Status: 91 Mesg: openConnection: simple bind failed errors
807573
Mar 6 2007 — edited Apr 30 2007

I am seeing the following error messages in /var/adm/messages on a number of my Solaris 8 and Solaris 10 clients. However, LDAP users are still able to connect to these clients. I do have a cron job running on the LDAP servers at either 6:00am or 6:30am which does a daily backup of the LDAP database. I don't think this is a problem since I see these errors at all hours of the day.
The Solaris 8 client is running kernel 108528-29 and LDAP patch 108993-65. The LDAP servers are Solaris 10 (kernel 118833-24) and running DS 5.2 update 4.
Contents of /var/adm/messages:
Mar 5 22:01:45 dc1-uat-317.domain.com top[1361]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 22:01:45 dc1-uat-317.domain.com top[1361]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 15:41:10 dc1-uat-317.domain.com cron[3330]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 15:41:10 dc1-uat-317.domain.com cron[3330]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
/usr/lib/ldap/ldap_cachemgr -g shows that the client can connect to the LDAP servers.
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 19409
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2007/03/06 09:34:46
Next refresh time: 2007/03/06 21:34:47
Server information:
Previous refresh time: 2007/03/06 14:14:47
Next refresh time: 2007/03/06 15:34:47
server: dc1-ldap-32.domain.com, status: UP
server: dc2-ldap-33.domain.com, status: UP
server: dc1-ldap-55.domain.com, status: UP
server: dc2-ldap-56.domain.com, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
The permissions under /var/ldap are as follows.
-rw-r--r-- 1 root other 13786 Mar 5 22:01 cachemgr.log
-rw-r--r-- 1 root other 204800 Feb 24 11:05 cert7.db
-rw-r--r-- 1 root other 32768 Feb 24 11:05 key3.db
-r-------- 1 root root 205 Mar 6 09:34 ldap_client_cred
-r-------- 1 root root 1609 Mar 6 09:34 ldap_client_file
-rw-r--r-- 1 root other 32768 May 9 2006 secmod.db
Contents of ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= dc1-ldap-32.domain.com, dc2-ldap-33.domain.com, dc1-ldap-55.domain.com, dc2-ldap-56.domain.com
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= dc1_prod_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=Netgroup,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=domain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=domain,dc=com
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=ou
NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry
NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject
Contents of ldap_client_cred
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecc423aad0fe2349fd13
Here are the contents of pam.conf and nsswitch.conf:
# PAM configuration
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1 use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth requisite pam_authtok_get.so.1
rsh auth required pam_dhkeys.so.1
rsh auth required pam_ldap.so.1 use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1 use_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
#other account required pam_ldap.so.1 use_first_pass
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 nopass
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#other password required pam_ldap.so.1 use_first_pass
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
ppp auth required pam_unix_auth.so.1
nsswitch.conf
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: ldap
sudoers: files ldap
# consult /etc "files" only if ldap is down.
hosts: files
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: ldap [NOTFOUND=return] files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
automount: ldap files
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
sendmailvars: files
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
printers: user files nis nisplus xfn
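A small triage script for the /var/adm/messages lines quoted above, as an added example that is not part of the original post or of Solaris itself. It parses the libsldap lines, maps status 91 to the LDAP C SDK result code LDAP_CONNECT_ERROR, and counts failures per process, per status and per hour of day, so the statement that the errors occur at all hours can be checked against the 6:00 to 6:30 backup window instead of eyeballed. One point worth keeping in mind when reading the output: ldap_cachemgr -g reports server status as seen by the cachemgr daemon, whereas each logged error was raised by libsldap inside the process doing the lookup (top[1361], cron[3330]), so the two can disagree. The year (2007, taken from the post date), the extra sshd sample line and the window bounds are assumptions made for the example.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime, time

# libsldap reports the LDAP C SDK result code. These are the client-side
# codes most often seen behind "openConnection: simple bind failed".
LDAP_STATUS = {
    49: "LDAP_INVALID_CREDENTIALS",
    81: "LDAP_SERVER_DOWN",
    85: "LDAP_TIMEOUT",
    91: "LDAP_CONNECT_ERROR",
}

# Solaris syslog line:
# "Mon DD HH:MM:SS host prog[pid]: [ID nnn fac.sev] libsldap: Status: N Mesg: ..."
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<facsev>\S+)\] libsldap: Status: (?P<status>\d+) "
    r"Mesg: (?P<mesg>.*)$"
)

Event = namedtuple("Event", "ts host prog pid status mesg")

# syslog lines carry no year; 2007 is assumed from the date of the post.
ASSUMED_YEAR = 2007


def parse_messages(text, year=ASSUMED_YEAR):
    """Return one Event per libsldap error line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['hms']} {year}", "%b %d %H:%M:%S %Y")
        events.append(Event(ts, m["host"], m["prog"], int(m["pid"]),
                            int(m["status"]), m["mesg"]))
    return events


def status_name(code):
    """Human-readable SDK name for a libsldap status code."""
    return f"{LDAP_STATUS.get(code, 'UNKNOWN')} ({code})"


def in_window(ts, start=time(6, 0), end=time(6, 30)):
    """True if the event's time of day falls inside the backup window."""
    return start <= ts.time() <= end


def summarize(events, start=time(6, 0), end=time(6, 30)):
    """Aggregate failures by process, status, hour of day and backup window."""
    return {
        "total": len(events),
        # The posted log shows every failure twice with the same timestamp
        # and pid; collapsing identical (timestamp, pid) pairs counts lookups.
        "distinct_lookups": len({(e.ts, e.pid) for e in events}),
        "by_process": Counter(e.prog for e in events),
        "by_status": Counter(status_name(e.status) for e in events),
        "by_hour": Counter(e.ts.hour for e in events),
        "in_backup_window": sum(1 for e in events if in_window(e.ts, start, end)),
    }


# Constructed sample: the four lines quoted in the post plus one invented
# sshd line placed inside the 06:00-06:30 backup window.
SAMPLE_MESSAGES = """\
Mar 5 22:01:45 dc1-uat-317.domain.com top[1361]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 22:01:45 dc1-uat-317.domain.com top[1361]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 15:41:10 dc1-uat-317.domain.com cron[3330]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 5 15:41:10 dc1-uat-317.domain.com cron[3330]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Mar 6 06:12:03 dc1-uat-317.domain.com sshd[4120]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
"""

if __name__ == "__main__":
    summary = summarize(parse_messages(SAMPLE_MESSAGES))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against a real file with `parse_messages(open("/var/adm/messages").read())`; a by_hour histogram concentrated in the backup window would point at the LDAP dump, while one spread across the day (as the poster reports) points at something per-process, such as TLS setup or server selection inside libsldap rather than server availability.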