal suspicion. Can someone confirm that I am on the right track
> or, if not, point me in the right direction?
----
I have to use these in CentOS 5.x

    tail -n 4 /etc/ldap.conf
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    nss_initgroups_ignoreusers root,ldap

I don't know about quotad, nscd (I haven't been using them).

You shouldn't need to add anything for smbd, statd at all.

Craig
Scott Silva
2008-Feb-20 00:21 UTC
[CentOS] Re: nss_ldap failed to bind to LDAP server 127.0.0.1
on 2/19/2008 2:09 PM Hugh E Cruickshank spake the following:
> Hi All:
>
> Over the weekend I installed all the outstanding updates for our
> CentOS 4 based server. Since I had been holding off on these until
> I had addressed some disk space issues there were a large number
> (300+). I know, my bad! After installing the updates I rebooted the
> system and it took forever to boot and once up there were problems
> connecting to some of our SAMBA shares. I checked the messages log
> file and found a multitude of entries similar to:
>
> Feb 17 19:46:18 fisds0 named[23187]: nss_ldap: failed to bind to
> LDAP server 127.0.0.1: Can't contact LDAP server
> Feb 17 19:46:18 fisds0 named[23187]: nss_ldap: reconnecting to
> LDAP server...
>
> These were being reported for named, nscd, smbd, statd, rquotad, etc.
>
> I did some Google searching and found some references to the change of
> the default value for the "bind_policy" parameter in the "ldap.conf"
> file from "soft" to "hard". I added an explicit "bind_policy soft" to
> the "/etc/ldap.conf" file and that has improved things dramatically.
>
> However the errors are still being reported in the messages log file.
> The errors are valid as we do not have an LDAP server (on my list
> for a future project). What I am trying to figure out is why it is
> looking for one. I have done some additional Google searching but I
> have not found any definitive answers. From what I have seen I suspect
> that the problem lies with our /etc/nsswitch.conf file and that I
> need to change references to "file ldap" to just "files".
>
> I am loath to make such changes without something more definite than
> my personal suspicion. Can someone confirm that I am on the right track
> or, if not, point me in the right direction?
>
> TIA
>
> Regards, Hugh
>

As long as you have ldap entries in nsswitch.conf those services will attempt to look for ldap.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
Ross S. W. Walker
2008-Feb-20 01:22 UTC
[CentOS] nss_ldap failed to bind to LDAP server 127.0.0.1
A short-cut to disable ldap name service:

    # authconfig --kickstart --disableldap

And to disable ldap authentication:

    # authconfig --kickstart --disableldapauth

Now I believe it only does something if /etc/sysconfig/authconfig has these marked =YES, but if they are turned on there they will automatically be turned on again during the next reboot, so check there too.

-Ross

----- Original Message -----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Tue Feb 19 20:09:56 2008
Subject: RE: [CentOS] nss_ldap failed to bind to LDAP server 127.0.0.1

From: Stephen Harris Sent: February 19, 2008 16:56
>
> In other words you _had_ the right answer already!
>

Thanks muchly for the confirmation. I have made the necessary changes and I am just in the process of kicking people off so that I can reboot. I know the reboot may not be entirely required but it will ensure that all services have been restarted and now reflect the configuration changes.

Thanks again for your assistance.

Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
Hugh E Cruickshank
2008-Feb-20 01:52 UTC
[CentOS] nss_ldap failed to bind to LDAP server 127.0.0.1
From: Ross S. W. Walker Sent: February 19, 2008 17:22
>
> A short-cut to disable ldap name service:
>
> # authconfig --kickstart --disableldap
>
> And to disable ldap authentication:
>
> # authconfig --kickstart --disableldapauth
>
> Now I believe it only does something if /etc/sysconfig/authconfig
> has these marked =YES, but if they are turned on there they will
> automatically be turned on again during the next reboot, so check
> there too.

I will have a look at those but, for now, editing the nsswitch.conf file has taken care of the error messages.

Thanks for your input.

Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
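
The check this thread converges on (any ldap source left in /etc/nsswitch.conf makes services attempt an LDAP bind), as an added example that is not part of any poster's message: a shell sketch that lists the databases still pointing at LDAP and prints a proposed file with those sources removed. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and remove "ldap" sources in an nsswitch.conf-style file.

# Constructed sample input (not the poster's actual file).
sample_nsswitch() {
cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap [NOTFOUND=return] files
EOF
}

# Print each database (passwd, group, ...) whose source list contains ldap.
ldap_databases() {
    awk '{ sub(/#.*/, "") }                      # ignore comments
         $1 ~ /:$/ {
             for (i = 2; i <= NF; i++)
                 if ($i == "ldap") { sub(/:$/, "", $1); print $1; break }
         }' "$1"
}

# Print the file with every ldap source removed, together with any
# [STATUS=action] criteria that followed it. Comment and blank lines pass
# through unchanged; whitespace on database lines is normalised.
strip_ldap() {
    awk '/^[ \t]*#/ || $1 !~ /:$/ { print; next }
         {
             out = $1; skip = 0; inbr = 0
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) { for (; i <= NF; i++) out = out " " $i; break }
                 if ($i == "ldap") { skip = 1; continue }
                 if (skip && (inbr || $i ~ /^\[/)) { inbr = ($i !~ /\]$/); continue }
                 skip = 0
                 out = out " " $i
             }
             print out
         }' "$1"
}

# Demo on the constructed sample; point the functions at a copy of the real
# file to audit a host.
tmp=$(mktemp)
sample_nsswitch > "$tmp"
echo "Databases that query LDAP:"; ldap_databases "$tmp"
echo "Proposed file:";             strip_ldap "$tmp"
rm -f "$tmp"
```

Review the proposed output before installing it, in particular any database line left with no sources at all.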