We do not classify these issues as compliant or non-compliant; they are just items we have seen that gave us pause.

Server closing connection socket error = -5871

We see this error on eDirectory and have seen several suggestions as to why, but we do not think the issue is resolved or even correctly diagnosed.

If we run a search with the Novell ldapsearch utility:

ldapsearch -h francis.willeke.com -b ou=Group,dc=willeke,dc=com -D cn=proxy,ou=administration,dc=willeke,dc=com -W "(&(objectclass=posixGroup))" cn userPassword memberUid member gidNumber

francis:~ # ldapsearch -h francis.willeke.com -b ou=Group,dc=willeke,dc=com -D cn=proxy,ou=administration,dc=willeke,dc=com -W "(&(objectclass=posixGroup))" cn userPassword memberUid member gidNumber
Enter LDAP Password:
version: 1

#
# filter: (&(objectclass=posixGroup))
# requesting: cn userPassword memberUid member gidNumber
#

# media,group,willeke,com
dn: cn=media,ou=group,dc=willeke,dc=com
gidNumber: 1004
member: cn=eric,ou=butler,ou=people,dc=willeke,dc=com
member: cn=Heather,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jim,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jen,ou=butler,ou=people,dc=willeke,dc=com
member: cn=molly,ou=butler,ou=people,dc=willeke,dc=com
member: cn=Matt,ou=butler,ou=people,dc=willeke,dc=com
member: cn=scott,ou=butler,ou=people,dc=willeke,dc=com
member: cn=TV,ou=butler,ou=people,dc=willeke,dc=com

# wwwAdmin:,group,willeke,com
dn: cn=wwwAdmin:,ou=group,dc=willeke,dc=com
gidNumber: 1002

# webrun,group,willeke,com
dn: cn=webrun,ou=group,dc=willeke,dc=com
gidNumber: 1002

# svnusers,group,willeke,com
dn: cn=svnusers,ou=group,dc=willeke,dc=com
gidNumber: 1005
member: cn=scott,ou=butler,ou=people,dc=willeke,dc=com
member: cn=svn,ou=butler,ou=people,dc=willeke,dc=com
member: cn=molly,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jim,ou=butler,ou=people,dc=willeke,dc=com

# users,group,willeke,com
dn: cn=users,ou=group,dc=willeke,dc=com
gidNumber: 1003
member: cn=molly,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jim,ou=butler,ou=people,dc=willeke,dc=com
member: cn=eric,ou=butler,ou=people,dc=willeke,dc=com
member: cn=scott,ou=butler,ou=people,dc=willeke,dc=com
member: cn=svn,ou=butler,ou=people,dc=willeke,dc=com

# search result
# search: 2
# result: 0 Success

# numResponses: 6
# numEntries: 5


SERVER TRACE:

09:55:44 B62E5BA0 LDAP: New cleartext connection 0x979a000 from 192.168.1.4:38484, monitor = 0xb5ee1ba0, index = 6
09:55:44 B71F4BA0 LDAP: (192.168.1.4:38484)(0x0001:0x60) DoBind on connection 0x979a000
09:55:44 B71F4BA0 LDAP: (192.168.1.4:38484)(0x0001:0x60) Bind name:cn=proxy,ou=administration,dc=willeke,dc=com, version:3, authentication:simple
09:55:44 B71F4BA0 LDAP: (192.168.1.4:38484)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) DoSearch on connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Search request:
   base: "ou=Group,dc=willeke,dc=com"
   scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(&(objectclass=posixGroup))"
   attribute: "cn"
   attribute: "userPassword"
   attribute: "memberUid"
   attribute: "member"
   attribute: "gidNumber"
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Sending search result entry "cn=media,ou=group,dc=willeke,dc=com" to connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Sending search result entry "cn=wwwAdmin:,ou=group,dc=willeke,dc=com" to connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Sending search result entry "cn=webrun,ou=group,dc=willeke,dc=com" to connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Sending search result entry "cn=svnusers,ou=group,dc=willeke,dc=com" to connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Sending search result entry "cn=users,ou=group,dc=willeke,dc=com" to connection 0x979a000
09:55:44 ACCE9BA0 LDAP: (192.168.1.4:38484)(0x0002:0x63) Sending operation result 0:"":"" to connection 0x979a000
09:55:44 A84E6BA0 LDAP: (192.168.1.4:38484)(0x0003:0x42) DoUnbind on connection 0x979a000
09:55:44 A84E6BA0 LDAP: Connection 0x979a000 closed

NOTICE: No error.

However, if we use the OpenLDAP ldapsearch utility:

/usr/bin/ldapsearch -x -h francis.willeke.com -b ou=Group,dc=willeke,dc=com -D cn=proxy,ou=administration,dc=willeke,dc=com -W '(&(objectclass=posixGroup))' cn userPassword memberUid member gidNumber
Enter LDAP Password:

# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=willeke,dc=com> with scope subtree
# filter: (&(objectclass=posixGroup))
# requesting: cn userPassword memberUid member gidNumber
#

# media, group, willeke.com
dn: cn=media,ou=group,dc=willeke,dc=com
gidNumber: 1004
member: cn=eric,ou=butler,ou=people,dc=willeke,dc=com
member: cn=Heather,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jim,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jen,ou=butler,ou=people,dc=willeke,dc=com
member: cn=molly,ou=butler,ou=people,dc=willeke,dc=com
member: cn=Matt,ou=butler,ou=people,dc=willeke,dc=com
member: cn=scott,ou=butler,ou=people,dc=willeke,dc=com
member: cn=TV,ou=butler,ou=people,dc=willeke,dc=com

# wwwAdmin:, group, willeke.com
dn: cn=wwwAdmin:,ou=group,dc=willeke,dc=com
gidNumber: 1002

# webrun, group, willeke.com
dn: cn=webrun,ou=group,dc=willeke,dc=com
gidNumber: 1002

# svnusers, group, willeke.com
dn: cn=svnusers,ou=group,dc=willeke,dc=com
gidNumber: 1005
member: cn=scott,ou=butler,ou=people,dc=willeke,dc=com
member: cn=svn,ou=butler,ou=people,dc=willeke,dc=com
member: cn=molly,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jim,ou=butler,ou=people,dc=willeke,dc=com

# users, group, willeke.com
dn: cn=users,ou=group,dc=willeke,dc=com
gidNumber: 1003
member: cn=molly,ou=butler,ou=people,dc=willeke,dc=com
member: cn=jim,ou=butler,ou=people,dc=willeke,dc=com
member: cn=eric,ou=butler,ou=people,dc=willeke,dc=com
member: cn=scott,ou=butler,ou=people,dc=willeke,dc=com
member: cn=svn,ou=butler,ou=people,dc=willeke,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5


SERVER TRACE:

10:15:48 B62E5BA0 LDAP: New cleartext connection 0x979a000 from 192.168.1.4:32796, monitor = 0xb5ee1ba0, index = 6
10:15:48 B5ADDBA0 LDAP: (192.168.1.4:32796)(0x0001:0x60) DoBind on connection 0x979a000
10:15:48 B5ADDBA0 LDAP: (192.168.1.4:32796)(0x0001:0x60) Bind name:cn=proxy,ou=administration,dc=willeke,dc=com, version:3, authentication:simple
10:15:48 B5ADDBA0 LDAP: (192.168.1.4:32796)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) DoSearch on connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Search request:
   base: "ou=Group,dc=willeke,dc=com"
   scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(&(objectclass=posixGroup))"
   attribute: "cn"
   attribute: "userPassword"
   attribute: "memberUid"
   attribute: "member"
   attribute: "gidNumber"
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Sending search result entry "cn=media,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Sending search result entry "cn=wwwAdmin:,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Sending search result entry "cn=webrun,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Sending search result entry "cn=svnusers,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Sending search result entry "cn=users,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) Sending operation result 0:"":"" to connection 0x979a000
10:15:48 B69ECBA0 LDAP: (192.168.1.4:32796)(0x0003:0x42) DoUnbind on connection 0x979a000
10:15:48 B69ECBA0 LDAP: Connection 0x979a000 closed

NOTICE: Again, we do not get an error.

Still wondering....

Now try to do it from the NSS_LDAP calls.


getent group
at:!:25:
audio:x:17:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:eric,jim,molly,scott,svn,tv
disk:x:6:
floppy:x:19:
ftp:x:49:
games:x:40:
gdm:!:105:
haldaemon:!:102:
kmem:x:9:
lp:x:7:
mail:x:12:
maildrop:!:59:
man:x:62:
messagebus:!:101:
modem:x:43:
mysql:!:104:
news:x:13:
nobody:x:65533:
nogroup:x:65534:nobody
ntadmin:!:71:
ntp:!:103:
postfix:!:51:
public:x:32:
root:x:0:
shadow:x:15:
sshd:!:65:
suse-ncc:!:106:
sys:x:3:
trusted:x:42:
tty:x:5:
utmp:x:22:
uucp:x:14:
video:x:33:eric,jim,molly,scott,svn,tv
wheel:x:10:
www:x:8:
xok:x:41:
media:x:1004:eric,jim,molly,scott,tv
svnusers:x:1005:eric,jim,scott
users:x:100:tv
wwwadmins:x:1002:eric,jim,molly,scott
nagios:!:1006:nagios
nagcmd:!:1007:nagios,tomcat,wwwrun


SERVER TRACE:

10:17:56 B62E5BA0 LDAP: New cleartext connection 0x979a000 from 192.168.1.4:45212, monitor = 0xb5ee1ba0, index = 6
10:17:56 B5DE0BA0 LDAP: (192.168.1.4:45212)(0x0001:0x60) DoBind on connection 0x979a000
10:17:56 B5DE0BA0 LDAP: (192.168.1.4:45212)(0x0001:0x60) Bind name:cn=proxy,ou=administration,dc=willeke,dc=com, version:3, authentication:simple
10:17:56 B5DE0BA0 LDAP: (192.168.1.4:45212)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) DoSearch on connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Search request:
   base: "ou=Group,dc=willeke,dc=com"
   scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(&(objectclass=posixGroup))"
   attribute: "cn"
   attribute: "userPassword"
   attribute: "memberUid"
   attribute: "member"
   attribute: "gidNumber"
10:17:56 B69ECBA0 LDAP: iterCountEntries: ispositionable returned FALSE
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Sending search result entry "cn=media,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Sending search result entry "cn=wwwAdmin:,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Sending search result entry "cn=webrun,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Sending search result entry "cn=svnusers,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Sending search result entry "cn=users,ou=group,dc=willeke,dc=com" to connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) Sending operation result 0:"":"" to connection 0x979a000
10:17:56 B5EE1BA0 LDAP: Monitor 0xb5ee1ba0 found connection 0x979a000 socket closed, err = -5871, 0 of 0 bytes read
10:17:56 B5EE1BA0 LDAP: Monitor 0xb5ee1ba0 initiating close for connection 0x979a000
10:17:56 B6EF1BA0 LDAP: Server closing connection 0x979a000, socket error = -5871
10:17:56 B6EF1BA0 LDAP: Connection 0x979a000 closed

NOTICE: We get an error.

What is:

10:17:56 B69ECBA0 LDAP: iterCountEntries: ispositionable returned FALSE

We are guessing, but we think this is due to the LDAP call using the server-side sort control on eDirectory, which is known to be problematic.
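The comparison made by eye above can be done mechanically. The following is an added example, not part of the original page or of any Novell tooling: it splits a trace into sessions and reports, for each one, whether a DoUnbind preceded the close, any socket error, and any lines that carry no connection handle. Attributing handle-less lines such as the iterCountEntries message to a session through the worker thread ID is an assumption, and the sample input is constructed from trimmed copies of the traces on this page.

```python
import re
# Constructed sample: trimmed copies of the OpenLDAP and NSS_LDAP traces above.
TRACE = """\
10:15:48 B62E5BA0 LDAP: New cleartext connection 0x979a000 from 192.168.1.4:32796, monitor = 0xb5ee1ba0, index = 6
10:15:48 B5ADDBA0 LDAP: (192.168.1.4:32796)(0x0001:0x60) DoBind on connection 0x979a000
10:15:48 A84E6BA0 LDAP: (192.168.1.4:32796)(0x0002:0x63) DoSearch on connection 0x979a000
10:15:48 B69ECBA0 LDAP: (192.168.1.4:32796)(0x0003:0x42) DoUnbind on connection 0x979a000
10:15:48 B69ECBA0 LDAP: Connection 0x979a000 closed
10:17:56 B62E5BA0 LDAP: New cleartext connection 0x979a000 from 192.168.1.4:45212, monitor = 0xb5ee1ba0, index = 6
10:17:56 B5DE0BA0 LDAP: (192.168.1.4:45212)(0x0001:0x60) DoBind on connection 0x979a000
10:17:56 B69ECBA0 LDAP: (192.168.1.4:45212)(0x0002:0x63) DoSearch on connection 0x979a000
10:17:56 B69ECBA0 LDAP: iterCountEntries: ispositionable returned FALSE
10:17:56 B6EF1BA0 LDAP: Server closing connection 0x979a000, socket error = -5871
10:17:56 B6EF1BA0 LDAP: Connection 0x979a000 closed
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) ([0-9A-F]{8}) LDAP: (.*)$")
CONN = re.compile(r"connection (0x[0-9a-f]+)", re.I)
ERR = re.compile(r"(?:socket error|err) = (-?\d+)")

def summarize(trace):
    # The server reuses the handle (0x979a000), so sessions are keyed on open state.
    live, by_thread, done = {}, {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # indented continuation lines (base:, filter:, attribute:)
        ts, thread, msg = m.groups()
        c = CONN.search(msg)
        if c:
            by_thread[thread] = c.group(1)  # which connection this thread last served
        if msg.startswith("New "):
            peer = re.search(r"from ([^,\s]+)", msg).group(1)
            live[c.group(1)] = {"start": ts, "peer": peer, "ops": [], "socket_error": None, "notes": []}
        s = live.get(by_thread.get(thread))
        if s is None:
            continue
        if (op := re.search(r"\b(Do\w+) on connection", msg)):
            s["ops"].append(op.group(1))
        if (err := ERR.search(msg)):
            s["socket_error"] = int(err.group(1))
        if not c:
            s["notes"].append(msg)  # assumption: attribute handle-less lines via thread ID
        elif re.fullmatch(r"Connection 0x[0-9a-f]+ closed", msg):
            s["clean"] = "DoUnbind" in s["ops"] and s["socket_error"] is None
            done.append(live.pop(c.group(1)))
    return done
if __name__ == "__main__":
    print(*summarize(TRACE), sep="\n")
```
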

This page (revision-8) was last changed on 26-Apr-2012 09:03 by jim