Status: 91 Mesg: openConnection: simple bind failed errors

I am seeing the following error messages in /var/adm/messages on a number of my Solaris 8 and Solaris 10 clients. However, LDAP users are still able to connect to these clients. I do have a cron job running on the LDAP servers at either 6:00am or 6:30am which does a daily backup of the LDAP database. I don't think this is a problem since I see these errors at all hours of the day.

The Solaris 8 client is running kernel 108528-29 and LDAP patch 108993-65. The LDAP servers are Solaris 10 (kernel 118833-24) running DS 5.2 update 4.

contents of /var/adm/messages

Mar 5 22:01:45 dc1-uat-317.domain.com top[1361]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 22:01:45 dc1-uat-317.domain.com top[1361]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 15:41:10 dc1-uat-317.domain.com cron[3330]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 15:41:10 dc1-uat-317.domain.com cron[3330]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server

/usr/lib/ldap/ldap_cachemgr -g shows that the client can connect to the LDAP servers.

cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 19409

cachemgr cache data statistics:
Configuration refresh information:
  Previous refresh time: 2007/03/06 09:34:46
  Next refresh time:     2007/03/06 21:34:47
Server information:
  Previous refresh time: 2007/03/06 14:14:47
  Next refresh time:     2007/03/06 15:34:47
  server: dc1-ldap-32.domain.com, status: UP
  server: dc2-ldap-33.domain.com, status: UP
  server: dc1-ldap-55.domain.com, status: UP
  server: dc2-ldap-56.domain.com, status: UP
Cache data information:
  Maximum cache entries:   256
  Number of cache entries: 0

The permissions under /var/ldap are as follows.

-rw-r--r--   1 root     other      13786 Mar  5 22:01 cachemgr.log
-rw-r--r--   1 root     other     204800 Feb 24 11:05 cert7.db
-rw-r--r--   1 root     other      32768 Feb 24 11:05 key3.db
-r--         1 root     root         205 Mar  6 09:34 ldap_client_cred
-r--         1 root     root        1609 Mar  6 09:34 ldap_client_file
-rw-r--r--   1 root     other      32768 May  9  2006 secmod.db

Contents of ldap_client_file

#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= dc1-ldap-32.domain.com, dc2-ldap-33.domain.com, dc1-ldap-55.domain.com, dc2-ldap-56.domain.com
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= dc1_prod_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=Netgroup,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=domain,dc=com
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=ou
NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry
NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject

Contents of ldap_client_cred

#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecc423aad0fe2349fd13

Here are the contents of pam.conf and nsswitch.conf.

# PAM configuration
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1 use_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth binding            pam_unix_auth.so.1 server_policy
rsh     auth requisite          pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth required           pam_ldap.so.1 use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth binding            pam_unix_auth.so.1 server_policy
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1 use_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
#other  account required        pam_ldap.so.1 use_first_pass
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1 nopass
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1 server_policy
#other  password required       pam_ldap.so.1 use_first_pass
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional           pam_krb5.so.1 try_first_pass
#login  auth optional           pam_krb5.so.1 try_first_pass
#other  auth optional           pam_krb5.so.1 try_first_pass
#cron   account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional       pam_krb5.so.1 try_first_pass
ppp     auth required           pam_unix_auth.so.1

nsswitch.conf

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

netgroup:   ldap
sudoers:    files ldap

# consult /etc "files" only if ldap is down.
hosts:      files
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:   ldap [NOTFOUND=return] files

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files

automount:  ldap files
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap
sendmailvars:   files

auth_attr:  files ldap
prof_attr:  files ldap
project:    files ldap

printers:   user files nis nisplus xfn

[9688 byte] By [sniperboy14a] at [2007-11-26 20:39:54]
# 1

The error 91 is an ldap library error that indicates that the TCP connection could not be established from the client to the server.

You may want to check the TCP settings of the Server machine and the configuration of the Directory Server itself to see if there are not some settings that are too low. Typically, TCP request queue length, max number of file descriptors.

You may also want to monitor the Directory Server to check what is the average number of pending requests, compared to the number of requests being processed.

Regards,

Ludovic.

ludovicpa at 2007-7-10 1:57:10
# 2

"You may want to check the TCP settings of the Server machine and the configuration of the Directory Server itself to see if there are not some settings that are too low. Typically, TCP request queue length, max number of file descriptors."

Is there any way to figure out what are the optimal settings?

sniperboy14a at 2007-7-10 1:57:10
# 3
Run idsktune on the machine. You may also want to check the Directory Server Tuning Guide.

Regards,

Ludovic

ludovicpa at 2007-7-10 1:57:10
# 4
I ran idsktune on the servers when I initially built the boxes but I will check the Tuning Guide. Thanks!
sniperboy14a at 2007-7-10 1:57:10
# 5

Hi,

Could you resolve the problem with idsktune?

I had the same error message. For me there was a problem with the tls connection. First I was using the IP address of the ldap server, but in my certificate the hostname was used. When I used the ldap server hostname with ldapclient command, nothing worked, even though the hostname was in /etc/hosts. I found out that I had to put the name also in /etc/inet/ipnodes. Also I changed the hosts and ipnodes line in /etc/nsswitch.conf to "files dns ldap".

Once the hostname could be resolved, the error was gone.

DavidSchulza at 2007-7-10 1:57:11
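Added example, not from the thread or from Sun: the thread turns on two checks a client administrator can script, counting which processes log the libsldap Status 91 line (the messages format quoted in the question) and auditing NS_LDAP_SERVERS from ldap_client_file for the two conditions DavidSchulza describes, a server given as an IP literal while NS_LDAP_AUTH is tls (so it cannot match the certificate hostname) or a hostname that does not resolve. The client-file sample is constructed, and the resolver is injectable so the audit can be run offline against a stand-in.

```python
import ipaddress
import re
import socket
# Shape of the libsldap lines quoted from /var/adm/messages in the thread.
SLDAP_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<proc>[^\[]+)\[\d+\]: "
                      r"\[ID \d+ \S+\] libsldap: Status: (?P<status>\d+) Mesg: ")

def count_status91_by_process(lines):
    # {process: count} of "Status: 91" bind failures, to see which callers hit it
    counts = {}
    for line in lines:
        m = SLDAP_RE.match(line)
        if m and m.group("status") == "91":
            counts[m.group("proc")] = counts.get(m.group("proc"), 0) + 1
    return counts

def parse_client_file(text):
    # {key: [values]} from an ldap_client_file; some keys (SEARCH_DESC) repeat
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(key, []).append(value)
    return conf

def audit_servers(conf, resolve=socket.gethostbyname):
    # Flag "ip-literal-with-tls" (IP cannot match a cert hostname) and/or "unresolvable"
    tls = any(v.startswith("tls:") for v in conf.get("NS_LDAP_AUTH", []))
    servers = [h.strip() for v in conf.get("NS_LDAP_SERVERS", [])
               for h in v.split(",") if h.strip()]
    findings = {}
    for host in servers:
        problems = []
        try:
            ipaddress.ip_address(host)
            if tls:
                problems.append("ip-literal-with-tls")
        except ValueError:  # not an IP literal, so the name has to resolve
            try:
                resolve(host)
            except OSError:
                problems.append("unresolvable")
        findings[host] = problems
    return findings

# Constructed sample in the thread's file format (not a real client file).
SAMPLE_CLIENT_FILE = """NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= dc1-ldap-32.domain.com, 192.0.2.33
NS_LDAP_AUTH= tls:simple
"""
```

A hostname that resolves for this script but not for libsldap usually means the "hosts:" and "ipnodes:" sources in nsswitch.conf differ from what the script's resolver used, which is the /etc/inet/ipnodes case in the last post.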