09-15-2010, 03:26 PM
Prashanth Sundaram
Subject: [389-users] Debug PTA and PAM-PTA stack for ldap timeout

Hello,

We are having some ldap timeout issues in our MMR-SLAVE ldap setup. A
user is unable to ssh to random hosts at random times.

Terminal error: Permission denied (publickey,gssapi-with-mic,password)
secure logs:    pam_ldap: ldap_result Timed out
                Failed password for psundaram from 10.1.0.120 port 22039 ssh2


Sifting through the logs shows that the user's password was successfully
authenticated upstream, judging by the dirsrv access log with err=0. The
clients connecting to the slave incur regular timeouts and the login fails,
but it is not the case with clients connecting to the Master directly.

Setup: Two Masters with MMR, Two Slaves with MMR. The authentication for
clients connecting to the slave ldap server goes to the master via PTA
plugin and then from Master it goes to Windows AD via PAM-PTA.

Client----->Slave--(PTA)-->Master--(PAM-PTA)-->AD(This is where all
passwords are)

I understand we might have a long traversal for the authentication,
but we have set considerably high timeout limits.

/etc/ldap.conf
timelimit 120
bind_timelimit 5
bind_policy hard
idle_timelimit 3600

slave ldap server
nsslapd-idletimeout: 86400
nsbindtimeout: 15
nsslapd-timelimit: 3600

Master ldap server
nsslapd-idletimeout: 7200
nsbindtimeout: 15
nsslapd-timelimit: 3600


Anybody had similar issue or can share some debugging tips?

-Prashanth

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
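An added example (written for this archive page; it is not code from the thread, from 389-ds or from pam_ldap) that models the bind-timeout chain the post describes and then checks a master-side 389-ds access log for binds that were answered with err=0 but too slowly for the client to still be waiting. With the values quoted above, the client's pam_ldap bind_timelimit of 5 s is the shortest timeout in the chain, so the 15 s nsbindtimeout on each later hop is effectively capped at 5 s. The access log lines are constructed for the example; etime is assumed to be whole seconds as 389-ds logged it at the time (newer versions log fractions), and the chain order is the one drawn in the post.

```python
"""
Added example, not code from the thread or from 389-ds/pam_ldap: model the
bind-timeout chain client -> slave -> master -> AD and check a 389-ds access
log for binds the master answered with err=0 after the client had already
given up.  Hop timeouts are the ones quoted in the post; the access log
excerpt is constructed, and etime is assumed to be whole seconds.
"""
import re

# (hop, configured bind timeout in seconds) from the post.  pam_ldap's
# bind_timelimit bounds the client's bind to the slave; nsbindtimeout
# bounds each PTA / PAM-PTA hop's bind to the next server.
HOP_TIMEOUTS = [
    ("client -> slave  (pam_ldap bind_timelimit)", 5),
    ("slave  -> master (PTA nsbindtimeout)", 15),
    ("master -> AD     (PAM-PTA nsbindtimeout)", 15),
]

# Constructed 389-ds access log excerpt from the master (assumed data).
# A BIND and its RESULT share conn= and op=; err=0 means the bind succeeded.
ACCESS_LOG = """\
[15/Sep/2010:15:20:01 +0000] conn=1234 op=2 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:20:02 +0000] conn=1234 op=2 RESULT err=0 tag=97 nentries=0 etime=1
[15/Sep/2010:15:25:10 +0000] conn=1301 op=2 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:25:19 +0000] conn=1301 op=2 RESULT err=0 tag=97 nentries=0 etime=9
[15/Sep/2010:15:31:44 +0000] conn=1377 op=2 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:15:31:44 +0000] conn=1377 op=2 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')


def effective_budget(hop_timeouts):
    """For each hop, the seconds it really has before some party closer to
    the client has already given up: min(own timeout, all earlier hops)."""
    budgets, running = [], None
    for name, t in hop_timeouts:
        running = t if running is None else min(running, t)
        budgets.append((name, t, running))
    return budgets


def parse_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op) and return the binds."""
    pending, binds = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, rest = (m['conn'], m['op']), m['rest']
        if rest.startswith('BIND '):
            dn = re.search(r'dn="([^"]*)"', rest)
            pending[key] = {'conn': key[0], 'op': key[1],
                            'dn': dn.group(1) if dn else '',
                            'start': m['ts']}
        elif rest.startswith('RESULT ') and key in pending:
            b = pending.pop(key)
            b['err'] = int(re.search(r'err=(\d+)', rest).group(1))
            b['etime'] = float(re.search(r'etime=([\d.]+)', rest).group(1))
            binds.append(b)
    return binds


def classify(binds, client_budget):
    """Judge each bind from the client's side.  The master's etime is a
    lower bound on what the client waited (the slave hop adds latency on
    top), so etime > client_budget proves the client had already timed out."""
    rows = []
    for b in binds:
        if b['err'] != 0:
            verdict = 'rejected'          # upstream said no, e.g. err=49
        elif b['etime'] > client_budget:
            verdict = 'client_timeout'    # err=0 upstream, but too late
        else:
            verdict = 'within_budget'     # may still have been slow at the slave
        rows.append((b['conn'], b['dn'], b['err'], b['etime'], verdict))
    return rows


if __name__ == '__main__':
    for name, configured, real in effective_budget(HOP_TIMEOUTS):
        print(f'{name}: configured {configured:>2}s, effective {real:>2}s')
    budget = effective_budget(HOP_TIMEOUTS)[-1][2]
    for conn, dn, err, etime, verdict in classify(parse_binds(ACCESS_LOG), budget):
        print(f'conn={conn} err={err} etime={etime:g}s -> {verdict}')
```

Run against a real master access log (with log buffering off so RESULT lines appear promptly), a bind marked client_timeout is exactly the case the post describes: dirsrv records err=0, yet sshd has already logged "Failed password" because pam_ldap stopped waiting at bind_timelimit. Raising nsbindtimeout on the slave or master changes nothing while the client's 5 s is the binding constraint; the first number to revisit is bind_timelimit, keeping in mind that a longer client wait also holds the sshd session open longer during an AD slowdown.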
 
09-15-2010, 04:30 PM
Gerrard Geldenhuis
Subject: Re: [389-users] Debug PTA and PAM-PTA stack for ldap timeout

Hi Prashanth,
I have not seen similar issues, but I would suggest adding a debug entry in the PAM setup. This gives a lot of extra information.

Also, since you are debugging, disable log caching to enable you to see bind attempts immediately:
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off

There are various other logging options which you can easily enable on the 389-console to increase or decrease logging for specific actions.

Regards


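An added example (written for this archive page; not code from the thread or from pam_ldap) for the first half of the reply above: it adds the `debug` argument to every active pam_ldap.so line of a PAM stack file for the duration of the investigation and removes it again afterwards, leaving comments and other modules alone. The stack text is constructed; the default path /etc/pam.d/system-auth is an assumption (RHEL-style layout), and the module may appear with or without a directory prefix.

```python
"""
Added example, not code from the thread or from pam_ldap: toggle the
`debug` argument on the pam_ldap.so lines of a PAM stack, idempotently,
so the extra syslog output can be switched on for an investigation and
off again afterwards.  SAMPLE_STACK is constructed; the default file path
is an assumption.
"""
import re
import shutil
import sys

SAMPLE_STACK = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
#auth       sufficient    pam_ldap.so debug
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so debug
"""

# type   control-or-[bracketed control]   module   args...
PAM_LINE = re.compile(
    r'^(?P<type>\S+)\s+(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$')


def _is_module_line(line, module):
    """Active (uncommented) PAM line that loads `module`, path prefix or not."""
    if line.lstrip().startswith('#'):
        return False
    m = PAM_LINE.match(line)
    return bool(m) and m['module'].rsplit('/', 1)[-1] == module


def _has_debug(line):
    return 'debug' in PAM_LINE.match(line)['args'].split()


def set_debug(text, enable, module='pam_ldap.so'):
    """Return `text` with `debug` present (enable=True) or absent on every
    active line that loads `module`.  Idempotent; other lines unchanged."""
    out = []
    for line in text.splitlines():
        if _is_module_line(line, module):
            if enable and not _has_debug(line):
                line = line.rstrip() + ' debug'
            elif not enable and _has_debug(line):
                line = re.sub(r'\s+debug(?=\s|$)', '', line)
        out.append(line)
    return '\n'.join(out) + ('\n' if text.endswith('\n') else '')


def debug_count(text, module='pam_ldap.so'):
    """How many active `module` lines currently carry `debug`."""
    return sum(1 for line in text.splitlines()
               if _is_module_line(line, module) and _has_debug(line))


if __name__ == '__main__':
    # usage: python pam_debug.py on|off [/etc/pam.d/system-auth]
    enable = sys.argv[1] == 'on'
    path = sys.argv[2] if len(sys.argv) > 2 else '/etc/pam.d/system-auth'
    shutil.copy2(path, path + '.bak')        # keep a copy to diff or restore
    with open(path) as f:
        original = f.read()
    updated = set_debug(original, enable)
    with open(path, 'w') as f:
        f.write(updated)
    print(f'{path}: {debug_count(updated)} active pam_ldap.so line(s) with debug')
```

Run it with `on` on the host that shows the failures, reproduce the ssh login, and read the authpriv log next to the dirsrv access log; then run it with `off`, since the extra output is noisy and the .bak copy lets you confirm with diff that nothing else in the stack changed. The same discipline applies to the LDIF above: nsslapd-accesslog-logbuffering off makes every access log line an immediate write, so set it back to on once the timing data has been collected.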