[gentoo-dev] Slapd calls nss_ldap before opening its ports

[gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

when setting up LDAP Pam authentication I encountered a
problem that seems to be neither Slapd- nor
nss_ldap-specific.

When running the init script there comes up an error that
clutters up my syslog with a lot of useless error messages:

  @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $ 	root@myhost:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
  nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
  nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
  nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
  ...
  nss_ldap: could not search LDAP server - Server is unavailable
  WARNING: No dynamic config support for database ldbm.
  slapd starting

I found out that the Gentoo init script activates the
options "-u ldap -g ldap". Without them, the error messages
do not appear. Therefore I suppose the slapd daemon tries to
obtain passwd/shadow information for ldap via nss_ldap. At
least when I say "compat" in nsswitch.conf, the error
message doesn't appear as well.

The thing I really wonder about is that the lines in
nsswitch.conf say

  passwd:    files ldap
  shadow:    files ldap
  group:     files ldap

The files should be searched first. The "ldap" information
is present in all three of them. I even tried to chown the
shadow file to ldap but this didn't save me from the weird
messages either.

I detected I have a machine where this didn't happen. Then I
upgraded from glibc-2.5-r4 to glibc-2.6.1 ...

I tried to stuff log statements into glibc's nss part but
I'm not experienced enough in glibc to do that in finite
time.

Could this it a real bug in glibc or any of its patches?
Does anybody experience the same behaviour?

Thanks in advance,

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Benjamin Smee]

On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> Hi,
>
> when setting up LDAP Pam authentication I encountered a
> problem that seems to be neither Slapd- nor
> nss_ldap-specific.
>
> When running the init script there comes up an error that
> clutters up my syslog with a lot of useless error messages:
>
>   @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> 	root@myhost:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/
>servers/slapd nss_ldap: failed to bind to LDAP server ldap://127.0.0.1:
> Can't contact LDAP server nss_ldap: failed to bind to LDAP server
> ldap://127.0.0.1/: Can't contact LDAP server nss_ldap: failed to bind to
> LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> ...
>   nss_ldap: could not search LDAP server - Server is unavailable
>   WARNING: No dynamic config support for database ldbm.
>   slapd starting
>
> I found out that the Gentoo init script activates the
> options "-u ldap -g ldap". Without them, the error messages
> do not appear. Therefore I suppose the slapd daemon tries to
> obtain passwd/shadow information for ldap via nss_ldap. At
> least when I say "compat" in nsswitch.conf, the error
> message doesn't appear as well.

instead of -u ldap -g ldap, try putting in the UID and GID. This should stop 
the calls to the server.

> The files should be searched first. The "ldap" information
> is present in all three of them. I even tried to chown the
> shadow file to ldap but this didn't save me from the weird
> messages either.

Don't play with the perms on /etc/shadow, you're just openning up security 
holes.


-- 
Benjamin Smee (strerror)
net-mail/netmon/forensics/crypto/ldap
Fingerprint: 497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

Am Montag, 22. Okt 2007, 13:44:19 +0100 schrieb Benjamin Smee:
> On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> >
> >   @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> > 	root@myhost:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/
> >servers/slapd nss_ldap: failed to bind to LDAP server ldap://127.0.0.1:
> > Can't contact LDAP server nss_ldap: failed to bind to LDAP server
> > ldap://127.0.0.1/: Can't contact LDAP server nss_ldap: failed to bind to
> > LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> > ...
> >   nss_ldap: could not search LDAP server - Server is unavailable
> >
> > I found out that the Gentoo init script activates the
> > options "-u ldap -g ldap". Without them, the error messages
> > do not appear. Therefore I suppose the slapd daemon tries to
> > obtain passwd/shadow information for ldap via nss_ldap. At
> > least when I say "compat" in nsswitch.conf, the error
> > message doesn't appear as well.
> 
> instead of -u ldap -g ldap, try putting in the UID and GID. This should stop 
> the calls to the server.

