From: Jonathan McKeown
To: freebsd-questions@freebsd.org
Date: Fri, 9 May 2008 22:44:04 +0200
Subject: Re: slapd won't start with nss_ldap.conf

On Friday 09 May 2008 14:36, Robert Fitzpatrick wrote:
> On a FreeBSD 6.1 with openldap-server-2.3.39, I have set up nss_ldap and
> pam_ldap, but cannot get slapd to start as long as I have nss_ldap.conf
> present, it just hangs and nothing in the messages or debug logs. I just
> copied ldap.conf to nss_ldap.conf, see contents below.

To try and identify the problem, can I ask - when you say slapd doesn't
start, how long have you waited?

There is a chicken-and-egg problem with slapd on a host which is running
nss_ldap. To start a process, the system has to adopt the user and group
privileges of the process owner, which means enumerating all the groups for
that user from every source of group information - including LDAP on a
system running nss_ldap. So, to start slapd, the system needs the group info
for user ldap - from slapd.

It times out and retries a few times, and eventually starts slapd using the
group information from /etc/passwd and /etc/group, but the timeout and retry
options by default take several minutes. The delay can be even longer
depending how many other services are being started first and therefore how
many nss_ldap lookup timeouts occur during boot.

There are a number of possible solutions depending which version of nss_ldap
you're running - searching for

nss_ldap bind_policy nss_reconnect_tries

will produce a number of suggestions and ``problem reports''.

Jonathan
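
The retry delay described in the message above, as an added example that is not part of the original post: a small sh function that reads an nss_ldap.conf-style file and estimates how long a single lookup can sleep in the reconnect loop while slapd is unreachable. The fallback values, the doubling backoff, the other nss_reconnect_* option names and the sample config are assumptions taken from the nss_ldap(5) description of versions that support these options.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how long ONE nss_ldap lookup
# can sleep in its reconnect loop while slapd is unreachable.
# ASSUMPTIONS: the fallback values and the doubling backoff follow the
# nss_ldap(5) description of the nss_reconnect_* options; versions without
# those options behave differently. Connect/bind timeouts are not counted.

nss_ldap_worst_case() {
    # $1 = nss_ldap.conf-style file; prints "<bind_policy> <sleep seconds>"
    policy=hard tries=5 sleeptime=4 maxsleep=64   # assumed defaults
    while read -r key val rest; do
        case $key in                # comment lines never match a keyword
            bind_policy)                policy=$val ;;
            nss_reconnect_tries)        tries=$val ;;
            nss_reconnect_sleeptime)    sleeptime=$val ;;
            nss_reconnect_maxsleeptime) maxsleep=$val ;;
        esac
    done < "$1"
    total=0 backoff=0 i=0
    if [ "$policy" = hard ]; then   # soft: fail at once, no retry sleeps
        while [ "$i" -lt "$tries" ]; do
            if [ "$backoff" -eq 0 ]; then
                backoff=$sleeptime
            elif [ "$backoff" -lt "$maxsleep" ]; then
                backoff=$((backoff * 2))
            fi
            total=$((total + backoff))
            i=$((i + 1))
        done
    fi
    echo "$policy $total"
}

# Constructed sample config (hypothetical host and base DN).
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample
uri ldap://127.0.0.1/
base dc=example,dc=org
EOF
echo "no bind_policy set: $(nss_ldap_worst_case "$conf")"
echo "bind_policy soft" >> "$conf"
echo "after adding soft:  $(nss_ldap_worst_case "$conf")"
rm -f "$conf"
```

The figure is per lookup, so every group enumeration made by a service started before slapd adds its own copy of it to the boot time.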