
#1 2018-02-08 19:51:05

hanslovsky
Member
Registered: 2013-11-16
Posts: 13

[SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

Update: astrapi solved this in post #4: https://bbs.archlinux.org/viewtopic.php … 9#p1766659

My workstation gets user information through ldap and nslcd. After a system update, nslcd startup fails (outputs of journalctl and systemctl status nslcd.service):

$ journalctl -xe -u nslcd.service


Feb 08 14:31:39 <hostname> systemd[1]: Starting Naming services LDAP client daemon....
-- Subject: Unit nslcd.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nslcd.service has begun starting up.
Feb 08 14:31:39 <hostname>nslcd[12120]: version 0.9.8 starting
Feb 08 14:31:44 <hostname> nslcd[12120]: accepting connections
Feb 08 14:31:44 <hostname> systemd[1]: nslcd.service: Permission denied while opening PID file or unsafe symlink chain: /var/run/nslcd/nslcd.pid
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Start operation timed out. Terminating.
Feb 08 14:33:09 <hostname> nslcd[12120]: caught signal SIGTERM (15), shutting down
Feb 08 14:33:09 <hostname> nslcd[12120]: version 0.9.8 bailing out
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Failed with result 'timeout'.
Feb 08 14:33:09 <hostname> systemd[1]: Failed to start Naming services LDAP client daemon..
-- Subject: Unit nslcd.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nslcd.service has failed.
-- 
-- The result is RESULT.
$ systemctl status nslcd.service


● nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Thu 2018-02-08 14:33:09 EST; 2min 46s ago
  Process: 12118 ExecStart=/usr/bin/nslcd (code=exited, status=0/SUCCESS)

Feb 08 14:31:39 <hostname> systemd[1]: Starting Naming services LDAP client daemon....
Feb 08 14:31:39 <hostname> nslcd[12120]: version 0.9.8 starting
Feb 08 14:31:44 <hostname> nslcd[12120]: accepting connections
Feb 08 14:31:44 <hostname> systemd[1]: nslcd.service: Permission denied while opening PID file or unsafe symlink chain: /var/run/nslcd/nslcd.pid
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Start operation timed out. Terminating.
Feb 08 14:33:09 <hostname> nslcd[12120]: caught signal SIGTERM (15), shutting down
Feb 08 14:33:09 <hostname> nslcd[12120]: version 0.9.8 bailing out
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Failed with result 'timeout'.
Feb 08 14:33:09 <hostname> systemd[1]: Failed to start Naming services LDAP client daemon..
$ cat nslcd.conf


# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://<uri>

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
base dc=<base>,dc=org

# Map home to "/home/$uid"
map passwd homeDirectory "/home/$uid"

# SSL options
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  member           msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  member           posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map    passwd uid           cn
#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd homeDirectory "/home/$cn"
#map    passwd gecos         displayName
#map    passwd loginShell    "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  gidNumber        gid

I am at a loss here. Before updating the system, nslcd worked without any issues.

Last edited by hanslovsky (2018-02-09 07:06:14)

Offline

#2 2018-02-08 21:18:42

lo1
Member
Registered: 2017-09-25
Posts: 584

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

hanslovsky wrote:

Before updating the system, nslcd worked without any issues.

...then posting your pacman log sounds reasonable, don't you agree?

Offline

#3 2018-02-08 22:30:02

hanslovsky
Member
Registered: 2013-11-16
Posts: 13

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

Fair point. Do you mean /var/log/pacman.log by that? I pasted all log entries of 2018 on pastebin:
https://pastebin.com/ZuBUTtXn

Also, I did notice that, initially, nslcd seems to start up fine (hence I can log in) but then nslcd crashes after some time:

Feb 08 17:19:01 <hostname> nslcd[1042]: [495cff] <group="209"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:01 <hostname> nslcd[1042]: [495cff] <group="209"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:01 <hostname> nslcd[1042]: [68079a] <passwd(all)> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:01 <hostname> nslcd[1042]: [68079a] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [8b4567] <group/member="nslcd"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [8b4567] <group/member="nslcd"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [495cff] <group="209"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [495cff] <group="209"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [68079a] <passwd(all)> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [68079a] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:03 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [6afb66] <group/member="dummy"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [6afb66] <group/member="dummy"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [8b4567] <group/member="nslcd"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [495cff] <group="209"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [e45d32] <group/member="colord"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [e45d32] <group/member="colord"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [68079a] <passwd(all)> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [9b500d] <group/member="sddm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [9b500d] <group/member="sddm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [1bd7b7] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [1bd7b7] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [2dba31] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [2dba31] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:14 <hostname> nslcd[1042]: [83e458] <passwd="hanslovskyp"> connected to LDAP server ldap://<url>
Feb 08 17:20:04 <hostname> nslcd[1042]: [c6c33a] <passwd(all)> (re)loading /etc/nsswitch.conf
Feb 08 17:20:18 <hostname> systemd[1]: nslcd.service: Start operation timed out. Terminating.
Feb 08 17:20:18 <hostname> nslcd[1042]: caught signal SIGTERM (15), shutting down
Feb 08 17:20:18 <hostname> nslcd[1042]: version 0.9.8 bailing out
Feb 08 17:20:18 <hostname> systemd[1]: nslcd.service: Failed with result 'timeout'.
Feb 08 17:20:18 <hostname> systemd[1]: Failed to start Naming services LDAP client daemon..
-- Subject: Unit nslcd.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nslcd.service has failed.
-- 
-- The result is RESULT.

Offline

#4 2018-02-09 06:12:03

astrapi
Member
Registered: 2018-02-09
Posts: 3

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

change the permissions of "/var/run/nslcd" from "nslcd:nslcd" to "root:root"

Offline

#5 2018-02-09 07:04:18

hanslovsky
Member
Registered: 2013-11-16
Posts: 13

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

astrapi wrote:

change the permissions of "/var/run/nslcd" from "nslcd:nslcd" to "root:root"

Great, that did the trick! Thanks a lot!

Offline

#6 2018-02-09 17:05:21

danitetus
Member
From: Spain
Registered: 2018-02-09
Posts: 2

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

astrapi wrote:

change the permissions of "/var/run/nslcd" from "nslcd:nslcd" to "root:root"

That did the trick for me too, but on the next boot the permissions of "/var/run/nslcd" are set to "nslcd:nslcd".

Offline

#7 2018-02-09 19:19:34

astrapi
Member
Registered: 2018-02-09
Posts: 3

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

add ExecStartPre=/bin/chown -R root:root /var/run/nslcd to /lib/systemd/system/nslcd.service

[Unit]
Description=Naming services LDAP client daemon.
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid
ExecStartPre=/bin/chown -R root:root /var/run/nslcd
ExecStart=/usr/bin/nslcd

[Install]
WantedBy=multi-user.target

Offline

#8 2018-02-09 19:21:58

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

Completely the wrong way to do that. Use systemd-tmpfiles or wait for the systemd fix.

Offline

#9 2018-02-09 19:32:43

astrapi
Member
Registered: 2018-02-09
Posts: 3

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

please describe the right way

Offline

#10 2018-02-09 19:34:16

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

I already did: use systemd-tmpfiles or wait for the systemd fix.

Offline

#11 2018-02-09 22:01:07

danitetus
Member
From: Spain
Registered: 2018-02-09
Posts: 2

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

I've solved it by adding "User=nslcd" in /etc/systemd/system/nslcd.service

[Unit]
Description=Naming services LDAP client daemon.
After=syslog.target network.target

[Service]
User=nslcd
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid
ExecStart=/usr/bin/nslcd

[Install]
WantedBy=multi-user.target

I know that this is not the best solution, but I don't know how to use systemd-tmpfiles

Offline
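
Added example, not part of the thread and not systemd's own code: a simplified shell model of the ownership check behind the "unsafe symlink chain" message, plus the tmpfiles.d line that would make the root:root ownership from post #4 persist across boots, as post #8 suggests. Assumptions: the rule modelled here (a step is refused when a directory not owned by root contains an entry with a different owner) is a reading of the log message and of the two workarounds reported to work above; the function names are hypothetical; GNU or busybox `stat` is available.

```sh
#!/bin/sh
# Simplified model of the PID-file path check (assumption, see lead-in).

# unsafe_transition PARENT_UID CHILD_UID: exit status 0 if the step is unsafe.
# Leaving a root-owned directory is always accepted; otherwise the owner
# must stay the same.
unsafe_transition() {
    [ "$1" -ne 0 ] && [ "$1" -ne "$2" ]
}

# audit_pidfile_path PATH: print every unsafe step on the way to PATH as
# "parent child", one per line. Exit status 1 if any step was unsafe.
audit_pidfile_path() {
    parent=/ rest=${1#/} found=0
    while [ -n "$rest" ]; do
        child=${parent%/}/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -e "$child" ] || break            # PID file not written yet
        p_uid=$(stat -L -c %u "$parent")    # -L: judge the symlink target
        c_uid=$(stat -L -c %u "$child")
        if unsafe_transition "$p_uid" "$c_uid"; then
            echo "$parent $child"
            found=1
        fi
        parent=$child
    done
    return "$found"
}

# tmpfiles_line DIR: tmpfiles.d entry that recreates DIR as root:root at boot.
tmpfiles_line() {
    printf 'd %s 0755 root root -\n' "$1"
}

# suggest_fix PATH: one tmpfiles.d line per directory causing an unsafe step.
# (Paths containing spaces are not handled in this sketch.)
suggest_fix() {
    audit_pidfile_path "$1" | while read -r dir entry; do
        tmpfiles_line "$dir"
    done
}
```

For the thread's case, `tmpfiles_line /run/nslcd` prints the entry to place in a file such as /etc/tmpfiles.d/nslcd.conf (assumed name; a file there overrides a packaged file of the same name in /usr/lib/tmpfiles.d), applied with `systemd-tmpfiles --create /etc/tmpfiles.d/nslcd.conf`.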

#12 2018-02-09 22:44:12

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: [SOLVED] nslcd: Permission to /var/run/nslcd/nslcd.pid denied

The fix for most of these should already be in the systemd package in testing. Probably won't be long before it hits core

Offline