I forgot to mention that I tried this, too. The same
messages appear.

Is there a way to determine _what_ nss is asked for?

> > I even tried to chown the
> > shadow file to ldap but this didn't save me from the weird
> > messages either.
> 
> Don't play with the perms on /etc/shadow, you're just openning up security 
> holes.

That was just for a minute. Of course I recovered the
previous state immediately.

Thanks anyway so far,

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Michael Hanselmann]

[-- Attachment #1: Type: text/plain, Size: 368 bytes --]

Hi

On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> information for ldap via nss_ldap.

Yes, it does. Therefore, use something like the following line in
/etc/ldap.conf:

  nss_initgroups_ignoreusers root,ldap,cron,portage 

Greets,
Michael

-- 
http://hansmi.ch/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Alec Warner]

On 10/22/07, Michael Hanselmann <hansmi@gentoo.org> wrote:
> Hi
>
> On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > information for ldap via nss_ldap.
>
> Yes, it does. Therefore, use something like the following line in
> /etc/ldap.conf:
>
>   nss_initgroups_ignoreusers root,ldap,cron,portage

ew, what if root is in some ldap groups? :)

But seriously while that most likely works, it's only hiding the
problem, not solving it.

Do other distributions just not run ldap as an unprivileged user?

We run slapd as 'ldap' at work, but do not have this problem (but we
are not running gentoo, obviously, our libraries are old and crufty).
I know robbat2 knows more about this problem, it just seems odd that
it's only us.

-Alec

>
> Greets,
> Michael
>
> --
> http://hansmi.ch/
>
>
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Alec Warner]

On 10/22/07, Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> Hi,
>
> Am Montag, 22. Okt 2007, 13:44:19 +0100 schrieb Benjamin Smee:
> > On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> > >
> > >   @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> > >     root@myhost:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/
> > >servers/slapd nss_ldap: failed to bind to LDAP server ldap://127.0.0.1:
> > > Can't contact LDAP server nss_ldap: failed to bind to LDAP server
> > > ldap://127.0.0.1/: Can't contact LDAP server nss_ldap: failed to bind to
> > > LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> > > ...
> > >   nss_ldap: could not search LDAP server - Server is unavailable
> > >
> > > I found out that the Gentoo init script activates the
> > > options "-u ldap -g ldap". Without them, the error messages
> > > do not appear. Therefore I suppose the slapd daemon tries to
> > > obtain passwd/shadow information for ldap via nss_ldap. At
> > > least when I say "compat" in nsswitch.conf, the error
> > > message doesn't appear as well.
> >
> > instead of -u ldap -g ldap, try putting in the UID and GID. This should stop
> > the calls to the server.
>
> I forgot to mention that I tried this, too. The same
> messages appear.
>
> Is there a way to determine _what_ nss is asked for?

Sure, turn on nscd in super debug mode and you should see most, if not
all the requests.

-Alec

>
> > > I even tried to chown the
> > > shadow file to ldap but this didn't save me from the weird
> > > messages either.
> >
> > Don't play with the perms on /etc/shadow, you're just openning up security
> > holes.
>
> That was just for a minute. Of course I recovered the
> previous state immediately.
>
> Thanks anyway so far,
>
> Bertram
>
>
> --
> Bertram Scharpf
> Stuttgart, Deutschland/Germany
> http://www.bertram-scharpf.de
> --
> gentoo-dev@gentoo.org mailing list
>
>
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

Am Montag, 22. Okt 2007, 08:48:59 -0700 schrieb Alec Warner:
> On 10/22/07, Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> > Is there a way to determine _what_ nss is asked for?
> 
> Sure, turn on nscd in super debug mode and you should see most, if not
> all the requests.

A _really_ cool idea. Thanks!

