On Jul 19, 2011, at 4:29 PM, ychen wrote:

> Hi,
> 
> I installed the puppet server on a CentOS 5 box a while back. That box
> is configured to authenticate users based on data stored in our
> OpenLDAP server. Today I rebooted the box and found that puppetmasterd
> wasn't able to start because the LDAP server went down due to a recent
> power outage.
> 
> I checked the configuration settings of the puppet server in
> /etc/puppet folder and didn't find anything that would make the puppet
> server aware of our LDAP server.
> 
> In our logs, I saw the following:
> 2011-07-19T18:07:30-05:00 <daemon.info> puppet puppetmasterd[1292]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
> 2011-07-19T18:07:34-05:00 <daemon.info> puppet puppetmasterd[1292]: nss_ldap: reconnected to LDAP server ldap://ldap.xxxx.com after 2 attempts
> 
> So how can the puppet server be aware of the LDAP server anyway? How
> can I disable it? Thanks.


Probably, Puppet isn't directly aware of your LDAP server.  It is however using
standard NSS lookup system calls which refer to ldap in /etc/nsswitch.conf and
so is trying to reach LDAP for queries on passwd, group, or host lookups (or
one of the other NSS DBs, but those are most common).

You can also reduce the timeouts for how long NSS tries LDAP if puppet is
giving up some system call because it's taking too long.  Or it's not timing out
(well, NSS would be giving up on LDAP; not a timeout of Puppet waiting for
NSS), and it's actually the failure of NSS to reach LDAP that is causing the
issue (like if Puppet is trying to switch to run as a user who is stored in
LDAP).

You should get a redundant LDAP setup as well as monitor whether your 
authentication system is up.  Or keep LDAP off certain critical servers, like 
the LDAP boxes themselves, administrative jump-hosts, or your Puppet server.  
Oh, and don't forget to be running nscd (though that won't help you on system 
boot).

Eric
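
Added example, not part of Eric's message or of Puppet itself: a Python check for the situation described above, reporting which NSS databases in nsswitch.conf list ldap (and in what position) and whether the daemon's account exists in the local passwd file. The file contents below are constructed samples, and the account name puppet is an assumption.

```python
import re

# Constructed sample of /etc/nsswitch.conf on a host that uses nss_ldap.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      ldap [NOTFOUND=return] files
hosts:      files dns
netgroup:   ldap
"""

# Constructed sample of /etc/passwd; the "puppet" account name is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
"""

def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments and [STATUS=action] items are dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        dbs[name.strip()] = rest.split()
    return dbs

def ldap_exposure(text):
    """For each database that lists ldap: 'first' if ldap is the first source,
    'after-local' if another source (such as files) is listed before it."""
    report = {}
    for name, sources in parse_nsswitch(text).items():
        if "ldap" in sources:
            report[name] = "first" if sources[0] == "ldap" else "after-local"
    return report

def resolves_locally(user, passwd_text):
    """True if the account has an entry in the given passwd-format text."""
    return any(l.split(":", 1)[0] == user
               for l in passwd_text.splitlines() if l and not l.startswith("#"))

if __name__ == "__main__":
    for db, position in ldap_exposure(SAMPLE_NSSWITCH).items():
        print(f"{db}: ldap listed ({position})")
    print("puppet account in local passwd:", resolves_locally("puppet", SAMPLE_PASSWD))
```

On a real host, pass the contents of /etc/nsswitch.conf and /etc/passwd in place of the samples.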
