
"Prashanth Sundaram" 09-15-2010 03:26 PM

Debug PTA and PAM-PTA stack for ldap timeout
 
Hello,

We are having some ldap timeout issues in our MMR-SLAVE ldap setup. A
user is unable to ssh to random hosts at random times.

Terminal Error: Permission denied (publickey,gssapi-with-mic,password)
secure logs: pam_ldap: ldap_result Timed out
Failed password for psundaram from 10.1.0.120 port 22039 ssh2


Sifting through the logs tells us the user's password was successfully
authenticated upstream, judging by the dirsrv access log showing err=0. The
clients connecting to the slave incur regular timeouts and the login fails,
but this is not the case with clients connecting to the Master directly.

Setup: Two Masters with MMR, Two Slaves with MMR. The authentication for
clients connecting to the slave ldap server goes to the master via PTA
plugin and then from Master it goes to Windows AD via PAM-PTA.

Client----->Slave--(PTA)-->Master--(PAM-PTA)-->AD(This is where all
passwords are)

I understand we might have a long traversal for the authentication,
but we have set considerably high timeout limits.

/etc/ldap.conf
timelimit 120
bind_timelimit 5
bind_policy hard
idle_timelimit 3600

slave ldap server
nsslapd-idletimeout: 86400
nsbindtimeout: 15
nsslapd-timelimit: 3600

Master ldap server
nsslapd-idletimeout: 7200
nsbindtimeout: 15
nsslapd-timelimit: 3600


Has anybody had a similar issue, or can anyone share some debugging tips?

-Prashanth

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Gerrard Geldenhuis 09-15-2010 04:30 PM

Debug PTA and PAM-PTA stack for ldap timeout
 
Hi Prashanth,
I have not seen similar issues, but I would suggest adding a debug entry in the PAM setup. This gives a lot of extra information.

Also, since you are debugging, disable log caching to enable you to see bind attempts immediately:
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off

There are various other logging options which you can easily enable in the 389-console to increase or decrease logging for specific actions.

Regards


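A worked example of the kind of check the thread is leading towards, added here and not part of either post: once access-log buffering is off, pair each BIND with its RESULT in the slave's access log and flag binds whose server-side etime exceeds the client's 5-second bind_timelimit from /etc/ldap.conf. The log lines are constructed, and the assumption is that bind_timelimit is the client-side bound the slave must answer within.

```python
import re

# Constructed sample of a 389 DS access log (not taken from the thread), with
# logbuffering off so every BIND/RESULT pair is written as it happens. conn=41
# succeeds on the server (err=0) but only after 7 seconds, which is longer than
# the client's bind_timelimit of 5, so pam_ldap has already given up on it.
SAMPLE_ACCESS_LOG = """\
[15/Sep/2010:15:20:01 -0400] conn=41 fd=66 slot=66 connection from 10.1.0.120 to 10.1.0.5
[15/Sep/2010:15:20:01 -0400] conn=41 op=0 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:20:08 -0400] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=7 dn="uid=psundaram,ou=people,dc=example,dc=com"
[15/Sep/2010:15:20:09 -0400] conn=42 op=0 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:20:10 -0400] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="uid=psundaram,ou=people,dc=example,dc=com"
[15/Sep/2010:15:20:11 -0400] conn=43 op=0 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:20:14 -0400] conn=43 op=0 RESULT err=49 tag=97 nentries=0 etime=3
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?etime=(\d+)')


def slow_binds(log_text, client_bind_timelimit):
    """Pair each BIND with its RESULT (keyed on conn/op) and return the binds whose
    server-side elapsed time (etime, whole seconds in this log format) exceeds the
    client's bind_timelimit. A bind that is err=0 here but slower than the client
    limit looks successful on the server yet still fails at the client, which is
    the symptom described in the thread."""
    pending = {}
    slow = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            dn = pending.pop(key, None)
            if dn is None:
                continue  # RESULT for a non-BIND op, or a BIND we never saw
            err, etime = int(m.group(3)), int(m.group(4))
            if etime > client_bind_timelimit:
                slow.append({"conn": key[0], "dn": dn, "err": err, "etime": etime})
    return slow


if __name__ == "__main__":
    for b in slow_binds(SAMPLE_ACCESS_LOG, client_bind_timelimit=5):
        print(f"conn={b['conn']} {b['dn']} err={b['err']} etime={b['etime']}s "
              "exceeds bind_timelimit: server succeeded, client has timed out")
```

Run the same function over the master's access log to see whether the delay is in the slave-to-master PTA hop or further upstream in the PAM-PTA hop to AD.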
