#582 Error nscd: nss_ldap: could not search LDAP server - Server is unavailable
Closed: Invalid None by morpheus79. Opened 5 years ago by morpheus79.

Hello,

Sometimes we receive the following error from the hosts using LDAP as the account authentication system:

nscd: nss_ldap: could not search LDAP server - Server is unavailable

And we can't connect to the host with ssh. After 5 minutes of attempts the login is permitted (it seems to be a time-based race condition).

The LDAP server is configured as:

  • Multimaster (master with replication to a secondary)
  • LDAP configured to use the protocol encrypted with SSL on port 636
  • Host clients using LDAP authentication: Red Hat Enterprise 4, 5, 6

I can attach other logs if needed.

[root@clientldap @local ~]# tail -f /var/log/messages
Feb 11 20:11:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 20:21:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 20:31:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 20:41:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 20:51:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 21:01:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 21:11:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 21:21:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 21:31:07 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 11 21:39:51 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable


What is going on with the directory server at this time? e.g. at the time of
Feb 11 21:39:51 clientldap nscd: nss_ldap: could not search LDAP server - Server is unavailable

Is the directory server down? Unreachable due to network issues? The directory server log files are in /var/log/dirsrv/slapd-INST - access and errors

Please provide more info

Hi,
thanks for your answer; I have attached the access logs.
For the error logs, I'm investigating, due to the fact that they are not present in the system.

Thanks.

In any case, we have no evidence of network outage or server problems when the condition occurs.

Below is some information related to the LDAP server:

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)

rpm -qa | grep -i 389-ds
389-ds-base-1.2.10.2-15.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-base-libs-1.2.10.2-15.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch

Hello, I looked into the extract_access.log you shared with us and noticed you constantly use the simple paged result search.
[11/Feb/2013:21:39:06 +0100] conn=11923 op=2 SRCH base="dc=domain,dc=local" scope=2 filter="(&(objectClass=posixGroup)(memberUid=naxos))" attrs="gidNumber"
[11/Feb/2013:21:39:06 +0100] conn=11923 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[11/Feb/2013:21:39:06 +0100] conn=11923 op=-1 fd=70 closed - B1

And sometimes the connection is left open and closed by the server since it hits the idle timeout. (Note: T1 means SLAPD_DISCONNECT_IDLE_TIMEOUT).
[11/Feb/2013:21:39:13 +0100] conn=11898 op=-1 fd=68 closed error 11 (Resource temporarily unavailable) - T1
[11/Feb/2013:21:39:30 +0100] conn=11912 op=-1 fd=66 closed error 11 (Resource temporarily unavailable) - T1

Could it be possible to check the connection counts when the symptom "Server is unavailable" occurs next time?
$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <password> -b "cn=monitor" "(cn=*)" | egrep connections
currentconnections: 4
totalconnections: 19
connections: 34
connectionseq: 19
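
An added example, not part of the original ticket or of the 389 Directory Server code: a Python script that tallies connection close codes and `notes=` flags from access-log lines in the format quoted above, and lists the connections the server closed shortly before a client-side error. Function names are hypothetical, only the meaning of T1 is taken from this thread, and the client syslog time is assumed to share the server's +0100 offset and year.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Access-log lines quoted in this thread, embedded so the script runs offline.
SAMPLE_LOG = '''\
[11/Feb/2013:21:39:06 +0100] conn=11923 op=2 SRCH base="dc=domain,dc=local" scope=2 filter="(&(objectClass=posixGroup)(memberUid=naxos))" attrs="gidNumber"
[11/Feb/2013:21:39:06 +0100] conn=11923 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[11/Feb/2013:21:39:06 +0100] conn=11923 op=-1 fd=70 closed - B1
[11/Feb/2013:21:39:13 +0100] conn=11898 op=-1 fd=68 closed error 11 (Resource temporarily unavailable) - T1
[11/Feb/2013:21:39:30 +0100] conn=11912 op=-1 fd=66 closed error 11 (Resource temporarily unavailable) - T1
'''
TS_FORMAT = '%d/%b/%Y:%H:%M:%S %z'
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
CLOSED = re.compile(r'\bclosed\b.* - (?P<code>[A-Z]\d+)$')
NOTES = re.compile(r'\bnotes=(?P<notes>\S+)')

def parse(text):
    """Yield (timestamp, conn, kind, value) for close lines and RESULT lines with notes."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(m['ts'], TS_FORMAT)
        closed = CLOSED.search(m['rest'])
        if closed:
            yield ts, int(m['conn']), 'closed', closed['code']
        elif m['rest'].startswith('RESULT') and (n := NOTES.search(m['rest'])):
            yield ts, int(m['conn']), 'notes', n['notes']

def summarize(text):
    """Count close codes and notes flags; list connections closed with T1 (idle timeout)."""
    events = list(parse(text))
    return {
        'close_codes': Counter(v for _, _, k, v in events if k == 'closed'),
        'notes': Counter(v for _, _, k, v in events if k == 'notes'),
        'idle_timeout_conns': [c for _, c, k, v in events if k == 'closed' and v == 'T1'],
    }

def closes_before(text, client_error_time, window_seconds):
    """Return (conn, code) pairs closed within window_seconds before a client-side error."""
    start = client_error_time - timedelta(seconds=window_seconds)
    return [(c, v) for ts, c, k, v in parse(text)
            if k == 'closed' and start <= ts <= client_error_time]

if __name__ == '__main__':
    # Assumption: the client's syslog clock uses the server's +0100 offset and year 2013.
    err = datetime.strptime('11/Feb/2013:21:39:51 +0100', TS_FORMAT)
    print(summarize(SAMPLE_LOG), closes_before(SAMPLE_LOG, err, 30))
```
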

Have you had a chance to check for what was asked in comment #5 above?

Closing this ticket. Please reopen if there is still an issue and you have more information to provide.

Metadata Update from @nhosoi:
- Issue set to the milestone: N/A

2 years ago
