nslcd ldap_result failed error spam in syslog

Bug #1074213 reported by hgraham
This bug affects 1 person
Affects: nss-pam-ldapd (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

We switched over to nslcd for our ldap name service caching daemon from nscd and have been inundated with syslog errors when users try to authenticate against ldap on our workstations.

ldap authentication is working fine and has been for a while, I am just trying to quell the errors.
Here is an example error from /var/log/syslog:

Nov 1 20:32:03 CSEESYSTEMS09 nslcd[24227]: [b8bb37] <authz="hgraham"> ldap_result() failed: Can't contact LDAP server

------------------------------

When I restart the nslcd daemon the errors stop for a period but then start back up, which leads me to believe it is a timeout issue. I am attempting to test using the 'idle_timelimit' option with a value of '100' and it seems to be working.

My guess is that the ldap server may be closing the connection and that setting the 'idle_timelimit' on a client is a workaround that closes the client side connection before the server does.

I'm figuring this is a bug based on a similar upstream Debian bug that was resolved (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483795) and also a couple of other internet sources. I dug through the changelog of nss-pam-ldapd and I found that the changes posted in the Debian bug report are in the package, but I'm still receiving errors.

----------------------------
We are currently running Ubuntu 12.04.1 LTS

nslcd 0.8.4ubuntu0.2

nslcd.conf file contents
---------------------------
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldapconsumer

# The search base that will be used for all queries.
base dc=edu

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: nslcd 0.8.4ubuntu0.2
ProcVersionSignature: Ubuntu 3.2.0-31.50-generic 3.2.28
Uname: Linux 3.2.0-31-generic x86_64
ApportVersion: 2.0.1-0ubuntu13
Architecture: amd64
Date: Thu Nov 1 21:27:08 2012
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nss-pam-ldapd
UpgradeStatus: No upgrade log present (probably fresh install)

Arthur de Jong (adejong) wrote :

Just to be clear: nslcd is not a replacement for nscd. It does not do caching.

The "Can't contact LDAP server" messages can happen when an existing connection to the LDAP server is terminated for some reason. One common cause for this is networking timeouts in a firewall or an idle timeout in the LDAP server.

Using idle_timeout is a good approach to close the connection cleanly before it times out.

Debian bug #483795 is about another message that was logged when (re)connecting to the LDAP server (the "connected to LDAP server" messages). These messages should now only be logged when the previous connection failed.
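The distinction drawn above (a dropped idle connection that nslcd simply re-establishes, versus a server that is genuinely unreachable) is worth checking in the logs before tuning idle_timelimit, because the second case is an authentication availability problem rather than log noise. The following script is an added example and is not part of this bug report or of nss-pam-ldapd; it parses syslog lines in the format quoted in the report and classifies each "Can't contact LDAP server" error by whether a "connected to LDAP server" line for the same nslcd request id follows it. The sample lines, request ids and user names are constructed for the example, and the pairing by request id is a heuristic, not an nslcd guarantee.

```python
"""Triage nslcd "ldap_result() failed: Can't contact LDAP server" syslog lines.

Added example (not from the bug report or from nss-pam-ldapd). Errors that are
followed by a reconnect for the same request id are treated as dropped idle
connections (the case idle_timelimit addresses); errors with no reconnect are
flagged for investigation of the server or network path.
"""
import re
from collections import Counter

# Constructed sample lines in the format quoted in the report; not real logs.
SAMPLE_SYSLOG = """\
Nov  1 20:32:03 CSEESYSTEMS09 nslcd[24227]: [b8bb37] <authz="hgraham"> ldap_result() failed: Can't contact LDAP server
Nov  1 20:32:03 CSEESYSTEMS09 nslcd[24227]: [b8bb37] <authz="hgraham"> connected to LDAP server ldap://ldapconsumer
Nov  1 21:10:44 CSEESYSTEMS09 nslcd[24227]: [1a2b3c] <authz="alice"> ldap_result() failed: Can't contact LDAP server
Nov  1 21:10:44 CSEESYSTEMS09 nslcd[24227]: [1a2b3c] <authz="alice"> connected to LDAP server ldap://ldapconsumer
Nov  1 21:10:50 CSEESYSTEMS09 nslcd[24227]: [4d5e6f] <authz="alice"> ldap_result() failed: Can't contact LDAP server
Nov  1 21:10:51 CSEESYSTEMS09 nslcd[24227]: [7a8b9c] <authz="bob"> ldap_result() failed: Can't contact LDAP server
"""

# timestamp, host, "nslcd[pid]:", "[request id]", optional <context>, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"nslcd\[(?P<pid>\d+)\]: \[(?P<req>[0-9a-f]+)\] "
    r"(?:<(?P<ctx>[^>]*)> )?(?P<msg>.*)$"
)
CONTACT_FAILED = "ldap_result() failed: Can't contact LDAP server"
RECONNECTED = "connected to LDAP server"


def parse_line(line):
    """Return a dict of fields for an nslcd syslog line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # The <authz="user"> context names the user whose lookup hit the error.
    ctx = event.pop("ctx") or ""
    user = re.search(r'authz="([^"]*)"', ctx)
    event["user"] = user.group(1) if user else None
    return event


def parse_syslog(text):
    """Parse every nslcd line in a block of syslog text, skipping the rest."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def triage(events):
    """Split contact failures into 'recovered' (a reconnect was logged for the
    same pid and request id) and 'unrecovered' (no reconnect seen)."""
    reconnected = {
        (e["pid"], e["req"]) for e in events if e["msg"].startswith(RECONNECTED)
    }
    recovered, unrecovered = [], []
    for e in events:
        if e["msg"] != CONTACT_FAILED:
            continue
        bucket = recovered if (e["pid"], e["req"]) in reconnected else unrecovered
        bucket.append(e)
    return {"recovered": recovered, "unrecovered": unrecovered}


def errors_by_user(events):
    """Count contact failures per authz user, to spot whether one account or
    many are affected."""
    return Counter(e["user"] for e in events if e["msg"] == CONTACT_FAILED)


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    result = triage(evs)
    print(len(result["recovered"]), "errors recovered by an immediate reconnect")
    print(len(result["unrecovered"]), "errors with no reconnect (check server/network)")
    print(dict(errors_by_user(evs)))
```

Run it against a copy of /var/log/syslog by replacing SAMPLE_SYSLOG with the file contents; a steady stream of recovered errors matches the dropped-idle-connection explanation given above, while unrecovered errors clustered in time point at the LDAP server or the path to it rather than at idle_timelimit.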

hgraham (hgraham) wrote :

OK that makes sense, thanks for the response.

The idle_timeout is working perfectly, so this can be closed out.

Changed in nss-pam-ldapd (Ubuntu):
status: New → Invalid