
Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Don Mallory
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

There appears to be nothing from the sshd -ddd, and both files look identical.

Were you able to do an ssh -vvv from the client perspective?

Do you have glance (OV Perf tools) installed? Can you pull it up, find the process and select it (g to list all processes, s to select one in particular)? It should be able to tell you what the process state is.
Don Mallory
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Is there a reason that the home dir for the user is missing on the destination? If you have /etc/defaults/security set with "ABORT_LOGIN_ON_MISSING_HOMEDIR=1", the user would not be allowed to log in. This is a highly recommended security practice.


dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Hi Don,

It happens with or without a home directory. I tried it both ways.
whatever
Don Mallory
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Hi dev44,

I just meant that it seemed odd not to have a home dir. From a security perspective, it is highly recommended to have a home dir for each user, and to disallow logins for users for whom it does not exist.

This type of thing doesn't tend to slow logins, it tends to prevent them entirely.

I think the ssh -vvv from the client and, as recommended by Bob, pam debug logging on the ssh items is the next step.

Don
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Oh, I see...sorry Don.
These are only test users, so we don't bother with the home directory because once it logs in the once, then it is fine. So another account has to be created for further testing. I will continue with the recommendations. Thanks
whatever
Don Mallory
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Just so I'm sure I read that correctly, the first time >EVER< the account logs in, it's slow, anytime after, no matter length of time, it logs in fine.

Does a reboot, or restart of sshd, ldapclientd, pwgrd or anything else seem to have an impact?
Don Mallory
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Can you enable event logging on the DC you are getting your LDAP from and review it from that perspective as well?
Steven E. Protter
Exalted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Shalom,

I have now reached the conclusion that there is no problem with this system.

There probably is a patch for the server that will make this perform better, but a lot of things get checked for first time login and it might be best just to ignore the problem or look for an update for the LDAP server.

Do the basics such as make sure network traffic is flowing freely.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
dev44
Regular Advisor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Sorry Don, I wasn't in yesterday.

Anyway, the AD folks watched it come in from their end and it came in for a second. So it seems to be on the HP end.

I know an initial login will take a little more time but 5 minutes is unacceptable. If there were network problems, they would show in subsequent logins. There are no network problems.
whatever
Don Mallory
Trusted Contributor

Re: LDAP-UX: First ldap login takes about 5 minutes, others are fine

Hi dev44,

No problem. So we need the PAM debug log (just add " debug" to the end of every pam line in your /etc/pam.conf; in /etc/syslog.conf, add a *.debug entry to an output file (don't forget that the whitespace must be a TAB), touch the file, then kill -HUP your syslogd).

And we also need the ssh -vvv from the client.

Is the response the same for login methods other than ssh (can you temporarily turn on telnet, for example)? Does restarting pwgrd, ldapclientd, sshd, or rebooting the host have an impact on previously working users?

Don
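
The PAM debug steps from the post above, as an added example that is not part of the original thread: the two functions apply the edits to whatever pam.conf-format and syslog.conf-format files they are given, keep a backup so the debug option can be removed after the test, and create the log file readable only by its owner. The sample file contents and the log file name are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Works on any pam.conf/syslog.conf-format file.

# Append " debug" to every active pam.conf entry; comments, blank lines and
# entries that already carry the option are left unchanged.
pam_add_debug() {
    src=$1
    # Keep the original once, so the option can be backed out after the test.
    [ -f "$src.predebug" ] || cp -p "$src" "$src.predebug" || return 1
    awk '
        /^[ \t]*(#|$)/        { print; next }
        /[ \t]debug([ \t]|$)/ { print; next }
        { sub(/[ \t]+$/, ""); print $0 " debug" }
    ' "$src" > "$src.tmp" && cat "$src.tmp" > "$src" && rm -f "$src.tmp"
}

# Add "*.debug<TAB>logfile" to syslog.conf and create the log file first
# (mode 0600, since PAM debug output names the accounts that log in).
syslog_add_debug() {
    conf=$1 log=$2
    ( umask 077; : >> "$log" ) || return 1
    # Nothing to do if this exact selector/target pair is already present.
    awk -v l="$log" '$1 == "*.debug" && $2 == l { f = 1 } END { exit !f }' "$conf" && return 0
    printf '*.debug\t%s\n' "$log" >> "$conf"
}

# Constructed sample files in a temp directory, so the example runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample entries' \
        'sshd auth required libpam_hpsec.so.1' \
        'sshd auth sufficient libpam_ldap.so.1 debug' \
        'sshd account required libpam_unix.so.1' > "$d/pam.conf"
    printf 'mail.debug\t/var/adm/syslog/mail.log\n' > "$d/syslog.conf"
    pam_add_debug "$d/pam.conf" && syslog_add_debug "$d/syslog.conf" "$d/pam_debug.log"
    echo "$d"
}

demo
# On the host itself (file paths per the post; the log file name is an assumption):
#   pam_add_debug /etc/pam.conf
#   syslog_add_debug /etc/syslog.conf /var/adm/syslog/pam_debug.log
#   then kill -HUP syslogd, as the post says
```

Restoring `/etc/pam.conf.predebug` over `/etc/pam.conf` once the slow login has been captured turns the extra logging back off.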