It's indeed the initgroups query that starts to spin.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

Am Montag, 22. Okt 2007, 15:30:59 +0200 schrieb Michael Hanselmann:
> On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > information for ldap via nss_ldap.
> 
> Yes, it does. Therefore, use something like the following line in
> /etc/ldap.conf:
> 
>   nss_initgroups_ignoreusers root,ldap,cron,portage 

Ah, I did not know this yet. I see the problem in whole is
more complicated.

Even though Alec enters caveats I will use the ignore
solution for now. What was troubling me was that I didn't
know what was going on at all.

Thank you both,

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 284 bytes --]

On Monday 22 October 2007, Bertram Scharpf wrote:
> when setting up LDAP Pam authentication I encountered a
> problem that seems to be neither Slapd- nor
> nss_ldap-specific.

for future reference, this belongs on the users list or the forums, not the 
development list
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

Am Montag, 29. Okt 2007, 07:45:48 -0400 schrieb Mike Frysinger:
> On Monday 22 October 2007, Bertram Scharpf wrote:
> > when setting up LDAP Pam authentication I encountered a
> > problem that seems to be neither Slapd- nor
> > nss_ldap-specific.
> 
> for future reference, this belongs on the users list or the forums, not the 
> development list

I asked this to the users list. My question was totally
ignored. I asked the OpenLDAP list, too. There I was
blocked; they told me I were off-topic. 'nss_ldap' itself
has no list as far as I can see. Where else should I ask?
microsoft.public.outlook.general?

Thanks again to Michael, Alec and Benjamin who helped me a lot.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 760 bytes --]

On Monday 29 October 2007, Bertram Scharpf wrote:
> Am Montag, 29. Okt 2007, 07:45:48 -0400 schrieb Mike Frysinger:
> > On Monday 22 October 2007, Bertram Scharpf wrote:
> > > when setting up LDAP Pam authentication I encountered a
> > > problem that seems to be neither Slapd- nor
> > > nss_ldap-specific.
> >
> > for future reference, this belongs on the users list or the forums, not
> > the development list
>
> I asked this to the users list. My question was totally
> ignored. I asked the OpenLDAP list, too. There I was
> blocked; they told me I were off-topic. 'nss_ldap' itself
> has no list as far as I can see. Where else should I ask?
> microsoft.public.outlook.general?

while that sucks, it still does not make it appropriate for this list
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

Am Montag, 29. Okt 2007, 08:47:28 -0400 schrieb Mike Frysinger:
> while that sucks, it still does not make it appropriate for this list

As I wrote in the first post the problem appeared when I
upgraded from glibc-2.5-r4 to glibc-2.6.1. At this point of
time I was not able to decide whether the problem was
Gentoo-specific or not.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 2577 bytes --]

On Mon, Oct 22, 2007 at 09:56:59PM +0200, Bertram Scharpf wrote:
> Hi,
> 
> Am Montag, 22. Okt 2007, 15:30:59 +0200 schrieb Michael Hanselmann:
> > On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > > information for ldap via nss_ldap.
> > 
> > Yes, it does. Therefore, use something like the following line in
> > /etc/ldap.conf:
> > 
> >   nss_initgroups_ignoreusers root,ldap,cron,portage 
> 
> Ah, I did not know this yet. I see the problem in whole is
> more complicated.
> 
> Even though Alec enters caveats I will use the ignore
> solution for now. What was troubling me was that I didn't
> know what was going on at all.
I was busy with other things, so I didn't get to this.

It's not unique to Gentoo, but rather it is more apparent on Gentoo
because of how users do things. 

The RHEL documentation on LDAP server (mind you, I last read it before
they did their own Fedora Directory Server) had big warnings about not
using nss_ldap on the machine that housed your slapd.

Secondly, the glibc NSS lookup for a numeric UID has a nasty bit in it:
for S in NSS-sources:
	lookup for U in the numeric column
	if found, return.
	lookup for U in the key column (pw_name)
	if found, return.

