I have not seen similar issues but I would suggest adding a debug entry in PAM setup. This
gives a lot of extra information.
Also, since you are debugging, disable log caching to enable you to see bind attempts.
There are various other logging options which you can easily enable on the 389-console to
increase or decrease logging for specific actions.
From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-bounces(a)lists.fedoraproject.org] On Behalf Of Prashanth Sundaram
Sent: 15 September 2010 16:27
Subject: [389-users] Debug PTA and PAM-PTA stack for ldap timeout
We are having some ldap timeout issues in our MMR-SLAVE ldap setup. A
user is unable to ssh to random hosts at random times.
Terminal Error: Permission denied (publickey,gssapi-with-mic,password)
secure logs: pam_ldap: ldap_result Timed out
Failed password for psundaram from 10.1.0.120 port 22039
Sifting through the logs tells us the user's password was successfully
authenticated upstream, by looking at the dirsrv access log with err=0. The
clients connecting to the slave incur regular timeouts and the login fails,
but that is not the case with clients connecting to the Master directly.
Setup: Two Masters with MMR, Two Slaves with MMR. The authentication
clients connecting to the slave ldap server go to the master via the PTA
plugin, and then from the Master it goes to Windows AD via PAM-PTA.
Client----->Slave--(PTA)-->Master--(PAM-PTA)-->AD(This is where all
I understand we might have a long traversal for the
but we have set considerably high timeout limits.
slave ldap server
Master ldap server
Anybody had similar issue or can share some debugging tips?
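One way to check a dirsrv access log for binds that return err=0 only after the client has stopped waiting, or that never get a RESULT at all. This is an added example, not something posted in the thread. The log lines, DNs and server address are constructed, and the 30-second client timeout is an assumption to replace with the value configured for pam_ldap.

```python
import re

# Constructed sample in the 389 Directory Server access-log format (not from the thread).
SAMPLE_LOG = '''\
[15/Sep/2010:16:20:01 +0100] conn=41 fd=64 slot=64 connection from 10.1.0.120 to 10.1.0.5
[15/Sep/2010:16:20:01 +0100] conn=41 op=0 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:16:20:02 +0100] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="uid=psundaram,ou=people,dc=example,dc=com"
[15/Sep/2010:16:25:10 +0100] conn=57 op=0 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2010:16:25:45 +0100] conn=57 op=0 RESULT err=0 tag=97 nentries=0 etime=35 dn="uid=psundaram,ou=people,dc=example,dc=com"
[15/Sep/2010:16:26:00 +0100] conn=60 op=0 BIND dn="uid=psundaram,ou=People,dc=example,dc=com" method=128 version=3
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                  r'(?P<kind>BIND|RESULT) (?P<rest>.*)$')
DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(-?\d+)')
ETIME = re.compile(r'\betime=(\d+(?:\.\d+)?)')


def slow_binds(log_text, client_timeout=30.0):
    """Return binds whose RESULT took client_timeout seconds or longer,
    plus binds that have no RESULT in this log excerpt."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection open/close lines and other record types
        key = (int(m['conn']), int(m['op']))
        if m['kind'] == 'BIND':
            dn = DN.search(m['rest'])
            pending[key] = (m['ts'], dn.group(1) if dn else '')
        elif key in pending:  # RESULT that belongs to a BIND seen earlier
            started, dn = pending.pop(key)
            err, etime = ERR.search(m['rest']), ETIME.search(m['rest'])
            if err and etime and float(etime.group(1)) >= client_timeout:
                findings.append({'conn': key[0], 'dn': dn, 'started': started,
                                 'err': int(err.group(1)),
                                 'etime': float(etime.group(1))})
    # Binds still waiting for a RESULT (for example stuck in the upstream chain)
    for (conn, _op), (started, dn) in pending.items():
        findings.append({'conn': conn, 'dn': dn, 'started': started,
                         'err': None, 'etime': None})
    return findings


if __name__ == '__main__':
    for finding in slow_binds(SAMPLE_LOG):
        print(finding)
```

Running the same check against the slave and the master logs for the same time window shows which hop in the Client, Slave, Master, AD chain accounts for the elapsed time.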