Slow LDAP Authentication in 10.5

  • #371117
    victorahugo
    Participant

    We are currently using 10.4.11 to authenticate to our 10.3.9 LDAP server. Log in takes about 20 seconds. When we test out a 10.5 machine to the same server it takes 2 minutes.

    Here’s a clipping from the LDAP log, maybe someone will see something in that. I am trying to log in as user p194xxx.

    Dec 20 2007 11:39:52 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
    Dec 20 2007 11:39:52 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
    Dec 20 2007 11:39:52 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
    Dec 20 2007 11:39:52 RSAPUBLIC: ok
    Dec 20 2007 11:39:52 RSAVALIDATE: success.
    Dec 20 2007 11:39:52 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
    Dec 20 2007 11:39:52 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
    Dec 20 2007 11:39:52 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
    Dec 20 2007 11:39:57 RSAPUBLIC: ok
    Dec 20 2007 11:39:57 RSAVALIDATE: success.
    Dec 20 2007 11:39:57 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
    Dec 20 2007 11:39:57 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
    Dec 20 2007 11:39:57 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
    Dec 20 2007 11:39:57 RSAPUBLIC: ok
    Dec 20 2007 11:39:57 RSAVALIDATE: success.
    Dec 20 2007 11:39:57 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
    Dec 20 2007 11:39:57 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
    Dec 20 2007 11:39:57 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
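    The log excerpt above shows the same client session asking for DIGEST-MD5 four times in five seconds and getting "SASL error -13" each time. The following script is an added example, not part of the original post: it parses Password Server log lines of that shape, groups them by session id and user, and reports how many times the same mechanism failed with the same code and over what time span, which is how a retry loop like this one is separated from a single failed login. The sample log is the lines quoted above; the mapping of numeric codes to names is taken from Cyrus SASL's sasl.h, and it is an assumption that Password Server uses that numbering (under which -13 is SASL_BADAUTH).

```python
"""Summarise repeated SASL failures in an Apple Password Server log.

Added example, not from the original post. Groups AUTH/AUTH2 lines by
{session-id, user}, counts same-mechanism/same-code failures and measures
how long the retry loop lasted.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>[A-Z0-9]+): "
    r"(?:\{(?P<sid>0x[0-9a-fA-F]+), (?P<user>[^}]+)\} )?"
    r"(?P<msg>.*)$"
)
MECH_RE = re.compile(r"requested mechanism (?P<mech>[A-Za-z0-9_-]+)")
FAIL_RE = re.compile(r"authentication failed, SASL error (?P<code>-?\d+)")

# Result codes from Cyrus SASL's sasl.h. Assumption: Password Server reports
# the same numbering, which makes -13 SASL_BADAUTH ("authentication failure").
SASL_CODES = {
    -1: "SASL_FAIL",
    -4: "SASL_NOMECH",
    -13: "SASL_BADAUTH",
    -14: "SASL_NOAUTHZ",
    -15: "SASL_TOOWEAK",
    -20: "SASL_NOUSER",
}

# Constructed sample: the lines quoted in the post above.
SAMPLE_LOG = """\
Dec 20 2007 11:39:52 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:52 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:52 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Dec 20 2007 11:39:52 RSAPUBLIC: ok
Dec 20 2007 11:39:52 RSAVALIDATE: success.
Dec 20 2007 11:39:52 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:52 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:52 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Dec 20 2007 11:39:57 RSAPUBLIC: ok
Dec 20 2007 11:39:57 RSAVALIDATE: success.
Dec 20 2007 11:39:57 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:57 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:57 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Dec 20 2007 11:39:57 RSAPUBLIC: ok
Dec 20 2007 11:39:57 RSAVALIDATE: success.
Dec 20 2007 11:39:57 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:57 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:57 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def summarise(lines):
    """Group AUTH/AUTH2 lines per (session id, user) and describe each group."""
    sessions = defaultdict(lambda: {"mechs": [], "codes": [], "first": None, "last": None})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["sid"] is None:
            continue  # RSAPUBLIC/RSAVALIDATE lines carry no session id
        s = sessions[(rec["sid"], rec["user"])]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["event"] == "AUTH":
            m = MECH_RE.search(rec["msg"])
            if m:
                s["mechs"].append(m.group("mech"))
        elif rec["event"] == "AUTH2":
            m = FAIL_RE.search(rec["msg"])
            if m:
                s["codes"].append(int(m.group("code")))

    report = {}
    for key, s in sessions.items():
        distinct_codes = sorted(set(s["codes"]))
        report[key] = {
            "attempts": len(s["mechs"]),
            "failures": len(s["codes"]),
            "mechanisms": sorted(set(s["mechs"])),
            "codes": {c: SASL_CODES.get(c, "unknown") for c in distinct_codes},
            "span_seconds": (s["last"] - s["first"]).total_seconds(),
            # The same mechanism failing with the same code three or more times
            # is one client retrying, not three different problems.
            "retry_loop": (len(s["codes"]) >= 3
                           and len(set(s["mechs"])) == 1
                           and len(distinct_codes) == 1),
        }
    return report


if __name__ == "__main__":
    for (sid, user), r in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{user} {sid}: {r['attempts']} attempts, {r['failures']} failures "
              f"{r['codes']} over {r['span_seconds']:.0f}s; retry loop: {r['retry_loop']}")
```

    Run against the quoted lines it reports one session, four DIGEST-MD5 attempts, four -13 failures, a five-second span and a retry loop. Feed it a whole day of the Password Server log (one line per entry) to see whether other users and other sessions show the same pattern.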

    #371145
    luke
    Participant

    Double and triple check DNS. Is it possible that the 10.5 machine has two DNS servers set, but the first server has a wrong or missing entry for the LDAP server? Test this by using host or ping with the server’s FQDN from the 10.5 machine.

    A next troubleshooting step would be to use the LDAP command line utilities on the client to query the LDAP server.

    If those all check out, have a look at the AFP server that the home directories are stored on. Maybe the cause of the delay is from mounting it. Maybe it’s kerberos.

    Logging in to a managed client is such a complex process, it could be any number of things…

    #371331
    bschonhorst
    Participant

    Hey-

    I think many people (myself included) have seen this issue.

    https://www.afp548.com/forum/viewtopic.php?showtopic=19298

    I have not found a good work around yet.

    #371332
    Lindsay Robertso
    Participant

    We’ve had big problems with very slow boot processes on 30 macs. The blue progress bar can take up to 5 minutes to go across.

    From http://www.macwindows.com/AD.html#021907e i found this

    March 5, 2007
    Dan Ball found that the problem wasn’t with Active Directory, but with the LDAP version 3 plugin. A reconfiguration fixed the problem:

    When we first switched to Tiger at the Mac OS 10.4.6 revision, I thought things were running great in testing until I re-imaged a lab. If I rebooted the lab of roughly 30 machines, randomly they would take forever to start up. Each one would hang for roughly 5 minutes or so before showing the login window.

    For us the issue wasn’t the connection to Active Directory, it was the connection to our OS X (10.4.6) server.

    The fix for us was in the LDAPv3 plugin under the “LDAP Mapping” column, I had to set it to “Open Directory Server” instead of the default of “From Server.” I switched this setting and haven’t had an issue since then.

    It fixed my problem!

    #371349
    Lindsay Robertso
    Participant

    Umm No.

    The server was a 10.3, and was upgraded to 10.4, over a year ago, but these problems have been happening on new machines we have installed in the last year. All clients are 10.4…

    #373465
    simen
    Participant

    It takes 40 seconds to log in here. Is that normal? And I fixed the “bdb_equality_candidates: (apple-computers) index_param failed” error… See last post here:

    http://discussions.apple.com/thread.jspa?messageID=7481015

    I still have this error

    “Jul 21 23:50:47 server slapd[3512]: SASL [conn=12] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)”

    What is that?

    Here are my DNS settings:
    [code]
    $TTL 10800
    private.        IN SOA  server.private. x.server.private. (
                            2008071010  ; Serial
                            86400       ; Refresh
                            3600        ; Retry
                            604800      ; Expire
                            345600      ; Negative caching TTL
                            )

    private.        IN NS   server.private.
    server          IN A    10.0.0.2

    k031            IN A    10.0.0.31
    k032            IN A    10.0.0.32
    [/code]
    And reverse:
    [code]
    $TTL 10800
    0.0.10.in-addr.arpa.    IN SOA  server.private. x.private. (
                                    2008071009  ; Serial
                                    86400       ; Refresh
                                    3600        ; Retry
                                    604800      ; Expire
                                    345600      ; Negative caching TTL
                                    )

    0.0.10.in-addr.arpa.    IN NS   server.private.
    2.0.0.10.in-addr.arpa.  IN PTR  server.private.
    31.0.0.10.in-addr.arpa. IN PTR  k031.private.
    32.0.0.10.in-addr.arpa. IN PTR  k032.private.
    [/code]

    Yes. It is .private, I didn’t anonymize it.

    I thought the reason we bought “Mac OS X Server” was so we didn’t have to fiddle with these kinda things…
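    luke’s first step above is to verify DNS for the LDAP server, forward and reverse, before looking at LDAP or Kerberos at all, and simen has posted both zones. The script below is an added example, not from either post: it parses the two zone snippets and cross-checks them, flagging any A record without a PTR at the expected in-addr.arpa name, any PTR that does not point back to a name holding that address, and any NS or SOA master name that has no A record. GSSAPI derives the service principal it looks for from the server’s canonical host name, so forward/reverse disagreement is one common reason a keytab lookup fails; a clean result here rules that out but does not by itself explain simen’s error. Assumptions: a simplified BIND syntax ($TTL/$ORIGIN directives, a parenthesised SOA, an explicit owner on every record, as in the zones above), and origins of "private." and "0.0.10.in-addr.arpa." taken from the SOA owner names. The zone text is the data from the post; the broken variants in the usage note are constructed.

```python
"""Cross-check a forward DNS zone against its reverse zone.

Added example, not from the original post. Parses a simplified BIND zone
(directives, parenthesised SOA, explicit owner on every record) and reports
A/PTR pairs that do not agree, plus NS/SOA names lacking an A record.
"""
from dataclasses import dataclass

# Zone data as posted (forward zone, origin "private.").
FORWARD = """\
$TTL 10800
private. IN SOA server.private. x.server.private. (
2008071010 ;Serial
86400 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
)

private. IN NS server.private.
server IN A 10.0.0.2

k031 IN A 10.0.0.31
k032 IN A 10.0.0.32
"""

# Zone data as posted (reverse zone, origin "0.0.10.in-addr.arpa.").
REVERSE = """\
$TTL 10800
0.0.10.in-addr.arpa. IN SOA server.private. x.private. (
2008071009 ;Serial
86400 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
)

0.0.10.in-addr.arpa. IN NS server.private.
2.0.0.10.in-addr.arpa. IN PTR server.private.
31.0.0.10.in-addr.arpa. IN PTR k031.private.
32.0.0.10.in-addr.arpa. IN PTR k032.private.
"""

FORWARD_ORIGIN = "private."
REVERSE_ORIGIN = "0.0.10.in-addr.arpa."


@dataclass
class Record:
    owner: str
    rtype: str
    rdata: list


def qualify(name, origin):
    """Make a zone-file name absolute (trailing dot) relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Tokenise a zone; parentheses let one record (the SOA) span several lines."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # strip comments
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth != 0 or not buf:
            continue
        if buf[0].startswith("$"):  # $ORIGIN changes relative names; $TTL is ignored
            if buf[0].upper() == "$ORIGIN":
                origin = buf[1]
            buf = []
            continue
        owner, rest = qualify(buf[0], origin), buf[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)  # optional TTL and class
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("PTR", "NS", "CNAME", "SOA"):
            rdata[0] = qualify(rdata[0], origin)
        records.append(Record(owner, rtype, rdata))
        buf = []
    return records


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ip_from_reverse(owner):
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return a list of human-readable problems; empty means the zones agree."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    a = {}  # name -> set of addresses
    for r in fwd:
        if r.rtype == "A":
            a.setdefault(r.owner.lower(), set()).add(r.rdata[0])
    ptr = {r.owner.lower(): r.rdata[0].lower() for r in rev if r.rtype == "PTR"}
    problems = []
    for name, ips in a.items():  # every A must have a PTR pointing back to it
        for ip in ips:
            target = ptr.get(reverse_name(ip))
            if target is None:
                problems.append(f"{name} A {ip}: no PTR at {reverse_name(ip)}")
            elif target != name:
                problems.append(f"{ip} PTR {target}: does not match A owner {name}")
    for owner, target in ptr.items():  # every PTR target must hold that address
        if ip_from_reverse(owner) not in a.get(target, set()):
            problems.append(f"PTR {owner} -> {target}: no A record for {ip_from_reverse(owner)}")
    for r in fwd + rev:  # name servers and the SOA master must resolve
        if r.rtype in ("NS", "SOA") and r.rdata[0].lower() not in a:
            problems.append(f"{r.rtype} for {r.owner} names {r.rdata[0]}, which has no A record")
    return problems


if __name__ == "__main__":
    found = check_zones(FORWARD, FORWARD_ORIGIN, REVERSE, REVERSE_ORIGIN)
    print("\n".join(found) if found else "forward and reverse zones agree")
```

    For the zones as posted the check returns no problems: every A record has a PTR that points back, every PTR’s target holds the address, and server.private. (the NS and SOA master in both zones) has an A record. Adding a constructed `k033 IN A 10.0.0.33` to the forward zone without a PTR, or pointing the constructed `32.0.0.10.in-addr.arpa.` PTR at k031.private. instead of k032.private., produces the corresponding complaints. This checks the zone files, not what clients actually receive; the `host`/`ping` tests luke describes, run from each client against each configured resolver, are still needed to catch a stale or wrong entry on a second DNS server.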
