I'm testing the 389 directory server in our lab environment before
moving it to production and have noticed that occasionally it won't
let me log in. I have to restart the nscd service before it will
authenticate my user. Here's the error in /var/log/secure:

Mar 22 09:59:31 watcher sshd[18109]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.2.3.100 user=scarolan
Mar 22 09:59:31 watcher sshd[18109]: pam_ldap: error trying to bind as
user "uid=scarolan,ou=People, dc=companyname, dc=com" (Invalid
credentials)

Has anyone else experienced something like this? Any idea what causes
it? I want to make sure our LDAP authentication is rock-solid
reliable before moving it into the production environment.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Yes, nscd is both a blessing and a curse...we've found the default settings for it be problematic.
Check your nscd.conf file and `man nscd.conf`. *Pay special attention to these values:


** *paranoia * * * * yes
** *positive-time-to-live * passwd * * *120** *negative-time-to-live * passwd * * *2
** *persistent * * * passwd * * *no
** *positive-time-to-live * group * * * 120** *negative-time-to-live * group * * * 2
** *persistent * * * group * * * no

On Mon, Mar 22, 2010 at 8:01 AM, Sean Carolan <scarolan@gmail.com> wrote:


I'm testing the 389 directory server in our lab environment before

moving it to production and have noticed that occasionally it won't

let me log in. *I have to restart the nscd service before it will

authenticate my user. *Here's the error in /var/log/secure:



Mar 22 09:59:31 watcher sshd[18109]: pam_unix(sshd:auth):

authentication failure; logname= uid=0 euid=0 tty=ssh ruser=

rhost=10.2.3.100 *user=scarolan

Mar 22 09:59:31 watcher sshd[18109]: pam_ldap: error trying to bind as

user "uid=scarolan,ou=People, dc=companyname, dc=com" (Invalid

credentials)



Has anyone else experienced something like this? *Any idea what causes

it? *I want to make sure our LDAP authentication is rock-solid

reliable before moving it into the production environment.

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Hi Sean!

On Mon, 22 Mar 2010, Sean Carolan wrote:

> I'm testing the 389 directory server in our lab environment before
> moving it to production and have noticed that occasionally it won't
> let me log in. I have to restart the nscd service before it will
> authenticate my user. Here's the error in /var/log/secure:
>
> Mar 22 09:59:31 watcher sshd[18109]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.2.3.100 user=scarolan
> Mar 22 09:59:31 watcher sshd[18109]: pam_ldap: error trying to bind as
> user "uid=scarolan,ou=People, dc=companyname, dc=com" (Invalid
> credentials)
>
> Has anyone else experienced something like this? Any idea what causes
> it? I want to make sure our LDAP authentication is rock-solid
> reliable before moving it into the production environment.

What version(s) of nscd are you running?
What OS/Distribution(s) are you running it on?
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

> Hi Sean!
> What version(s) of nscd are you running?
> What OS/Distribution(s) are you running it on?

Hi Patrick:

We're running CentOS 5, with nscd version 2.5-34.el5_3.1

I just set our config to "paranoid yes" to see if that helps.

thanks

Sean
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users