[389-users] Debug PTA and PAM-PTA stack for ldap timeout

Prashanth Sundaram psundaram at wgen.net
Wed Sep 15 15:26:31 UTC 2010


Hello,

We are having some ldap timeout issues in our MMR-SLAVE ldap setup. A
user is unable to ssh to random hosts at random times.

Terminal Error: Permission denied (publickey,gssapi-with-mic,password)
secure logs:  pam_ldap: ldap_result Timed out
              Failed password for psundaram from 10.1.0.120 port 22039 ssh2


Sifting through the logs tells us the user's password was successfully
authenticated upstream, by looking at the dirsrv access log with err=0. The
clients connecting to the slave incur regular timeouts and the login fails,
but that is not the case with clients connecting to the Master directly.

Setup: Two Masters with MMR, Two Slaves with MMR. The authentication for
clients connecting to the slave ldap server goes to the master via PTA
plugin and then from Master it goes to Windows AD via PAM-PTA.

Client----->Slave--(PTA)-->Master--(PAM-PTA)-->AD (This is where all passwords are)

I understand we might have a long traversal for the authentication,
but we have set considerably high timeout limits.

/etc/ldap.conf
timelimit 120
bind_timelimit 5 
bind_policy hard
idle_timelimit 3600

slave ldap server
nsslapd-idletimeout: 86400
nsbindtimeout: 15
nsslapd-timelimit: 3600

Master ldap server
nsslapd-idletimeout: 7200
nsbindtimeout: 15
nsslapd-timelimit: 3600


Has anybody had a similar issue, or can anyone share some debugging tips?

-Prashanth
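
Added example, not part of the original post and not 389 Directory Server code: one way to see where time is spent in the chain above is to pair each BIND with its RESULT in the slave's dirsrv access log and list binds whose etime exceeds a client-side limit, or that never got a RESULT. The log lines, DNs and connection numbers are constructed, and using the client's bind_timelimit as the threshold is an assumption.

```python
import re

# Client settings as quoted in the post (/etc/ldap.conf).
CLIENT_CONF = "timelimit 120\nbind_timelimit 5\nbind_policy hard\nidle_timelimit 3600\n"

# Constructed access-log lines in 389 DS format; DNs, conn numbers and times are made up.
SAMPLE_LOG = """\
[15/Sep/2010:15:19:59 +0000] conn=40 op=1 RESULT err=0 tag=101 nentries=1 etime=9
[15/Sep/2010:15:20:01 +0000] conn=41 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:20:02 +0000] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="uid=jdoe,ou=people,dc=example,dc=com"
[15/Sep/2010:15:21:10 +0000] conn=42 op=0 BIND dn="uid=asmith,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:21:18 +0000] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=8 dn="uid=asmith,ou=people,dc=example,dc=com"
[15/Sep/2010:15:22:30 +0000] conn=43 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')

def parse_conf(text):
    """Return ldap.conf style 'key value' pairs as a dict."""
    pairs = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith('#'))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def slow_binds(log_text, limit):
    """Pair BIND/RESULT by (conn, op); return binds slower than limit or never answered."""
    pending, flagged = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, rest = (int(m['conn']), int(m['op'])), m['rest']
        if rest.startswith('BIND '):
            dn = re.search(r'dn="([^"]*)"', rest)
            pending[key] = {'conn': key[0], 'op': key[1], 'start': m['ts'], 'dn': dn.group(1) if dn else ''}
        elif rest.startswith('RESULT ') and key in pending:
            bind = pending.pop(key)
            fields = dict(f.split('=', 1) for f in rest.split()[1:] if '=' in f)
            bind.update(err=int(fields['err']), etime=float(fields['etime']))
            if bind['etime'] > limit:
                flagged.append(bind)
    # BINDs with no RESULT in the log window: still waiting on the next hop.
    flagged += [dict(b, err=None, etime=None) for b in pending.values()]
    return flagged

if __name__ == '__main__':
    limit = int(parse_conf(CLIENT_CONF)['bind_timelimit'])
    for b in slow_binds(SAMPLE_LOG, limit):
        print(b['start'], 'conn=%d' % b['conn'], b['dn'], 'err=%s etime=%s' % (b['err'], b['etime']))
```

A bind that shows err=0 with an etime above the client's limit succeeded on the server after the client had already stopped waiting for it.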


