On Nov 7, 2011, at 4:18 PM, Raymond wrote:
> I have installed and configured the puppet client nodes to use LDAP to
> authenticate users.
> LDAP connection is OK and user can be authenticated via LDAP.
> I use nscd and with my ldap config setting specify on /etc/ldap.conf
>
> However, puppet is not happy; and in the /var/log/messages it gives
> tons of
>
> puppet-agent[27499]: nss_ldap: could not search LDAP server
> puppet-agent[27499]: nss_ldap: reconnecting to LDAP server
>
> I guess LDAP server connection is slow or timeout, but could we
> configure puppet client NOT to use LDAP specify on nsswitch.conf
>
> I search previous post; and somebody suggests to fix LDAP locally. I
> think that is the ideal way; but if I don't have control on LDAP.
> Give up Puppet or LDAP?
>
> I think should have way to configure puppet not to use the host
> setting set on nsswitch.conf.
> /etc/sysconfig/puppet or /etc/puppet/puppet.conf <--- anywhere we
> can tell puppet to use alternative auth way other than the default
> system /etc/nsswitch.conf
----
First of all, it's just a log entry that isn't necessarily a
problem but indicates that perhaps some LDAP reconfiguration is probably a good
idea.
Doesn't puppet-agent use root? Why is puppet-agent looking to LDAP for
root user credentials?
You probably should be looking at (or adding) these types of entries in
/etc/ldap.conf
timelimit 10
bind_timelimit 4
bind_policy soft
nss_initgroups_ignoreusers \
openldap,bind,named,ldap,backup,bin,daemon,games,gnats,\
irc,landscape,libuuid,list,lp,mail,man,news,openldap,proxy,\
root,sshd,sync,sys,syslog,uucp,www-data
though you should check the man pages and test for your optimal settings and the
nss_initgroups_ignoreusers list I am presenting is sort of a hybrid
ubuntu/centos list and your list of 'local' (not LDAP) users
would likely be different.
Also FWIW, I have always found nscd to be a bit painful and perhaps you can get
better utility from nslcd if it's available for your distribution.
nsswitch.conf is an all or none proposition.
Craig
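
Added example (not part of the original thread): a shell sketch that builds the nss_initgroups_ignoreusers line from a host's own passwd file instead of a copied list, and reports which of the settings suggested in the reply are absent from an ldap.conf. The function names and the uid_min cutoff for "system account" are assumptions; the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from puppet or nss_ldap.

# Print an nss_initgroups_ignoreusers line naming every account in a
# passwd-format file whose UID is below uid_min (i.e. local system accounts).
ignoreusers_line() {
    passwd_file=$1
    uid_min=${2:-500}   # assumption: 500 on older RHEL/CentOS, 1000 on Debian/Ubuntu
    awk -F: -v min="$uid_min" '
        /^[#+-]/ || NF < 7 { next }   # skip comments, NIS compat entries, short lines
        $3 ~ /^[0-9]+$/ && $3 < min && !seen[$1]++ {
            names = names (names ? "," : "") $1
        }
        END { if (names) print "nss_initgroups_ignoreusers " names }
    ' "$passwd_file"
}

# Print each setting from the reply that has no active (uncommented) line
# in the given ldap.conf-format file. Returns 1 if anything is missing.
missing_settings() {
    conf=$1
    rc=0
    for key in timelimit bind_timelimit bind_policy nss_initgroups_ignoreusers; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]+[^[:space:]]" "$conf"; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh thisfile.sh /etc/passwd /etc/ldap.conf [uid_min]
if [ $# -ge 2 ]; then
    ignoreusers_line "$1" "${3:-500}"
    missing_settings "$2" | sed 's/^/missing from ldap.conf: /'
else
    # No arguments: run on a constructed sample passwd (not from the thread).
    ignoreusers_line - 500 <<'EOF'
root:x:0:0:root:/root:/bin/bash
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
localadmin:x:1001:1001::/home/localadmin:/bin/bash
EOF
fi
```

Review the generated list before pasting it into /etc/ldap.conf: any local account that should still pick up LDAP group memberships must be left out of it.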