Hi,

I installed the puppet server on a CentOS 5 box a while back. That box is configured to authenticate users based on data stored in our OpenLDAP server. Today I rebooted the box and found that puppetmasterd wasn't able to start because the LDAP server went down due to a recent power outage.

I checked the configuration settings of the puppet server in the /etc/puppet folder and didn't find anything that would make the puppet server aware of our LDAP server.

In our logs, I saw the following:

2011-07-19T18:07:30-05:00 <daemon.info> puppet puppetmasterd[1292]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
2011-07-19T18:07:34-05:00 <daemon.info> puppet puppetmasterd[1292]: nss_ldap: reconnected to LDAP server ldap://ldap.xxxx.com after 2 attempts

So how can the puppet server be aware of the LDAP server anyway? How can I disable it? Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
This would likely have very little to do with puppet. If you've configured your /etc/nsswitch.conf file to look at ldap, then an ldap lookup will be made every time something user related happens. This includes launching a daemon like puppet.

If you are not already doing so, you may want to run nscd to cache these lookups.

--
Greg

On Tue, Jul 19, 2011 at 4:29 PM, ychen <yungwei@resolvity.com> wrote:
> So how can the puppet server be aware of the LDAP server anyway? How
> can I disable it? Thanks.
On Jul 19, 2011, at 4:29 PM, ychen wrote:
> So how can the puppet server be aware of the LDAP server anyway? How
> can I disable it? Thanks.

Probably, Puppet isn't directly aware of your LDAP server. It is however using standard NSS lookup system calls, which refer to ldap in /etc/nsswitch.conf, and so is trying to reach LDAP for queries on passwd, group, or host lookups (or one of the other NSS DBs, but those are most common).

You can also reduce the timeouts for how long NSS tries LDAP if puppet is giving up on some system call because it's taking too long. Or it's not timing out (well, NSS would be giving up on LDAP; not a timeout of Puppet waiting for NSS), and it's actually the failure of NSS to reach LDAP that is causing the issue (like if Puppet is trying to switch to run as a user who is stored in LDAP).

You should get a redundant LDAP setup as well as monitor whether your authentication system is up. Or keep LDAP off certain critical servers, like the LDAP boxes themselves, administrative jump-hosts, or your Puppet server. Oh, and don't forget to be running nscd (though that won't help you on system boot).

Eric
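As an added illustration of what Greg and Eric describe above (this is not code from the thread, from Puppet, or from nss_ldap): a POSIX shell script that lists which NSS databases in nsswitch.conf fall through to ldap, and reads the nss_ldap options in /etc/ldap.conf (nss_ldap's configuration file on CentOS 5) that decide whether a daemon's start-up blocks on an unreachable LDAP server. The sample nsswitch.conf and the two ldap.conf variants are constructed for the demo; ldap.example.com and the `puppet` local account named in the hardened file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find which NSS databases fall through
# to nss_ldap, and which /etc/ldap.conf settings decide whether a daemon's
# start-up blocks on an unreachable LDAP server. The sample files below are
# constructed for the demo; on CentOS 5 the real files are /etc/nsswitch.conf
# and /etc/ldap.conf (nss_ldap's configuration).

# List the NSS databases in the nsswitch.conf at $1 whose source list
# includes "ldap". Any daemon that resolves a user, group or host name
# through one of these triggers the nss_ldap reconnect loop seen in the
# log when the LDAP server is down.
nss_ldap_dbs() {
    sed 's/#.*//' "$1" | awk -F: '
        NF >= 2 {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "ldap") { db = $1; gsub(/[ \t]/, "", db); print db; break }
        }'
}

# Print the value of nss_ldap option $2 in the ldap.conf at $1, or "unset".
ldap_conf_get() {
    val=$(sed 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2 }' | tail -n 1)
    echo "${val:-unset}"
}

# Report the nss_ldap settings that govern how long a lookup can hang:
#   bind_policy                  hard (the default) retries with backoff;
#                                soft fails fast
#   bind_timelimit / timelimit   seconds before a connect / search gives up
#   nss_reconnect_tries          retries before nss_ldap returns an error
#   nss_initgroups_ignoreusers   local accounts whose group lookups never
#                                go to LDAP (e.g. the account a daemon
#                                switches to at start-up)
ldap_conf_report() {
    for key in bind_policy bind_timelimit timelimit nss_reconnect_tries \
               nss_initgroups_ignoreusers; do
        printf '%-28s %s\n' "$key" "$(ldap_conf_get "$1" "$key")"
    done
}

# --- constructed sample files -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NSS=$SAMPLE_DIR/nsswitch.conf
SAMPLE_LDAP_WEAK=$SAMPLE_DIR/ldap.conf.weak
SAMPLE_LDAP_HARD=$SAMPLE_DIR/ldap.conf.hardened

cat >"$SAMPLE_NSS" <<'EOF'
# constructed: a typical nsswitch.conf after LDAP has been enabled
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap   # trailing comment
automount:  files
EOF

cat >"$SAMPLE_LDAP_WEAK" <<'EOF'
# constructed: server set, everything else left at nss_ldap defaults
uri ldap://ldap.example.com
base dc=example,dc=com
EOF

cat >"$SAMPLE_LDAP_HARD" <<'EOF'
# constructed: fail fast so a down LDAP server cannot hold up local daemons
uri ldap://ldap.example.com
base dc=example,dc=com
bind_policy soft
bind_timelimit 5
timelimit 10
nss_reconnect_tries 1
nss_initgroups_ignoreusers root,puppet
EOF

echo "NSS databases consulting LDAP:"; nss_ldap_dbs "$SAMPLE_NSS"
echo; echo "weak ldap.conf:"; ldap_conf_report "$SAMPLE_LDAP_WEAK"
echo; echo "hardened ldap.conf:"; ldap_conf_report "$SAMPLE_LDAP_HARD"
```

With `bind_policy soft` a lookup returns an error as soon as the server is unreachable instead of retrying with the growing sleep the log shows, so a daemon whose own account is in /etc/passwd can still start; listing that local account in `nss_initgroups_ignoreusers` keeps its group enumeration at privilege drop from going to LDAP at all. Neither replaces the redundant LDAP servers Eric recommends, and nscd only helps once its cache is warm, which is why it does nothing for the first lookups after a reboot.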
On Jul 19, 2011, at 7:58 PM, Eric Searcy wrote:
> You should get a redundant LDAP setup as well as monitor whether your authentication system is up.

Absolutely. You can't imagine the number of things that will break if LDAP goes away.

--
Rob McBroom <http://www.skurfer.com/>