# slapd startup tries to bind to local LDAP server

## mikecrowe

Hi folks,

This is driving me nuts.  I'm trying to get LDAP up, and can mostly get there.  I've been following http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap3 and some others.  I have gotten to the point where ldap is coming up and seems to be working well.  

However, I'm at the instructions where I'm supposed to change nsswitch.conf to:

 *Quote:*   

> passwd:         files ldap
> 
> group:          files ldap
> 
> shadow:         files ldap

 

If I do this, I get the following in my /var/log/messages:

 *Quote:*   

> Aug  3 20:46:04 fileserver slapd[30006]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
> 
> Aug  3 20:46:04 fileserver slapd[30006]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
> 
> Aug  3 20:46:05 fileserver slapd[30006]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
> ...

 

If I leave the "..ldap" off of the lines in nsswitch.conf, it works fine.  What am I missing here?

Here are the versions I'm using:

 *Quote:*   

> * net-nds/openldap
> 
>      Available versions:  2.1.30-r2 2.1.30-r5 2.1.30-r6 2.1.30-r7 2.2.23-r1 2.2.28-r3 2.2.28-r4 2.3.21 2.3.21-r1 2.3.23 2.3.24-r1 2.3.24-r2
> 
>      Installed:           2.3.24-r2
> ...

 

TIA

Mike

----------

## hifi

hi!

I've got the same problem 

try to add these lines 

```
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 4
```

in /etc/ldap.conf and /etc/openldap/ldap.conf

----------

## miraage

I faced a similar issue when I used LDAP for authentication.

It is caused by some init script trying to do something as a user or a group that's not in your local files auth config (/etc/passwd and /etc/group). So pam asks LDAP to authenticate. At this point in the init cycle, LDAP isn't started yet, so of course nss_ldap times out. 

You might add the missing user/group to your local config. Reducing timeout doesn't really resolve the issue.

----------

## hifi

Hi,

 *miraage wrote:*   

> I faced a similar issue when I used LDAP for authentication.
> 
> It is caused by some init script trying to do something as a user or a group that's not in your local files auth config (/etc/passwd and /etc/group). So pam asks LDAP to authenticate. At this point in the init cycle, LDAP isn't started yet, so of course nss_ldap times out. 
 

That's correct.

 *Quote:*   

> You might add the missing user/group to your local config. Reducing timeout doesn't really resolve the issue.

 

This won't help. The ldap user and group are local. But nss_ldap tries to connect within the user switch.

The lines I posted force nss_ldap not to wait too long and not to do multiple retries (which should be no problem on a LAN, and of course not on a local machine), and so openldap starts again.

c Robert

----------

## frawau

Hi,

When I had that problem, I found the following solution somewhere on the Net

Add

```
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap
```

To /etc/ldap.conf

Problem solved.... for me anyway.

Cheers,

     François

----------

## whitetux

Thank you frawau! I was pulling my hair out with this one. I could tell that slapd couldn't start because NSS was trying to bind to itself to authenticate. A vicious cycle. Anyway, your line solved it.

They need to include that in the Gentoo Linux Documentation: LDAP Authentication. That is for sure going to get a lot of people. To assist searches, I was receiving:

```
slapd nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
slapd nss_ldap: failed to bind to LDAP server ldaps://localhost: Can't contact LDAP server
slapd nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
```

fixed with frawau's comment 

/etc/ldap.conf

```
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap
```

----------

## drescherjm

 *Quote:*   

> nss_initgroups_ignoreusers root,ldap 

 

Looks very promising. I will try that when I get to work...

[EDIT]This appears to have fixed my problem as well.

BTW, There is a little more explanation of the problem here:

http://www.nabble.com/problem-to-startup-slapd-with-nss-enabled-and-local-ldap-server-t2501548.html

[/EDIT]

----------
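The thread describes two ways out of the same loop: hifi's retry tuning (`nss_reconnect_tries 0` and friends) and frawau's `nss_initgroups_ignoreusers root,ldap`. Below is an added shell script, not code from any poster or from the OpenLDAP or nss_ldap projects, that audits a pair of `nsswitch.conf` / `ldap.conf` files and says which situation they are in: group lookups stay local, the slapd runtime user is excluded from LDAP initgroups lookups, the fail-fast retry workaround is in place, or slapd will block on its own socket at start-up. It assumes the slapd runtime user is named `ldap` (the thread's case; pass another name as the third argument) and treats the presence of `nss_reconnect_tries 0` as the marker of the fail-fast workaround; the sample config files it writes to a temp directory are constructed for the demonstration, not copies of any real system's files.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nss_ldap setup for the
# start-up loop described above (slapd drops privileges -> initgroups(ldap)
# -> nss_ldap -> connect to the slapd that is not listening yet).
# File paths and the slapd runtime user are parameters; the default user
# name "ldap" is an assumption.

# Print "ldap" when nsswitch.conf routes the group database through
# nss_ldap, "files" otherwise. Only the group database matters here:
# the loop is triggered by the initgroups() call made while slapd drops
# privileges, and that is a group-membership lookup.
group_backend() {
    if grep -E '^[[:space:]]*group:' "$1" \
        | grep -qE '(^|[[:space:]])ldap([[:space:]]|$)'; then
        echo ldap
    else
        echo files
    fi
}

# Last value of a directive in ldap.conf (empty when unset); a later
# occurrence overrides an earlier one.
ldap_conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# Success when nss_initgroups_ignoreusers lists $2 (comma-separated list).
ignores_user() {
    ldap_conf_value "$1" nss_initgroups_ignoreusers | tr ',' '\n' | grep -qx "$2"
}

# Success when the fail-fast retry tuning from the thread is present.
# (Assumption: nss_reconnect_tries 0 is what makes nss_ldap give up at once.)
fails_fast() {
    [ "$(ldap_conf_value "$1" nss_reconnect_tries)" = 0 ]
}

# Classify one configuration. Args: nsswitch.conf, ldap.conf, slapd user.
audit_slapd_startup() {
    nss=$1; conf=$2; user=${3:-ldap}
    if [ "$(group_backend "$nss")" = files ]; then
        echo OK-LOCAL            # group lookups never reach LDAP
    elif ignores_user "$conf" "$user"; then
        echo OK-IGNOREUSERS      # initgroups for the slapd user skips nss_ldap
    elif fails_fast "$conf"; then
        echo WORKAROUND-FAILFAST # still queries LDAP, but gives up immediately
    else
        echo DEADLOCK            # slapd will wait on its own, unopened socket
    fi
}

# Constructed sample files (not real system config), one per outcome.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n' > "$SAMPLES/nsswitch-ldap.conf"
printf 'passwd: files\ngroup:  files\nshadow: files\n' > "$SAMPLES/nsswitch-files.conf"
printf 'uri ldap://127.0.0.1\nbase dc=example,dc=com\n' > "$SAMPLES/ldap-bare.conf"
printf 'uri ldap://127.0.0.1\nnss_initgroups_ignoreusers root,ldap\n' > "$SAMPLES/ldap-ignore.conf"
printf 'uri ldap://127.0.0.1\nnss_reconnect_tries 0\nnss_reconnect_sleeptime 1\nnss_reconnect_maxconntries 4\n' > "$SAMPLES/ldap-failfast.conf"

# On a real box: audit_slapd_startup /etc/nsswitch.conf /etc/ldap.conf ldap
for conf in ldap-bare ldap-ignore ldap-failfast; do
    echo "nsswitch-ldap + $conf: $(audit_slapd_startup "$SAMPLES/nsswitch-ldap.conf" "$SAMPLES/$conf.conf")"
done
echo "nsswitch-files + ldap-bare: $(audit_slapd_startup "$SAMPLES/nsswitch-files.conf" "$SAMPLES/ldap-bare.conf")"
```

Note that `nss_initgroups_ignoreusers` only has to cover the account slapd switches to, so if your slapd runs as a user other than `ldap` the audit is only meaningful with that name as the third argument; the retry tuning is reported separately because it does not remove the lookup, it just makes it fail quickly.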

