From owner-freebsd-stable@FreeBSD.ORG Fri Jan 20 18:14:49 2006
From: Dominique Goncalves
To: Dan Nelson
Cc: freebsd-stable@freebsd.org, vsevolod@freebsd.org
Date: Fri, 20 Jan 2006 19:08:12 +0100
Subject: Re: Using [Open]LDAP for authentication
Message-ID: <7daacbbe0601201008m7c650f4esedcd81921d0fd81e@mail.gmail.com>
In-Reply-To: <20060120154215.GA54284@dan.emsphone.com>
References: <200601201130.18872.doconnor@gsoft.com.au> <7daacbbe0601192341p32673972j8f309dff1df543aa@mail.gmail.com> <20060120154215.GA54284@dan.emsphone.com>
List-Id: Production branch of FreeBSD source code
On 1/20/06, Dan Nelson wrote:
> In the last episode (Jan 20), Dominique Goncalves said:
> > On 1/20/06, Daniel O'Connor wrote:
> > > I use OpenLDAP for authentication in conjunction with nss_ldap and
> > > pam_ldap (and samba). I use the RCORDER port option so it put the
> > > startup file in /etc/rc.d.
> > >
> > > In 5.4 this worked fine - it started up correctly and in the right
> > > place. However I upgraded to 6.0-STABLE (11/12/05) and when I ran
> > > mergemaster I accidentally told it to delete the rc.d file (doh..)
> > > I then upgraded to a slightly later version of openldap (a newer
> > > version of openldap23-server).
> > >
> > > The problem now is that OpenLDAP appears to start very late, since
> > > lots of things need to do nss_ldap lookups it means bootup is very
> > > glacial as they timeout.
> >
> > I've reported recently a problem with the same symptoms [1] but I use
> > this order in my nsswitch.conf "files ldap".
> >
> > All examples I found on the internet use this order. And if I understand
> > correctly, this order means, if a user is not found in files then it
> > tries on ldap?
> >
> > [1] http://lists.freebsd.org/pipermail/freebsd-questions/2006-January/110581.html
>
> For the username lookup itself this is true, but to determine which
> groups that user is a member of, it needs to fetch the entire group
> list. That's probably the cause of your hang. Compare "id -u root"
> (just looks up userid) with "id root" (looks up userid and group
> memberships).
>
> In any case, I can't think of any reason why ldap queries would timeout
> or hang, though. Either nss_ldap can connect to the remote ldap
> service, or it can't, and if it can't it should realize this
> immediately (unless your routes are messed up). Unfortunately, truss
> doesn't tell you what syscall a process is waiting on when you ^C it;
> try ktrace or strace and see if it gives you any more info.

I've updated my system with FreeBSD 6.0-STABLE #0: Thu Jan 19 21:51:24 CET 2006
but the hang is still here.

Here are the results of the command "id" with "strace", executed in single user mode:

strace with ldap in nsswitch.conf:
http://djdomics.free.fr/FreeBSD/strace-nss-w-ldap.txt

strace without ldap in nsswitch.conf:
http://djdomics.free.fr/FreeBSD/strace-nss-wo-ldap.txt

With the strace file with ldap enabled in nsswitch.conf, I see that FreeBSD
tries to search the ldap server, and of course it can't connect because it is
not yet started.

> --
> Dan Nelson
> dnelson@allantgroup.com
>

Regards.
--
There's this old saying: "Give a man a fish, feed him for a day. Teach a man to fish, feed him for life."
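Dan's point about "id -u root" versus "id root", as an added example that is not part of this thread: a small Python model of the "files ldap" order in nsswitch.conf, where a passwd lookup stops at the first source that answers while group enumeration has to consult every source, so a local user's group list still depends on slapd being up. The source contents, user names and the unreachable-LDAP flag are constructed for the demonstration; the model raises an exception where real nss_ldap would sit in its connect timeout.

```python
# Added example, not code from this thread: a toy model of the "files ldap"
# nsswitch.conf order. Users, groups and the LDAP outage are constructed.
class LdapUnreachable(Exception):
    pass  # models nss_ldap stalling because slapd has not started yet

class Source:
    """One nsswitch source ('files' or 'ldap') with its passwd and group data."""
    def __init__(self, name, passwd, groups, reachable=True):
        self.name = name
        self.passwd = passwd        # {user: uid}
        self.groups = groups        # {group: [members]}
        self.reachable = reachable  # False models slapd not yet started

    def _check(self):
        if not self.reachable:
            raise LdapUnreachable(f"{self.name} source unreachable")

    def getpwnam(self, user):
        self._check()
        return self.passwd.get(user)

    def groups_of(self, user):
        self._check()
        return [g for g, members in self.groups.items() if user in members]

def lookup_uid(sources, user):
    """'id -u root': try sources in order; the first hit ends the search."""
    for src in sources:
        uid = src.getpwnam(user)
        if uid is not None:
            return uid, src.name
    raise KeyError(user)

def lookup_groups(sources, user):
    """'id root': consult every source, since a local user may be in an LDAP group."""
    groups = []
    for src in sources:
        groups.extend(src.groups_of(user))
    return groups

def boot_time_lookups(slapd_up):
    """Run both lookups with the LDAP source either started or not."""
    files = Source("files", {"root": 0}, {"wheel": ["root"]})
    ldap = Source("ldap", {"alice": 10001}, {"ldapadmins": ["root", "alice"]}, slapd_up)
    order = [files, ldap]              # passwd/group: files ldap
    uid = lookup_uid(order, "root")    # answered by files; ldap never touched
    try:
        groups = lookup_groups(order, "root")
    except LdapUnreachable:
        groups = None                  # the boot-time stall described above
    return {"id -u": uid, "id": groups}
```

With slapd down the uid lookup still succeeds from files while the group lookup fails, which is exactly why "id -u root" and "id root" behave differently during early boot.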