MJD Shop Account
2007-Mar-08 00:03 UTC
[Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?
I'm having some odd ldap issues with connection or lack thereof to
ldap server when nsswitch.conf and pam.d/system-auth are configured to
use FDS ldap server.

I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update
4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host
names. I've noticed these issues:

    * If a machine is disconnected from the network, a login attempt
      as 'root' user (with local passwd file entry and password)
      fails. The system appears to accept the password, but sits for
      maybe a minute, then dumps you back to the login prompt. I've
      had to boot off rescue CD and shell in to remove 'ldap' from
      the /etc/nsswitch.conf file to get around this in some instances.

      My relevant /etc/ldap.conf entries are:
      passwd: files ldap
      shadow: files
      group: files ldap
      netgroup: files ldap

    * I noticed that any randomly chosen client has a few
      connections to the ldap server that persist. The connections
      are tied to processes that also should have local entries only
      in the local /etc/passwd files. Here's an example:
      # netstat -a | grep ldap
      tcp 38 0 clienthostname:32771 serverhostname:ldap CLOSE_WAIT
      # fuser 32771/tcp
      here: 32771
      32771/tcp: 3729
      # ps -ef | grep 3729 | grep -v grep
      ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
      #

    * I notice that doing a "netstat -a" on the server that most
      clients are using takes a long time. It spits out a bunch,
      then slows down when reporting the entries that are ESTABLISHED
      ldap connections:
      tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED
      I see that some clients have very many connections, I would
      expect just one or two. Here's one client that had a whole
      bunch, most disappeared before I could capture this bash shell
      command output. This output is for jobs associated with ports
      connecting to ldap server:
      # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | grep $j | grep -v grep; done; done
      xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv -daemon
      root 3138 3031 0 Feb20 ? 00:00:00 /usr/bin/gdm-binary bell-style none
      root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
      gdm 3430 3138 0 18:32 ? 00:00:00 /usr/bin/gdmgreeter
      root 2477 2617 0 18:22 ? 00:00:01 sshd: root@pts/0
      root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh

      I ran a similar command on a client computer where the user is
      running a lot of jobs, I got 53 lines of output. Basically
      every job is maintaining an ldap connection, I guess.

    * I think I need to configure something such that the
      nsswitch.conf entry tells it to stop if it finds the 'files'
      entry and not proceed to the 'ldap' entry. I thought this would
      happen by default.

    * I think the above problem is possibly leading to many more ldap
      connections than are necessary which in turn may be causing
      performance issues on the server, ALTHOUGH the cpu load and
      memory load does not appear inordinately heavy

    * I tried running nscd (for caching the info) once, it seemed to
      cause too many problems so I turned it off. I have tried
      something like implementing pam_ccache, I don't think it would
      help the too-many-connections, just the issue with no logins
      when off the net.

    * Here's my /etc/ldap.conf minus the usual comment lines, I'm
      doing anonymous binds. Maybe there's some keepalive flag that
      should be set or unset?:
      host server1 server2
      base dc=example,dc=com
      ldap_version 3
      scope sub
      bind_timelimit 10
      pam_lookup_policy yes
      pam_password exop
      nss_base_passwd ou=People,dc=example,dc=com?one
      nss_base_group ou=Group,dc=example,dc=com?one
      nss_base_services ou=Services,dc=example,dc=com?one
      nss_base_aliases ou=Aliases,dc=example,dc=com?one
      nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
      ssl start_tls
      tls_checkpeer yes
      tls_cacertfile /usr/share/ssl/certs/servercert.pem
      tls_ciphers TLSv1
      pam_password md5

Any suggestions on what I might be doing wrong are greatly appreciated!

-Marty
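The server-side complement of the netstat/fuser loop in the post above, as an added example that is not part of Marty's message: it groups connections on the directory port by remote host and TCP state, so the clients holding far more than "one or two" connections, and sockets stuck in CLOSE_WAIT, stand out at a glance. The sample netstat lines are constructed; the script name and the 389/636 port set are assumptions.

```python
"""
Per-client audit of LDAP connections from `netstat -an`-style output.

Added example, not from the thread. Meant to be run on the directory server
(`netstat -an | python3 ldap_conn_audit.py`; the file name is an assumption),
where the local port is the LDAP port and the remote host is the client.
"""
import re
import sys
from collections import Counter, defaultdict

# Ports treated as "the directory". Assumption: plain LDAP and LDAPS.
LDAP_PORTS = {"389", "636", "ldap", "ldaps"}

# Constructed sample in the column layout netstat prints on the server side.
SAMPLE = """\
tcp        0      0 10.0.0.5:389            10.0.1.20:35908         ESTABLISHED
tcp        0      0 10.0.0.5:389            10.0.1.20:35909         ESTABLISHED
tcp        0      0 10.0.0.5:389            10.0.1.20:35910         ESTABLISHED
tcp        0      0 10.0.0.5:389            10.0.1.21:32771         CLOSE_WAIT
tcp        0      0 10.0.0.5:389            10.0.1.22:40001         ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.1.22:40002         ESTABLISHED
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
"""

# proto recv-q send-q local:port remote:port state. The greedy \S+ before the
# last ':' keeps IPv6 addresses intact because only the final colon splits.
LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\S+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)"
)


def parse(text):
    """Yield (local_port, remote_host, remote_port, state) for each TCP line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["lport"], m["raddr"], m["rport"], m["state"]


def ldap_connections_by_client(text):
    """Count directory connections per remote host, broken down by TCP state."""
    counts = defaultdict(Counter)
    for lport, rhost, rport, state in parse(text):
        if state == "LISTEN":
            continue  # the listening socket has no client
        if lport in LDAP_PORTS or rport in LDAP_PORTS:
            counts[rhost][state] += 1
    return counts


def noisy_clients(text, threshold=2):
    """Remote hosts holding more than `threshold` ESTABLISHED LDAP connections."""
    counts = ldap_connections_by_client(text)
    return sorted(h for h, st in counts.items() if st["ESTABLISHED"] > threshold)


if __name__ == "__main__":
    # Read real netstat output from a pipe, fall back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for host, states in sorted(ldap_connections_by_client(text).items()):
        print(f"{host:20} {dict(states)}")
    print("over threshold:", noisy_clients(text))
```

Clients that show up with dozens of ESTABLISHED entries are the ones worth running the poster's fuser/ps loop on; a long tail of CLOSE_WAIT means the server has already closed those sessions and the client processes are simply holding the dead sockets open.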
George Holbert
2007-Mar-08 01:42 UTC
Re: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?
> If a machine is disconnected from the network, a login attempt as
> 'root' user (with local passwd file entry and password) fails.
> ...
> I think I need to configure something such that the nsswitch.conf
> entry tells it to stop if it finds the 'files' entry and not proceed
> to the 'ldap' entry. I thought this would happen by default.

At least for authentication, this behavior depends also on your PAM config. You need to make sure that the auth and account stacks will succeed for local accounts (e.g., root) without asking pam_ldap. What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients?

MJD Shop Account wrote:
> I'm having some odd ldap issues with connection or lack thereof to
> ldap server when nsswitch.conf and pam.d/system-auth are configured to
> use FDS ldap server.
>
> I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update
> 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host
> names. I've noticed these issues:
>
>     * If a machine is disconnected from the network, a login attempt
>       as 'root' user (with local passwd file entry and password)
>       fails. The system appears to accept the password, but sits for
>       maybe a minute, then dumps you back to the login prompt. I've
>       had to boot off rescue CD and shell in to remove 'ldap' from
>       the /etc/nsswitch.conf file to get around this in some instances.
>
>       My relevant /etc/ldap.conf entries are:
>       passwd: files ldap
>       shadow: files
>       group: files ldap
>       netgroup: files ldap
>
>     * I noticed that any randomly chosen client has a few
>       connections to the ldap server that persist. The connections
>       are tied to processes that also should have local entries only
>       in the local /etc/passwd files. Here's an example:
>       # netstat -a | grep ldap
>       tcp 38 0 clienthostname:32771 serverhostname:ldap
>       CLOSE_WAIT
>       # fuser 32771/tcp
>       here: 32771
>       32771/tcp: 3729
>       # ps -ef | grep 3729 | grep -v grep
>       ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp
>       -p /var/run/ntpd.pid -g
>       #
>
>     * I notice that doing a "netstat -a" on the server that most
>       clients are using takes a long time. It spits out a bunch,
>       then slows down when reporting the entries that are ESTABLISHED
>       ldap connections:
>       tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED
>       I see that some clients have very many connections, I would
>       expect just one or two. Here's one client that had a whole
>       bunch, most disappeared before I could capture this bash shell
>       command output. This output is for jobs associated with ports
>       connecting to ldap server:
>       # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" "
>       -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef |
>       grep $j | grep -v grep; done; done
>       xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv
>       -daemon
>       root 3138 3031 0 Feb20 ? 00:00:00
>       /usr/bin/gdm-binary bell-style none
>       root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X
>       :0 -auth /var/gdm/:0.Xauth vt7
>       gdm 3430 3138 0 18:32 ? 00:00:00 /usr/bin/gdmgreeter
>       root 2477 2617 0 18:22 ? 00:00:01 sshd: root@pts/0
>       root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh
>
>       I ran a similar command on a client computer where the user is
>       running a lot of jobs, I got 53 lines of output. Basically
>       every job is maintaining an ldap connection, I guess.
>
>     * I think I need to configure something such that the
>       nsswitch.conf entry tells it to stop if it finds the 'files'
>       entry and not proceed to the 'ldap' entry. I thought this would
>       happen by default.
>
>     * I think the above problem is possibly leading to many more ldap
>       connections than are necessary which in turn may be causing
>       performance issues on the server, ALTHOUGH the cpu load and
>       memory load does not appear inordinately heavy
>
>     * I tried running nscd (for caching the info) once, it seemed to
>       cause too many problems so I turned it off. I have tried
>       something like implementing pam_ccache, I don't think it would
>       help the too-many-connections, just the issue with no logins
>       when off the net.
>
>     * Here's my /etc/ldap.conf minus the usual comment lines, I'm
>       doing anonymous binds. Maybe there's some keepalive flag that
>       should be set or unset?:
>       host server1 server2
>       base dc=example,dc=com
>       ldap_version 3
>       scope sub
>       bind_timelimit 10
>       pam_lookup_policy yes
>       pam_password exop
>       nss_base_passwd ou=People,dc=example,dc=com?one
>       nss_base_group ou=Group,dc=example,dc=com?one
>       nss_base_services ou=Services,dc=example,dc=com?one
>       nss_base_aliases ou=Aliases,dc=example,dc=com?one
>       nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>       ssl start_tls
>       tls_checkpeer yes
>       tls_cacertfile /usr/share/ssl/certs/servercert.pem
>       tls_ciphers TLSv1
>       pam_password md5
>
> Any suggestions on what I might be doing wrong are greatly appreciated!
>
> -Marty
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
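To make George's point concrete, here is an added example (not code from the thread, from Linux-PAM or from authconfig): a small Python simulation of the Linux-PAM dispatch rules (required/requisite/sufficient/optional and the bracketed `[value=action ...]` form) run over two account stacks. Both stacks are assumptions, since Marty has not yet posted his system-auth: the first reproduces his symptom (local password accepted, then a long pause, then the login is refused) by making pam_ldap `required`; the second is modelled on the layout RHEL's authconfig generates, where `pam_succeed_if.so uid < 100` accepts system accounts before pam_ldap is ever consulted. Time costs are constructed: an unreachable pam_ldap is charged `bind_timelimit` (10 s, from the posted ldap.conf) per configured host (2 hosts); the real delay also depends on nss_ldap retry settings.

```python
"""
Toy Linux-PAM stack evaluator, added to show why the account stack must
succeed for local users without reaching pam_ldap. Only the account facility
is simulated; an auth stack with `sufficient pam_unix.so` ahead of pam_ldap
passes root the same way. Stacks, users and timings below are constructed.
"""

SUCCESS, USER_UNKNOWN, AUTHINFO_UNAVAIL, AUTH_ERR, PERM_DENIED = (
    "success", "user_unknown", "authinfo_unavail", "auth_err", "perm_denied")

# Keyword control flags written as the [value=action] tables they stand for.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


class World:
    """Simulated hosts: local /etc/passwd, the directory, and whether it is up."""

    def __init__(self, local, ldap, ldap_up, hosts=2, bind_timelimit=10):
        self.local, self.ldap, self.ldap_up = local, ldap, ldap_up
        # Constructed cost of a failed bind against every configured host.
        self.ldap_cost = 0 if ldap_up else hosts * bind_timelimit  # seconds

    def getpwnam(self, user):
        """nsswitch 'passwd: files ldap': a hit in files ends the lookup."""
        if user in self.local:
            return self.local[user], 0
        if self.ldap_up and user in self.ldap:
            return self.ldap[user], 0
        return None, self.ldap_cost


def pam_unix(world, user, args):
    pw, cost = world.getpwnam(user)
    return (SUCCESS if pw is not None else USER_UNKNOWN), cost


def pam_succeed_if(world, user, args):
    """Only the 'uid < N' test is modelled (args: 'uid < 100 quiet')."""
    pw, cost = world.getpwnam(user)
    if pw is None:
        return USER_UNKNOWN, cost
    return (SUCCESS if pw["uid"] < int(args.split()[2]) else AUTH_ERR), cost


def pam_ldap(world, user, args):
    if not world.ldap_up:
        return AUTHINFO_UNAVAIL, world.ldap_cost  # hangs, then gives up
    return (SUCCESS if user in world.ldap else USER_UNKNOWN), 0


MODULES = {"pam_unix.so": pam_unix, "pam_succeed_if.so": pam_succeed_if,
           "pam_ldap.so": pam_ldap,
           "pam_permit.so": lambda w, u, a: (SUCCESS, 0),
           "pam_deny.so": lambda w, u, a: (PERM_DENIED, 0)}


def parse_control(token):
    """'required' -> table; '[success=ok default=bad ...]' -> table."""
    if token in KEYWORDS:
        return KEYWORDS[token]
    return dict(p.split("=") for p in token.strip("[]").split())


def parse_stack(text):
    """Parse 'control module args' lines for one facility of system-auth."""
    stack = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("["):
            control, rest = line.split("]", 1)
            control += "]"
        else:
            control, rest = line.split(None, 1)
        module, _, args = rest.strip().partition(" ")
        stack.append((parse_control(control), module, args.strip()))
    return stack


def run_stack(stack, world, user):
    """Apply Linux-PAM dispatch rules. Returns (final_status, seconds_spent)."""
    status, negative, elapsed = None, False, 0
    for control, module, args in stack:
        rc, cost = MODULES[module](world, user, args)
        elapsed += cost
        action = control.get(rc, control["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not negative:            # the first failure decides the result
                status, negative = rc, True
            if action == "die":
                break
        elif action in ("ok", "done"):
            if not negative:
                status = rc
            if action == "done" and not negative:
                break                   # sufficient: stop here, skip the rest
    return (status if status is not None else PERM_DENIED), elapsed


# Reproduces the symptom: root passes pam_unix, then the required pam_ldap
# blocks until the bind times out and the login is refused.
ACCOUNT_NAIVE = """
required pam_unix.so
required pam_ldap.so
"""

# Modelled on RHEL authconfig output: uid < 100 accounts are accepted by
# pam_succeed_if before pam_ldap runs; an unknown directory user is ignored.
ACCOUNT_FIXED = """
required pam_unix.so broken_shadow
sufficient pam_succeed_if.so uid < 100 quiet
[default=bad success=ok user_unknown=ignore] pam_ldap.so
required pam_permit.so
"""


def login_outcome(stack_text, user, ldap_up):
    """Run one account stack for `user` against a constructed two-user world."""
    world = World(local={"root": {"uid": 0}}, ldap={"alice": {"uid": 5000}},
                  ldap_up=ldap_up)
    return run_stack(parse_stack(stack_text), world, user)


if __name__ == "__main__":
    for name, stack in (("naive", ACCOUNT_NAIVE), ("fixed", ACCOUNT_FIXED)):
        for user, up in (("root", False), ("alice", True)):
            print(name, user, "ldap_up=%s" % up, login_outcome(stack, user, up))
```

The simulation is deliberately literal about the dispatch rules: a `sufficient` success returns immediately only if no earlier `required` module has failed, and the first `bad` result is the one the application sees, which is why moving `pam_succeed_if.so` ahead of `pam_ldap.so` changes the outcome for root without changing anything for directory users.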