Package: libnss-ldapd
Version: 0.6.7.2
Severity: important

Hi,

I wanted to replace my libnss-ldap setup by libnss-ldapd. At first sight it seems to work like a charm. Response times were even without nscd much better than before, but fallback to secondary ldap server does not work as expected.

If I block all requests on the first ldap server by iptables I always get a timeout from nslcd:

    nslcd: [b127f8] ldap_result() timed out

It never reconnects to the other server.

I tried all possibilities of changing timeout values in /etc/nss-ldapd.conf. I changed ssl on and off ... My last (and stupid) try was up to:

    threads 1
    bind_timelimit 1
    timelimit 1
    idle_timelimit 10

In netstat output I see many ESTABLISHED and CLOSE_WAIT connections to the (not reachable) ldap server.

The only way to connect to the second ldap server is killing and restarting nslcd (in my test scenario ldap2 is indeed the first server to ask):

    pkill -9 nslcd
    nslcd -d
    nslcd: DEBUG: add_uri(ldap://ldap2.xxxxxxxxxx/)
    nslcd: DEBUG: add_uri(ldap://ldap1.xxxxxxxxxx/)
    nslcd: version 0.6.7 starting
    nslcd: DEBUG: setgroups(0,NULL) done
    nslcd: DEBUG: setgid(110) done
    nslcd: DEBUG: setuid(106) done
    nslcd: accepting connections
    nslcd: [b0dc51] DEBUG: connection from pid=16207 uid=0 gid=0
    nslcd: [b0dc51] DEBUG: nslcd_group_bygid(1111)
    nslcd: [b0dc51] DEBUG: myldap_search(base="xxxxxx", filter="(&(objectClass=posixGroup)(gidNumber=1111))")
    nslcd: [b0dc51] DEBUG: ldap_result(): end of results

In this case, the first lookup takes bind_timelimit to succeed and subsequent queries go automatically to the fallback server. But this is definitely not satisfying.

If I use libnss-ldap like before on the same machine everything works as expected.

So my conclusion is that nslcd seems to connect to the first ldap server and tries to keep this connection forever. I also waited some minutes and nothing changed. Even if I restart the network interface locally it does not try to connect to the second server. The only way to use the fallback server is to restart nslcd.

If you need more information or if I could do some more testing let me know.

Regards,
matthias

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser         3.110                     add and remove users and groups
ii  debconf [debcon 1.5.24                    Debian configuration management sy
ii  libc6           2.7-18lenny4              GNU C Library: Shared libraries
ii  libkrb53        1.6.dfsg.4~beta1-5lenny4  MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1+lenny2           OpenLDAP libraries
ii  libsasl2-2      2.1.22.dfsg1-23+lenny1    Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap     184-4.2                   Pluggable Authentication Module fo
ii  nscd            2.7-18lenny4              GNU C Library: Name Service Cache

libnss-ldapd suggests no packages.

-- debconf information excluded
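
The following is an added example, not part of the original report and not nss-ldapd code: a small parser that summarises `netstat -tn` output per LDAP server and flags peers with sockets stuck in CLOSE_WAIT, the symptom the report describes. The sample output, the addresses (documentation range 192.0.2.0/24) and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

LDAP_PORTS = {389, 636}  # ldap and ldaps

# Constructed sample of `netstat -tn` output (not taken from the report).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:41822        192.0.2.21:389          ESTABLISHED
tcp        0      0 192.0.2.10:41830        192.0.2.21:389          ESTABLISHED
tcp        1      0 192.0.2.10:41790        192.0.2.21:389          CLOSE_WAIT
tcp        1      0 192.0.2.10:41795        192.0.2.21:389          CLOSE_WAIT
tcp        0      0 192.0.2.10:52011        192.0.2.22:389          ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:50514        ESTABLISHED
"""

# proto, recv-q, send-q, local addr, foreign ip:port, state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+\s+(\S+):(\d+)\s+(\S+)\s*$")


def ldap_socket_states(netstat_text):
    """Return {remote_ip: Counter(state -> count)} for LDAP/LDAPS peers only."""
    states = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) in LDAP_PORTS:
            states[m.group(1)][m.group(3)] += 1
    return dict(states)


def stale_servers(netstat_text, threshold=1):
    """LDAP peers with >= threshold CLOSE_WAIT sockets.

    CLOSE_WAIT means the peer closed the connection but the local
    process has not yet closed its own end of the socket.
    """
    per_server = ldap_socket_states(netstat_text)
    return sorted(ip for ip, counts in per_server.items()
                  if counts["CLOSE_WAIT"] >= threshold)


if __name__ == "__main__":
    for ip, counts in ldap_socket_states(SAMPLE_NETSTAT).items():
        print(ip, dict(counts))
    print("servers with CLOSE_WAIT sockets:", stale_servers(SAMPLE_NETSTAT))
```

On a live host the same functions can be fed the captured output of `netstat -tn` before and after blocking the first server, to see whether any connection to the fallback server is ever opened.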