Using [Open]LDAP for authentication

Dominique Goncalves dominique.goncalves at gmail.com
Fri Jan 20 10:14:49 PST 2006


On 1/20/06, Dan Nelson <dnelson at allantgroup.com> wrote:
> In the last episode (Jan 20), Dominique Goncalves said:
> > On 1/20/06, Daniel O'Connor <doconnor at gsoft.com.au> wrote:
> > > I use OpenLDAP for authentication in conjunction with nss_ldap and
> > > pam_ldap (and samba). I use the RCORDER port option so it put the
> > > startup file in /etc/rc.d.
> > >
> > > In 5.4 this worked fine - it started up correctly and in the right
> > > place. However I upgraded to 6.0-STABLE (11/12/05) and when I ran
> > > mergemaster I accidentally told it to delete the rc.d file (doh..)
> > > I then upgraded to a slightly later version of openldap (a newer
> > > version of openldap23-server).
> > >
> > > The problem now is that OpenLDAP appears to start very late, since
> > > lots of things need to do nss_ldap lookups it means bootup is very
> > > glacial as they timeout.
> >
> > I've reported recently a problem with the same symptoms [1] but I use
> > this order in my nsswitch.conf "files ldap".
> >
> > All examples I found on the internet use this order. And if I understand
> > correctly, this order means that if a user is not found in files then it
> > tries ldap?
> >
> > [1] http://lists.freebsd.org/pipermail/freebsd-questions/2006-January/110581.html
>
> For the username lookup itself this is true, but to determine which
> groups that user is a member of, it needs to fetch the entire group
> list. That's probably the cause of your hang.  Compare "id -u root"
> (just looks up userid) with "id root" (looks up userid and group
> memberships).
>
> In any case, I can't think of any reason why ldap queries would timeout
> or hang, though.  Either nss_ldap can connect to the remote ldap
> service, or it can't, and if it can't it should realize this
> immediately (unless your routes are messed up).  Unfortunately, truss
> doesn't tell you what syscall a process is waiting on when you ^C it;
> try ktrace or strace and see if it gives you any more info.

I've updated my system with FreeBSD 6.0-STABLE #0: Thu Jan 19 21:51:24 CET 2006
but the hang is still here.

Here are the results of the command "id" run under "strace" in single-user mode:

strace with ldap in nsswitch.conf:
http://djdomics.free.fr/FreeBSD/strace-nss-w-ldap.txt
strace without ldap in nsswitch.conf:
http://djdomics.free.fr/FreeBSD/strace-nss-wo-ldap.txt

In the strace output with ldap enabled in nsswitch.conf, I see that
FreeBSD tries to query the ldap server, and of course it can't
connect because it is not yet started.


> --
>         Dan Nelson
>         dnelson at allantgroup.com
>

Regards.

--
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."
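The point Dan makes above (with "files ldap", a plain uid lookup such as "id -u root" never leaves /etc/passwd, but "id root" must scan every group table, including the LDAP one, to find memberships) can be modelled in a few lines. The following is an added example, not code from this thread or from nss_ldap: the "files" and "ldap" backends are in-memory dictionaries holding constructed sample entries, and the 30-second connect timeout is an assumed figure, not a measured one. It reports how often each lookup style touches the LDAP source and how much time is lost when slapd is not running yet.

```python
"""Toy model of nsswitch.conf resolution order ('passwd: files ldap',
'group: files ldap') showing which lookups touch the LDAP source.

Added example, not code from the original thread. The 'files' and 'ldap'
backends are in-memory dictionaries with constructed sample data, and the
LDAP connect timeout is an assumed number, not a measured one.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

User = Tuple[int, int]            # (uid, primary gid)
Group = Tuple[int, List[str]]     # (gid, member names)


class LdapUnreachable(Exception):
    """Raised when the LDAP backend cannot connect (e.g. slapd not started)."""


@dataclass
class FilesSource:
    """Stand-in for /etc/passwd and /etc/group lookups."""
    users: Dict[str, User]
    groups: Dict[str, Group]

    def getpwnam(self, name: str) -> Optional[User]:
        return self.users.get(name)

    def getgrent(self):
        return list(self.groups.items())


@dataclass
class LdapSource:
    """Stand-in for nss_ldap: every call first needs a connection."""
    users: Dict[str, User]
    groups: Dict[str, Group]
    reachable: bool = True
    connect_timeout: float = 30.0   # assumed value, in seconds
    contacts: int = 0
    seconds_wasted: float = 0.0

    def _connect(self) -> None:
        self.contacts += 1
        if not self.reachable:
            self.seconds_wasted += self.connect_timeout
            raise LdapUnreachable("slapd not started yet")

    def getpwnam(self, name: str) -> Optional[User]:
        self._connect()
        return self.users.get(name)

    def getgrent(self):
        self._connect()
        return list(self.groups.items())


def getpwnam(sources, name: str) -> Optional[User]:
    """'id -u'-style lookup: walk sources in nsswitch order, stop at first hit."""
    for src in sources:
        try:
            entry = src.getpwnam(name)
        except LdapUnreachable:
            continue                # unreachable source counts as 'not found'
        if entry is not None:
            return entry
    return None


def getgrouplist(sources, name: str, primary_gid: int) -> List[int]:
    """'id'-style lookup: every source's whole group table is scanned,
    because membership is only visible in each group's member list."""
    gids = {primary_gid}
    for src in sources:
        try:
            for _gname, (gid, members) in src.getgrent():
                if name in members:
                    gids.add(gid)
        except LdapUnreachable:
            continue
    return sorted(gids)


def simulate(ldap_reachable: bool) -> dict:
    """Run both lookups for a user that exists in files and report what the
    LDAP source saw. All entries below are constructed sample data."""
    files = FilesSource(users={"root": (0, 0)},
                        groups={"wheel": (0, ["root"]), "operator": (5, ["root"])})
    ldap = LdapSource(users={"alice": (10001, 10001)},
                      groups={"admins": (20000, ["root", "alice"])},
                      reachable=ldap_reachable)
    order = [files, ldap]           # nsswitch.conf: "files ldap"

    uid = getpwnam(order, "root")
    contacts_after_uid = ldap.contacts
    gids = getgrouplist(order, "root", uid[1])
    return {
        "uid": uid[0],
        "ldap_contacts_for_uid_lookup": contacts_after_uid,
        "ldap_contacts_for_group_lookup": ldap.contacts - contacts_after_uid,
        "gids": gids,
        "seconds_wasted": ldap.seconds_wasted,
    }


if __name__ == "__main__":
    for state in (True, False):
        print("slapd up" if state else "slapd down", simulate(state))
```

With slapd down the uid lookup costs nothing, while the group lookup still contacts LDAP once and silently loses the "admins" membership after the timeout; every rc.d script that runs "id"-style or initgroups-style lookups before slapd is up pays that timeout, which is the boot delay described in the thread.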
