Update: astrapi solved this in post #4: https://bbs.archlinux.org/viewtopic.php … 9#p1766659
My workstation gets user information through ldap and nslcd. After a system update, nslcd startup fails (outputs of journalctl and systemctl status nslcd.service):
$ journalctl -xe -u nslcd.service
Feb 08 14:31:39 <hostname> systemd[1]: Starting Naming services LDAP client daemon....
-- Subject: Unit nslcd.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nslcd.service has begun starting up.
Feb 08 14:31:39 <hostname> nslcd[12120]: version 0.9.8 starting
Feb 08 14:31:44 <hostname> nslcd[12120]: accepting connections
Feb 08 14:31:44 <hostname> systemd[1]: nslcd.service: Permission denied while opening PID file or unsafe symlink chain: /var/run/nslcd/nslcd.pid
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Start operation timed out. Terminating.
Feb 08 14:33:09 <hostname> nslcd[12120]: caught signal SIGTERM (15), shutting down
Feb 08 14:33:09 <hostname> nslcd[12120]: version 0.9.8 bailing out
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Failed with result 'timeout'.
Feb 08 14:33:09 <hostname> systemd[1]: Failed to start Naming services LDAP client daemon..
-- Subject: Unit nslcd.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nslcd.service has failed.
--
-- The result is RESULT.
$ systemctl status nslcd.service
● nslcd.service - Naming services LDAP client daemon.
Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
Active: failed (Result: timeout) since Thu 2018-02-08 14:33:09 EST; 2min 46s ago
Process: 12118 ExecStart=/usr/bin/nslcd (code=exited, status=0/SUCCESS)
Feb 08 14:31:39 <hostname> systemd[1]: Starting Naming services LDAP client daemon....
Feb 08 14:31:39 <hostname> nslcd[12120]: version 0.9.8 starting
Feb 08 14:31:44 <hostname> nslcd[12120]: accepting connections
Feb 08 14:31:44 <hostname> systemd[1]: nslcd.service: Permission denied while opening PID file or unsafe symlink chain: /var/run/nslcd/nslcd.pid
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Start operation timed out. Terminating.
Feb 08 14:33:09 <hostname> nslcd[12120]: caught signal SIGTERM (15), shutting down
Feb 08 14:33:09 <hostname> nslcd[12120]: version 0.9.8 bailing out
Feb 08 14:33:09 <hostname> systemd[1]: nslcd.service: Failed with result 'timeout'.
Feb 08 14:33:09 <hostname> systemd[1]: Failed to start Naming services LDAP client daemon..
$ cat nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://<uri>
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=<base>,dc=org
# Map home to "/home/$uid"
map passwd homeDirectory "/home/$uid"
# SSL options
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
I am at a loss here. Before updating the system, nslcd worked without any issues.
Last edited by hanslovsky (2018-02-09 07:06:14)
Offline
Before updating the system, nslcd worked without any issues.
...then posting your pacman log sounds reasonable, don't you agree?
Offline
Fair point. Do you mean /var/log/pacman.log by that? I pasted all log entries of 2018 on pastebin:
https://pastebin.com/ZuBUTtXn
Also, I did notice that, initially, nslcd seems to start up fine (hence I can log in) but then nslcd crashes after some time:
Feb 08 17:19:01 <hostname> nslcd[1042]: [495cff] <group="209"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:01 <hostname> nslcd[1042]: [495cff] <group="209"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:01 <hostname> nslcd[1042]: [68079a] <passwd(all)> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:01 <hostname> nslcd[1042]: [68079a] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [8b4567] <group/member="nslcd"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [8b4567] <group/member="nslcd"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [495cff] <group="209"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [495cff] <group="209"> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:02 <hostname> nslcd[1042]: [68079a] <passwd(all)> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:02 <hostname> nslcd[1042]: [68079a] <passwd(all)> no available LDAP server found, sleeping 1 seconds
Feb 08 17:19:03 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> failed to bind to LDAP server ldap://<url>: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [b0dc51] <passwd="hanslovskyp"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [6afb66] <group/member="dummy"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [6afb66] <group/member="dummy"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [8b4567] <group/member="nslcd"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [495cff] <group="209"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [e45d32] <group/member="colord"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [e45d32] <group/member="colord"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:03 <hostname> nslcd[1042]: [68079a] <passwd(all)> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [9b500d] <group/member="sddm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [9b500d] <group/member="sddm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [1bd7b7] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [1bd7b7] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [2dba31] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:04 <hostname> nslcd[1042]: [2dba31] <group/member="cups"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Feb 08 17:19:14 <hostname> nslcd[1042]: [83e458] <passwd="hanslovskyp"> connected to LDAP server ldap://<url>
Feb 08 17:20:04 <hostname> nslcd[1042]: [c6c33a] <passwd(all)> (re)loading /etc/nsswitch.conf
Feb 08 17:20:18 <hostname> systemd[1]: nslcd.service: Start operation timed out. Terminating.
Feb 08 17:20:18 <hostname> nslcd[1042]: caught signal SIGTERM (15), shutting down
Feb 08 17:20:18 <hostname> nslcd[1042]: version 0.9.8 bailing out
Feb 08 17:20:18 <hostname> systemd[1]: nslcd.service: Failed with result 'timeout'.
Feb 08 17:20:18 <hostname> systemd[1]: Failed to start Naming services LDAP client daemon..
-- Subject: Unit nslcd.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nslcd.service has failed.
--
-- The result is RESULT.
Offline
change the permissions of "/var/run/nslcd" from "nslcd:nslcd" to "root:root"
Offline
change the permissions of "/var/run/nslcd" from "nslcd:nslcd" to "root:root"
Great, that did the trick! Thanks a lot!
Offline
change the permissions of "/var/run/nslcd" from "nslcd:nslcd" to "root:root"
That did the trick for me too, but in the next boot, the permissions of "/var/run/nslcd" are for "nslcd:nslcd"
Offline
add ExecStartPre=/bin/chown -R root:root /var/run/nslcd to /lib/systemd/system/nslcd.service
[Unit]
Description=Naming services LDAP client daemon.
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid
ExecStartPre=/bin/chown -R root:root /var/run/nslcd
ExecStart=/usr/bin/nslcd
[Install]
WantedBy=multi-user.target
Offline
Completely the wrong way to do that. Use systemd-tmpfiles or wait for the systemd fix.
Online
please describe the right way
Offline
I already did, use systemd-tmpfiles or wait for the systemd fix
Online
I've solved it by adding "User=nslcd" in /etc/systemd/system/nslcd.service
[Unit]
Description=Naming services LDAP client daemon.
After=syslog.target network.target
[Service]
User=nslcd
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid
ExecStart=/usr/bin/nslcd
[Install]
WantedBy=multi-user.target
I know that this is not the best solution, but I don't know how to use systemd-tmpfiles
Offline
The fix for most of these should already be in the systemd package in testing. Probably won't be long before it hits core
Online
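Added example, not part of any post in this thread: a shell check that walks a PID file path and reports where ownership changes below an entry owned by a non-root user. That is the situation the "unsafe symlink chain" message points at, and both the root:root chown and the User=nslcd change remove it. The rule coded here is an assumption about what systemd checks, and `owner_of` and `check_chain` are names made up for this example.

```sh
#!/bin/sh
# Assumed rule (not taken from the thread): a step in the path is unsafe when
# the parent entry is owned by a non-root uid and the child has a different
# owner, e.g. a root-owned nslcd.pid inside an nslcd-owned /var/run/nslcd.

# owner_of PATH: print the numeric uid owning PATH (GNU stat; a symlink in
# the last component is reported by its own owner, not followed).
owner_of() { stat -c %u -- "$1"; }

# check_chain PATH: print every unsafe step on the way to PATH.
# Returns 0 if the chain is clean, 1 if a step was flagged, 2 on stat failure.
# "/" itself is assumed to be owned by root.
check_chain() {
    cc_rest=${1#/} cc_cur="" cc_prev=0 cc_bad=0
    while [ -n "$cc_rest" ]; do
        cc_part=${cc_rest%%/*}            # next path component
        case $cc_rest in
            */*) cc_rest=${cc_rest#*/} ;; # more components follow
            *)   cc_rest="" ;;            # this was the last one
        esac
        [ -n "$cc_part" ] || continue     # skip empty parts from "//"
        cc_cur="$cc_cur/$cc_part"
        cc_uid=$(owner_of "$cc_cur") || { echo "cannot stat $cc_cur" >&2; return 2; }
        if [ "$cc_prev" -ne 0 ] && [ "$cc_uid" -ne "$cc_prev" ]; then
            echo "unsafe step: $cc_cur (uid $cc_uid) is below an entry owned by uid $cc_prev"
            cc_bad=1
        fi
        cc_prev=$cc_uid
    done
    return "$cc_bad"
}

# Usage on the affected host:
#   check_chain /var/run/nslcd/nslcd.pid
```
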