patrick.morris@hp.com
2009-Dec-30 23:00 UTC
Re: [389-users] nscd: nss_ldap: could not search LDAP server - Server is unavailable
Prashanth Sundaram wrote:
> I have two 389-ds servers with MMR via TLS and client hosts
> authenticating via TLS. I see this error message in all client machines
> in /var/log/messages. It seems nscd is failing at random intervals. Has
> anyone seen this before?
>
> Dec 29 10:35:35 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
> Dec 29 11:00:21 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
> Dec 29 11:12:15 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable

Sure. It can be caused by several things: intermittent connectivity issues, server malfunctions (the server log's a good place to look for those), and several other possibilities.

It could also be caused by problems with nss_ldap itself, especially given the ldap.conf you've provided. What version are you running, and on which platform?
Prashanth Sundaram
2009-Dec-31 18:38 UTC
Re: [389-users] nscd: nss_ldap: could not search LDAP server - Server is unavailable
Thanks Pat

Both clients and ldap servers are running on Centos x86_64 5.4
nss_ldap-253-22.el5_4
nscd-2.5-42.el5_4.2

/etc/ldap.conf

bind_policy soft
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_filter objectclass=posixAccount
base dc=fds,dc=com
pam_member_attribute uniquemember
uri ldap://ldap.fds.com:389/
tls_checkpeer yes
ssl start_tls
tls_cacertdir /etc/pki/tls/certs/
pam_password md5
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt

Server logs do not say much other than errors/audit/access.

It looks like bind_policy soft results in the "Server is Unavailable" message. By changing to bind_policy hard, I get "nscd: nss_ldap: reconnected to LDAP server ldap://ldap.fds.com/ after 1 attempt". So that means the ldap connection times out at random intervals >1800 seconds. I found that there is a bug in

What is an appropriate timelimit for search/bind/idle? To give some idea, we roughly have ~300 users and 600 servers. Is there a timeout setting in 389-ds?

A bug in a previous version of nscd: https://bugzilla.redhat.com/show_bug.cgi?id=429702

-P

On 12/30/09 6:00 PM, "patrick.morris@hp.com" <patrick.morris@hp.com> wrote:
> Prashanth Sundaram wrote:
>
>> I have two 389-ds servers with MMR via TLS and client hosts
>> authenticating via TLS. I see this error message in all client machines
>> in /var/log/messages. It seems nscd is failing at random intervals. Has
>> anyone seen this before?
>
>> Dec 29 10:35:35 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 29 11:00:21 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 29 11:12:15 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>
> Sure. It can be caused by several things: intermittent connectivity
> issues, server malfunctions (the server log's a good place to look for
> those), and several other possibilities.
>
> It could also be caused by problems with nss_ldap itself, especially
> given the ldap.conf you've provided. What version are you running,
> and on which platform?
Prashanth Sundaram
2010-Jan-04 16:12 UTC
Re: [389-users] nscd: nss_ldap: could not search LDAP server - Server is unavailable
Patrick,

I am still unable to figure out what is the cause for the clients to time out on the LDAP connection. Is there any performance tuning that I am unaware of?

What is an appropriate timelimit for search/bind/idle? To give some idea, we roughly have ~300 users and 600 servers. Is there a timeout setting in 389-ds?

Thanks,
Prashanth

On 12/30/09 6:00 PM, "patrick.morris@hp.com" <patrick.morris@hp.com> wrote:
> Prashanth Sundaram wrote:
>
>> I have two 389-ds servers with MMR via TLS and client hosts
>> authenticating via TLS. I see this error message in all client machines
>> in /var/log/messages. It seems nscd is failing at random intervals. Has
>> anyone seen this before?
>
>> Dec 29 10:35:35 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 29 11:00:21 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 29 11:12:15 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>
> Sure. It can be caused by several things: intermittent connectivity
> issues, server malfunctions (the server log's a good place to look for
> those), and several other possibilities.
>
> It could also be caused by problems with nss_ldap itself, especially
> given the ldap.conf you've provided. What version are you running,
> and on which platform?
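
The nss_ldap lines quoted in this thread can be turned into measured intervals between failures per client, for comparison with the timelimit values in /etc/ldap.conf. This is an added example, not part of the original thread: the function names, the year default (syslog omits the year) and the timestamp on the sample "reconnected" line are assumptions.

```python
import re
from datetime import datetime

# The two nss_ldap messages quoted in the thread, as logged by nscd via syslog.
EVENT_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) nscd: nss_ldap: "
    r"(?P<msg>could not search LDAP server - Server is unavailable"
    r"|reconnected to LDAP server \S+ after \d+ attempts?)"
)

# First three lines are from the thread; the last line's timestamp is constructed.
SAMPLE = [
    "Dec 29 10:35:35 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable",
    "Dec 29 11:00:21 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable",
    "Dec 29 11:12:15 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable",
    "Dec 29 11:12:16 dmc189 nscd: nss_ldap: reconnected to LDAP server ldap://ldap.fds.com/ after 1 attempt",
]

def parse_events(lines, year=2009):
    """Return (timestamp, host, kind) for every nss_ldap line; other lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        kind = "unavailable" if m["msg"].startswith("could not") else "reconnected"
        events.append((ts, m["host"], kind))
    return events

def failure_gaps(events):
    """Seconds between consecutive 'unavailable' events, grouped by host."""
    gaps, last = {}, {}
    for ts, host, kind in sorted(events):
        if kind != "unavailable":
            continue
        if host in last:
            gaps.setdefault(host, []).append(int((ts - last[host]).total_seconds()))
        last[host] = ts
    return gaps

if __name__ == "__main__":
    for host, gaps in failure_gaps(parse_events(SAMPLE)).items():
        print(host, "seconds between failures:", gaps)
```

Run over /var/log/messages from several clients, the per-host gaps show whether failures line up with a fixed timer or are scattered.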