Packaging nss-ldapd for fedora

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Mon Jul 21 17:34:54 UTC 2008


Howard Wilkinson <howard at cohtech.com> writes:

>>> Enrico, could you expand on the issues you see with nss_ldap under
>>> Fedora.
>
> can you point me at the bugzilla reports please. I have been following
> the ones on pdal but if there is another source I would like to see it

https://bugzilla.redhat.com/buglist.cgi?component_text=nss_ldap


> Do the problems you see occur when using kerberos to authenticate to
> the ldap server? Or are they in another path? You may need to set
> "bind_policy soft" to get rid of the hangs.

No kerberos (at least not for LDAP bind), only a single LDAP server, no
SSL/TLS. 'koji list-api' is stuck at

| open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
| fstat(5, {st_mode=S_IFREG|0644, st_size=2693, ...}) = 0
| mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb3c3218000
| read(5, "root:x:0:0:root...
| read(5, "", 4096)                       = 0
| close(5)                                = 0
| munmap(0x7fb3c3218000, 4096)            = 0
| futex(0x7fb3bb1bee00, FUTEX_WAIT_PRIVATE, 2, NULL

This futex address is used here for the first and only time; there are no
children or threads which could issue a WAKE.

nsswitch.conf contains 'ldap' entries for 'passwd' and 'group' only (not
for 'shadow' or 'hosts').


The bash lockups are not 100% reproducible, but bash hangs in such a
futex() call too. There is a connection to the ldap server in CLOSE_WAIT
state and a unix socket (connection to a dead nscd?) in this situation.


> Things that need some attention in nss_ldap include the ability to
> fail over to a second ldap server, which may be your real problem.

$ sed '/^\(#.*\|\)$/d' /etc/ldap.conf
host ldap.bigo.ensc.de.
base dc=bigo,dc=ensc,dc=de
pam_min_uid  1000
nss_base_passwd         ou=People,dc=bigo,dc=ensc,dc=de?one
nss_base_group          ou=Group,dc=bigo,dc=ensc,dc=de?one
ssl no
pam_password md5



> Anyway, the version I run is 259 with my patches for the kerberos
> library included (see PDAL bugzilla 298) and I get occasional
> segfaults from nscd but otherwise it works nicely with kerberos
> keytabs and file based tickets. I have yet to test memory based
> tickets.

nss_ldap-259-3.fc9.x86_64




Enrico
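The reasoning in the message above (an unfinished futex(FUTEX_WAIT) as the last syscall, an address never touched earlier in the trace, and no clone/fork that could have created a waker) can be checked mechanically over an strace transcript. The script below is an added example and is not part of the original post or of nss_ldap; the sample trace embeds the lines quoted in the message plus a few constructed preceding lines (execve, socket, connect with an example address) so it runs offline. The `[pid N]` prefix handling and the `<unfinished ...>` marker are assumptions about strace's output format for threaded processes.

```python
"""Classify a lone FUTEX_WAIT hang in an strace transcript (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the tail quoted in the mailing-list post, preceded by a
# few invented lines (execve/socket/connect) so the analysis has history to scan.
SAMPLE_TRACE = """\
execve("/usr/bin/koji", ["koji", "list-api"], [/* 30 vars */]) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=2693, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb3c3218000
read(5, "root:x:0:0:root"..., 4096) = 2693
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x7fb3c3218000, 4096)            = 0
futex(0x7fb3bb1bee00, FUTEX_WAIT_PRIVATE, 2, NULL
"""

# Optional "[pid 1234] " prefix (strace -f), then the syscall name and first args.
FUTEX_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?futex\((0x[0-9a-f]+),\s*(FUTEX_\w+)")
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(")
# Syscalls that create another task which could later issue a FUTEX_WAKE.
TASK_CREATORS = {"clone", "fork", "vfork"}
# A completed call ends in ") = <value>"; a hung one is cut off before that.
COMPLETED_RE = re.compile(r"\)\s*=\s*-?\w")


@dataclass
class FutexReport:
    hung: bool                       # last line is an unfinished FUTEX_WAIT*
    address: str = ""                # futex word the process is blocked on
    earlier_uses: int = 0            # same address seen earlier in the trace
    task_creators: list = field(default_factory=list)  # clone/fork calls seen
    last_net_activity: str = ""      # last socket()/connect() line, for context

    @property
    def no_waker_possible(self) -> bool:
        """True when nothing in the trace could ever wake this waiter."""
        return self.hung and self.earlier_uses == 0 and not self.task_creators


def analyse_strace(text: str) -> FutexReport:
    """Inspect the final syscall and the history before it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return FutexReport(hung=False)
    last = lines[-1]
    m = FUTEX_RE.match(last)
    unfinished = "<unfinished ...>" in last or not COMPLETED_RE.search(last)
    if not (m and m.group(2).startswith("FUTEX_WAIT") and unfinished):
        return FutexReport(hung=False)
    report = FutexReport(hung=True, address=m.group(1))
    for ln in lines[:-1]:
        fm = FUTEX_RE.match(ln)
        if fm and fm.group(1) == report.address:
            report.earlier_uses += 1
        sm = SYSCALL_RE.match(ln)
        if not sm:
            continue
        name = sm.group(1)
        if name in TASK_CREATORS:
            report.task_creators.append(name)
        elif name in ("socket", "connect"):
            report.last_net_activity = ln
    return report


if __name__ == "__main__":
    r = analyse_strace(SAMPLE_TRACE)
    if r.no_waker_possible:
        print(f"hung on {r.address}: never used before, no clone/fork seen; "
              f"a deadlock inside the process rather than a lost wake-up")
    elif r.hung:
        print(f"hung on {r.address}: {r.earlier_uses} earlier uses, "
              f"task creators {r.task_creators}; another task may hold the lock")
    else:
        print("no futex hang at end of trace")
    if r.last_net_activity:
        print("last network activity:", r.last_net_activity)
```

Run it against `strace -f -o trace.log <command>` output by reading the file into `analyse_strace`; when `no_waker_possible` is true the trace itself already rules out a lost wake-up from a child, which is the point the message makes.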