Ldap causing boot problems

After setting up an ldap server and client on a machine running opensuse 11.3 (32 bit) it’s taking around 20 minutes to boot

It’s hanging mostly on trying to start dbus daemon, hal and nfs mounts. xinetd also fails to start

I had at first thought something from NIS which I was previously using might still be running and causing some kind of conflict but I’ve double-checked that and it’s not the case

Anyone know what I should look for that may be causing this kind of behaviour as I’ve no idea where to even start

It may be trying to resolve the account names using ldap first which will fail because you have no networking at that point but take a long time to fail. Check that the order for passwd, shadow and group in /etc/nsswitch.conf is files ldap, i.e. looks it up in /etc/passwd first.

You might be onto something there mate and I should have thought of it myself

All it had there was this

passwd: compat
group: compat

Changed it to

passwd: files ldap
shadow: files ldap
group: files ldap

Can’t reboot just yet though, it’s moving a whole lot of files that isn’t likely to finish before I head off to bed so I’ll check if it’s done the trick in the morning

Putting the correct values in nsswitch.conf didn’t fix anything

I found a pile of errors in /var/log/messages relating to ldap tls so I disabled tls in the ldap server and client and rebooted again, still hanging on dbus but not on hal and xinetd started ok

A further look in /var/log/messages turned these up

Oct 31 12:42:37 gazelle dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://localhost: Can't contact LDAP server
Oct 31 12:42:37 gazelle dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable

Oct 31 12:42:40 gazelle slapd[2744]: @(#) $OpenLDAP: slapd 2.4.21 (Jul 5 2010 13:34:44) $#012#011abuild@build24:/usr/src/packages/BUILD/openldap-2.4.21/servers/slapd

So it looks to me as if dbus is starting before slapd which would explain it hanging (should slapd be starting before dbus and how would I change that?)

Before I took the tls setting off I could only get it to boot using Failsafe which I think I forgot to mention, now it boots normally but I still can’t login as the test ldap user I’ve added

Look at the relative order of passwd (Unix) auth and LDAP auth in /etc/pam.d for various services then.

Generally one should not make the account for local services dependent on a LDAP server.

In the file /etc/pam.d/passwd all I have is this

auth include common-auth
account include common-account
password include common-password
session include common-session

From what you said in your last post, Ken, sounds like there should be more values, nothing there for ldap at all, a case of Yast not writing all the values it should be perhaps?

Those are includes so they “redirect”. You should look at the common-* files, they probably contain calls to some combination of unix and ldap modules.

common-account contains these values

account	requisite	pam_unix2.so	
account	sufficient	pam_localuser.so 
account	required	pam_ldap.so	use_first_pass

common-auth contains these values

auth	required	pam_env.so	
auth	optional	pam_gnome_keyring.so
auth	sufficient	pam_unix2.so	
auth	required	pam_ldap.so	use_first_pass

common-password contains these values

password	requisite	pam_pwcheck.so	nullok cracklib 
password	optional	pam_gnome_keyring.so	use_authtok
password	sufficient	pam_unix2.so	use_authtok nullok 
password	required	pam_ldap.so	try_first_pass use_authtok 

common-session contains these values

session	required	pam_limits.so	
session	required	pam_unix2.so	
session	optional	pam_apparmor.so	
session	optional	pam_ldap.so	
session	optional	pam_umask.so	
session	optional	pam_gnome_keyring.so	auto_start only_if=gdm,lxdm 

I’ve no idea what they all should be but I’m guessing the entries with required pam_ldap.so in them are the ones we’re looking for, all new territory to me this

And I just kicked myself for not even realising the includes pointed elsewhere … it’s Sunday which ain’t the day I do my best thinking :stuck_out_tongue:

Never mind, it’s become a moot point for the moment, someone came round today in dire need due to a fried motherboard so I’ve had to reconfigure the machine as a windoze desktop for them to use until a new board for their machine arrives

I’ll have to revisit this when I get the machine I was using for testing this setup back

Thanks for trying to help me with this Ken, you’re a true star as always

I’ll give it another shot next week and hopefully get a bit further with it under my own steam
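
The two checks suggested in the replies above (files before ldap in /etc/nsswitch.conf, and local accounts not depending on pam_ldap.so), written out as an added example that is not part of the original thread. The function names and the samples marked constructed are assumptions; the PAM check is a heuristic that only understands the simple control keywords used in the posted files, not bracketed [value=action] controls.

```python
import re

# Local modules seen in the thread's common-* files.
LOCAL_MODULES = {"pam_unix2.so", "pam_localuser.so"}

def nss_findings(text, databases=("passwd", "shadow", "group")):
    """Map database -> problem when ldap is consulted without or before files."""
    findings = {}
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if not sep or name.strip() not in databases:
            continue
        # Drop action items such as [NOTFOUND=return]; keep the source names.
        sources = re.sub(r"\[[^\]]*\]", " ", rest).split()
        if "ldap" not in sources:
            continue
        if "files" not in sources:
            findings[name.strip()] = "ldap without files"
        elif sources.index("ldap") < sources.index("files"):
            findings[name.strip()] = "ldap before files"
    return findings

def pam_ldap_blocks_local(text):
    """True if a required/requisite pam_ldap.so is reached before any
    'sufficient' local module could end the stack for a local account."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        control, module = fields[1], fields[2]
        if control == "sufficient" and module in LOCAL_MODULES:
            return False
        if module == "pam_ldap.so" and control in ("required", "requisite"):
            return True
    return False

# nsswitch.conf lines as changed in the thread, and a constructed bad ordering.
NSS_THREAD = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
NSS_BAD = "passwd: ldap files\nshadow: ldap\ngroup: files ldap\n"  # constructed
# common-auth as posted in the thread, and a constructed stack with ldap first.
AUTH_THREAD = ("auth required pam_env.so\nauth optional pam_gnome_keyring.so\n"
               "auth sufficient pam_unix2.so\nauth required pam_ldap.so use_first_pass\n")
AUTH_BAD = "auth required pam_ldap.so\nauth sufficient pam_unix2.so\n"  # constructed

if __name__ == "__main__":
    for label, nss in (("thread", NSS_THREAD), ("constructed", NSS_BAD)):
        print(label, "nsswitch:", nss_findings(nss) or "files first")
    for label, pam in (("thread", AUTH_THREAD), ("constructed", AUTH_BAD)):
        print(label, "common-auth blocks local logins:", pam_ldap_blocks_local(pam))
```

Run against the files as posted, both checks come back clean, which matches the later finding that the boot hang came from nss_ldap being unable to reach slapd rather than from the lookup order or the PAM stack.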