Packaging nss-ldapd for fedora
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Mon Jul 21 17:34:54 UTC 2008
Howard Wilkinson <howard at cohtech.com> writes:
>>> Enrico, could you expand on the issues you see with nss_ldap under
>>> Fedora.
>
> Can you point me at the bugzilla reports please? I have been following
> the ones on PADL, but if there is another source I would like to see it.

https://bugzilla.redhat.com/buglist.cgi?component_text=nss_ldap

> Do the problems you see occur when using kerberos to authenticate to
> the ldap server? Or are they in another path? You may need to set
> "bind_policy soft" to get rid of the hangs.

No kerberos (at least not for LDAP bind), only a single LDAP server, no
SSL/TLS. 'koji list-api' gets stuck at

| open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
| fstat(5, {st_mode=S_IFREG|0644, st_size=2693, ...}) = 0
| mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb3c3218000
| read(5, "root:x:0:0:root...
| read(5, "", 4096) = 0
| close(5) = 0
| munmap(0x7fb3c3218000, 4096) = 0
| futex(0x7fb3bb1bee00, FUTEX_WAIT_PRIVATE, 2, NULL

This futex address is used here for the first and only time; there are no
children or threads which could issue a WAKE.

nsswitch.conf contains 'ldap' entries for 'passwd' and 'group' only (not
for 'shadow' or 'hosts').

The bash lockups are not 100% reproducible, but bash hangs in such a
futex() call too. There is a connection to the ldap server in CLOSE_WAIT
state and a unix socket (connection to a dead nscd?) in this situation.

> Things that need some attention in nss_ldap include the ability to
> fail over to a second ldap server, which may be your real problem.

$ sed '/^\(#.*\|\)$/d' /etc/ldap.conf
host ldap.bigo.ensc.de.
base dc=bigo,dc=ensc,dc=de
pam_min_uid 1000
nss_base_passwd ou=People,dc=bigo,dc=ensc,dc=de?one
nss_base_group ou=Group,dc=bigo,dc=ensc,dc=de?one
ssl no
pam_password md5
> Anyway, the version I run is 259 with my patches for the kerberos
> library included (see PADL bugzilla 298) and I get occasional
> segfaults from nscd but otherwise it works nicely with kerberos
> keytabs and file based tickets. I have yet to test memory based
> tickets.

nss_ldap-259-3.fc9.x86_64

Enrico
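
An added example, not part of the original message: one way to spot the half-closed LDAP connection described above is to scan a /proc/net/tcp table for sockets in CLOSE_WAIT whose remote port is 389. The sample table, its addresses and inodes, and the function names are constructed for illustration; a little-endian host (x86_64, as in the report) is assumed.

```python
import socket
import struct

CLOSE_WAIT = 0x08  # TCP_CLOSE_WAIT: peer sent FIN, local side never called close()
LDAP_PORT = 389    # plain LDAP, matching "ssl no" in the posted ldap.conf

# Constructed sample in /proc/net/tcp layout (not captured from the poster's host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0A00000A:C350 1400000A:0185 08 00000000:00000001 00:00000000 00000000  1000        0 22222 1
   2: 0A00000A:C351 1400000A:0185 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
   3: 0A00000A:C352 1400000A:0050 08 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT'. Assumes IPv4 stored little-endian (x86)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def stale_ldap_sockets(table, port=LDAP_PORT):
    """Return CLOSE_WAIT sockets whose remote port is `port`."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue  # truncated or malformed row
        if int(cols[3], 16) != CLOSE_WAIT:
            continue
        remote = decode_endpoint(cols[2])
        if remote[1] != port:
            continue
        found.append({
            "local": decode_endpoint(cols[1]),
            "remote": remote,
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return found


if __name__ == "__main__":
    for sock in stale_ldap_sockets(SAMPLE):
        print(sock)
```

On a live system the same function can be fed the contents of /proc/net/tcp, and the reported inode can be matched against the `socket:[inode]` links under /proc/<pid>/fd to find the process holding the connection.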