Doing the U is member of groups lookup is even worse, since it doesn't
break out of the look as soon as possible (hence why the
initgroups_ignoreusers setting is important).

Now if you are doing a lookup for a non-existent numeric UID, this means
that you hit the files backend twice, and the LDAP backend twice.

If slapd is not available (either because it is local and not started
yet, OR because networking is not available yet), the LDAP lookups will
time out. The Gentoo stock /etc/ldap.conf that powers nss_ldap has
settings to try to minimize the cost of the timeouts, that uses a
timeout of 15 seconds per lookup.

I discussed this previously with Uberlord, I can't recall the bug #.
The net of it is that _every_ UID and GID used (and yes, even doing an
ls can hit them!) must be present in the core system data, or it the
timeout penalty must be paid for each lookup.

It's easy to fall foul of this. Somewhere around, there was a NSS module
that just logged every lookup instead of performing them, and it is
astounding how many lookups take place during boot.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 321 bytes --]

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 546 bytes --]

On Monday 29 October 2007, Bertram Scharpf wrote:
> Am Montag, 29. Okt 2007, 08:47:28 -0400 schrieb Mike Frysinger:
> > while that sucks, it still does not make it appropriate for this list
>
> As I wrote in the first post the problem appeared when I
> upgraded from glibc-2.5-r4 to glibc-2.6.1. At this point of
> time I was not able to decide whether the problem was
> Gentoo-specific or not.

the context of "not appropriate" is not "this list" as in "Gentoo specific", 
but as in "this list is for development, not support"
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Bertram Scharpf]

Hi,

Am Montag, 29. Okt 2007, 12:41:51 -0400 schrieb Mike Frysinger:
> On Monday 29 October 2007, Bertram Scharpf wrote:
> > Am Montag, 29. Okt 2007, 08:47:28 -0400 schrieb Mike Frysinger:
> > > while that sucks, it still does not make it appropriate for this list
> >
> > As I wrote in the first post the problem appeared when I
> > upgraded from glibc-2.5-r4 to glibc-2.6.1. At this point of
> > time I was not able to decide whether the problem was
> > Gentoo-specific or not.
> 
> the context of "not appropriate" is not "this list" as in "Gentoo specific", 
> but as in "this list is for development, not support"

I may venture to assume that repetitive error messages of
that plenty could be seen at least as a documentation bug.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 1072 bytes --]

On Mon, 2007-10-29 at 18:39 +0100, Bertram Scharpf wrote:
> Hi,
> 
> Am Montag, 29. Okt 2007, 12:41:51 -0400 schrieb Mike Frysinger:
> > On Monday 29 October 2007, Bertram Scharpf wrote:
> > > Am Montag, 29. Okt 2007, 08:47:28 -0400 schrieb Mike Frysinger:
> > > > while that sucks, it still does not make it appropriate for this list
> > >
> > > As I wrote in the first post the problem appeared when I
> > > upgraded from glibc-2.5-r4 to glibc-2.6.1. At this point of
> > > time I was not able to decide whether the problem was
> > > Gentoo-specific or not.
> > 
> > the context of "not appropriate" is not "this list" as in "Gentoo specific", 
> > but as in "this list is for development, not support"
> 
> I may venture to assume that repetitive error messages of
> that plenty could be seen at least as a documentation bug.

Which should be filed as a bug report or sent to the gentoo-doc list.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports

[Josh Saddler]

[-- Attachment #1: Type: text/plain, Size: 501 bytes --]

Chris Gianelloni wrote:
>> I may venture to assume that repetitive error messages of
>> that plenty could be seen at least as a documentation bug.
> 
> Which should be filed as a bug report or sent to the gentoo-doc list.

It's not a Gentoo documentation bug, so don't bother to file one, nor
mention it on the gentoo-doc list. It's not our problem, either.

If anything, file a bug with LDAP upstream or with RHEL's documentation;
robbat2 mentioned their docs in an earlier message.




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]