Operating System - HP-UX

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

 
SOLVED
dev44
Regular Advisor

LDAP-UX: First ldap login takes about 5 minutes, others are fine

I have the LDAP-UX client running on my HP-UX 11.31 system. I am able to log in to the various LDAP accounts set up for testing on the AD. The only curious thing is that the first login takes like 5 minutes. All consecutive logins to the same account are immediate. Any ideas why the first would take so long?
whatever
25 REPLIES
Eckle
Occasional Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Hi dev44,

I had the same trouble some days ago on my recent HP-UX 11.31 box...
For me it had to do with the ldapclientd daemon, which was in DEBUG mode... (Disabling it solved my problem)

1. Perhaps check this on your server:
http://www.docs.hp.com/en/J4269-90041/ch04s14.html

2. Are you on the last version of LDAP-UX: 4.20?
(swlist -l product | grep LDAP-UX)

3. You can try to disable the "passwd cache" when starting ldapclientd: /opt/ldapux/bin/ldapclientd -D passwd
Be careful, this is a "one-shot" action... to change it permanently you must change the rc file /sbin/init.d/ldapclientd.rc...

The last thing I can suggest is to tune the ldapclientd process through tusc.

Good Luck.
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

I captured the attached when trying to login to a new account that took 5 minutes. Anyone want to take a crack at it, I would appreciate it.

whatever
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Thanks for the reply Eckle....they are in short supply these days it seems ;)

Anyway, I was in INFO mode...

I think it might have to do with my pam.conf but I am not sure.

I will give you 10 points for your help once I can solve this.

Thanks again...
whatever
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Somebody?
Anybody?????
whatever
Don Mallory
Trusted Contributor
Solution

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Hi dev44,

What does the output look like once you have logged in once? That's neat that it sits for 4 minutes doing nothing from 14:35 to 14:39.

Can you send the output of an sshd -ddd on the server side and ssh -vvv on the client side as well?

You don't happen to have the pwgrd daemon off do you? (password & group caching daemon.) It's not technically required, but works in conjunction with the ldapclientd caching.

Just out of curiosity, your primary ldap server is available, right? You can have up to three ldap servers listed in the ldapuxprofile, but what they don't tell you is that EVERY query goes to the 1st, then the 2nd, then the 3rd, regardless of whether the 1st or 2nd were down on the last request. If you used DNS names, it will also attempt to resolve each one, with a 10 second timeout per DNS request. So, you can see that if your DNS is down, and/or your LDAP server is down, or worse, your primary LDAP server is your DNS server (been there), you could end up with VERY long login times.

Don
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Hi Don, thanks for the reply....

So pwgrd is running, and we only have the one DC listed in the profile.

I will try and get that sshd -ddd and ssh -vvv info for you.

whatever
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

I attached two files... login.slow is the initial login, which takes 5 minutes. The file login.quick represents all subsequent logins.
whatever
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Here is the login.slow file
whatever
Bob Neal-Joslin
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

From the trace, it does appear that LDAP-UX is able to query the directory server quickly. The delay seems to occur after the first searches have completed and before the later ones have started.

I think the recommendation for debug output from sshd is a good idea, to see where it thinks things are hanging up. If it's in PAM, then you can turn on PAM debugging using:

1. Configure syslog:
   save a backup copy of syslog.conf, then
   add this line to /etc/syslog.conf
   *.debug	/var/adm/syslog/syslog.log
   note: this requires tab characters like the other entries

2. Turn on debug in pam module(s):
   save a backup copy of /etc/pam.conf, then
   add "debug" to the end of each entry in /etc/pam.conf; e.g.
   sshd account required /usr/lib/security/libpam_unix.1 debug
   (actually, you could do just the lines you care about)

3. Turn on libpam debug: touch /etc/pam_debug

4. Start syslog daemon: /sbin/init.d/syslogd start

5. Do tests to generate pam syslog debug info in
   /var/adm/syslog/syslog.log

6. Cleanup
   /sbin/init.d/syslogd stop
   rm /etc/pam_debug
   restore /etc/pam.conf and /etc/syslog.conf
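
Once step 5 has produced debug lines, a multi-minute stall shows up as the longest pause between two consecutive sshd lines. The following is an added example, not part of the original post, that finds that pause; the function names and the sample log lines are constructed, and the classic "Mon DD HH:MM:SS host prog[pid]:" syslog layout is assumed.

```shell
#!/bin/sh
# Added example: locate the longest pause between consecutive syslog lines
# written by one program, to see which step of a slow login is stalling.

# Constructed sample input (not real HP-UX output); the message text after
# "prog[pid]:" is a placeholder.
sample_log() {
    cat <<'EOF'
Jun  3 14:35:02 hpux1 sshd[2211]: PAM: constructed line A
Jun  3 14:35:03 hpux1 sshd[2211]: PAM: constructed line B
Jun  3 14:35:03 hpux1 ldapclientd[901]: constructed line from another daemon
Jun  3 14:39:05 hpux1 sshd[2211]: PAM: constructed line C
Jun  3 14:39:06 hpux1 sshd[2211]: PAM: constructed line D
EOF
}

# largest_gap FILE [PROG]
#   FILE may be "-" for standard input; PROG defaults to sshd.
#   Prints three lines: gap in seconds, the line before the pause, and the
#   line after it. Returns non-zero if no line from PROG was found.
largest_gap() {
    awk -v prog="${2:-sshd}" '
    # Seconds since the start of the month; enough to compare nearby lines.
    function secs(day, hms,   t) {
        split(hms, t, ":")
        return day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    # Field 5 is "prog[pid]:"; keep only lines from the wanted program.
    index($5, prog "[") == 1 {
        now = secs($2, $3)
        if (seen) {
            gap = now - prev
            # A negative gap means the month rolled over; skip that pair.
            if (gap > max) { max = gap; before = prevline; after = $0 }
        }
        prev = now; prevline = $0; seen = 1
    }
    END {
        if (!seen) exit 1
        printf "%d\n%s\n%s\n", max, before, after
    }' "${1:--}"
}

# Demo on the constructed sample; on a real system pass the log file instead,
# e.g. largest_gap /var/adm/syslog/syslog.log sshd
sample_log | largest_gap - sshd
```

The two lines it prints bracket the stall, so the module or lookup named in the first of them is the one to look at.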