From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-27278-garchives=archives.gentoo.org@gentoo.org>)
	id 1IjzZw-0004O5-39
	for garchives@archives.gentoo.org; Mon, 22 Oct 2007 15:52:32 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.14.1/8.14.0) with SMTP id l9MFpZAF007663;
	Mon, 22 Oct 2007 15:51:35 GMT
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.243])
	by robin.gentoo.org (8.14.1/8.14.0) with ESMTP id l9MFn15n004165
	for <gentoo-dev@lists.gentoo.org>; Mon, 22 Oct 2007 15:49:01 GMT
Received: by an-out-0708.google.com with SMTP id c38so131167ana
        for <gentoo-dev@lists.gentoo.org>; Mon, 22 Oct 2007 08:49:01 -0700 (PDT)
Received: by 10.78.170.6 with SMTP id s6mr3179310hue.1193068139199;
        Mon, 22 Oct 2007 08:48:59 -0700 (PDT)
Received: by 10.78.21.9 with HTTP; Mon, 22 Oct 2007 08:48:59 -0700 (PDT)
Message-ID: <b41005390710220848u30f5e72fi444ee267c438009f@mail.gmail.com>
Date: Mon, 22 Oct 2007 08:48:59 -0700
From: "Alec Warner" <antarus@gentoo.org>
Sender: antarus@scriptkitty.com
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
In-Reply-To: <20071022125634.GA32424@bart.bs.l>
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20071022121229.GA24735@bart.bs.l>
	 <200710221344.21550.strerror@gentoo.org>
	 <20071022125634.GA32424@bart.bs.l>
X-Google-Sender-Auth: 8e236e06cc61f406
X-Archives-Salt: 5c2f24df-7980-4508-b2be-5423d6904f5f
X-Archives-Hash: b654765c38ef01f7d33a6176b456639f

On 10/22/07, Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> Hi,
>
> Am Montag, 22. Okt 2007, 13:44:19 +0100 schrieb Benjamin Smee:
> > On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> > >
> > >   @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> > >     root@myhost:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/
> > >servers/slapd nss_ldap: failed to bind to LDAP server ldap://127.0.0.1:
> > > Can't contact LDAP server nss_ldap: failed to bind to LDAP server
> > > ldap://127.0.0.1/: Can't contact LDAP server nss_ldap: failed to bind to
> > > LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> > > ...
> > >   nss_ldap: could not search LDAP server - Server is unavailable
> > >
> > > I found out that the Gentoo init script activates the
> > > options "-u ldap -g ldap". Without them, the error messages
> > > do not appear. Therefore I suppose the slapd daemon tries to
> > > obtain passwd/shadow information for ldap via nss_ldap. At
> > > least when I say "compat" in nsswitch.conf, the error
> > > message doesn't appear as well.
> >
> > instead of -u ldap -g ldap, try putting in the UID and GID. This should stop
> > the calls to the server.
>
> I forgot to mention that I tried this, too. The same
> messages appear.
>
> Is there a way to determine _what_ nss is asked for?

Sure, turn on nscd in super debug mode and you should see most, if not
all the requests.

-Alec

>
> > > I even tried to chown the
> > > shadow file to ldap but this didn't save me from the weird
> > > messages either.
> >
> > Don't play with the perms on /etc/shadow, you're just openning up security
> > holes.
>
> That was just for a minute. Of course I recovered the
> previous state immediately.
>
> Thanks anyway so far,
>
> Bertram
>
>
> --
> Bertram Scharpf
> Stuttgart, Deutschland/Germany
> http://www.bertram-scharpf.de
> --
> gentoo-dev@gentoo.org mailing list
>
>
-- 
gentoo-dev@gentoo.org mailing list