Slow LDAP Authentication in 10.5
We are currently using 10.4.11 to authenticate to our 10.3.9 LDAP server. Log in takes about 20 seconds. When we test out a 10.5 machine to the same server it takes 2 minutes.
Here’s a clipping from the LDAP log, maybe someone will see something in that. I am trying to log in as user p194xxx.
Dec 20 2007 11:39:52 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:52 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:52 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Dec 20 2007 11:39:52 RSAPUBLIC: ok
Dec 20 2007 11:39:52 RSAVALIDATE: success.
Dec 20 2007 11:39:52 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:52 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:52 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Dec 20 2007 11:39:57 RSAPUBLIC: ok
Dec 20 2007 11:39:57 RSAVALIDATE: success.
Dec 20 2007 11:39:57 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:57 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:57 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Dec 20 2007 11:39:57 RSAPUBLIC: ok
Dec 20 2007 11:39:57 RSAVALIDATE: success.
Dec 20 2007 11:39:57 AUTH: {0x40c650496d5621f5000000ad000000aa, p194xxx} requested mechanism DIGEST-MD5.
Dec 20 2007 11:39:57 AUTH2: {0x40c650496d5621f5000000ad000000aa, p194xxx} authentication failed, SASL error -13.
Dec 20 2007 11:39:57 QUIT: {0x40c650496d5621f5000000ad000000aa, p194xxx} has disconnected.
Double and triple check DNS. Is it possible that the 10.5 machine has two DNS servers set, but the first server has a wrong or missing entry for the LDAP server? Test this by using host or ping with the server’s FQDN from the 10.5 machine.
A next troubleshooting step would be to use the LDAP command line utilities on the client to query the LDAP server.
If those all check out, have a look at the AFP server that the home directories are stored on. Maybe the cause of the delay is from mounting it. Maybe it’s Kerberos.
Logging in to a managed client is such a complex process, it could be any number of things…
Hey-
I think many people (myself included) have seen this issue.
[url]https://www.afp548.com/forum/viewtopic.php?showtopic=19298[/url]
I have not found a good workaround yet.
t
We’ve had big problems with very slow boot processes on 30 macs. The blue progress bar can take up to 5 minutes to go across.
From http://www.macwindows.com/AD.html#021907e I found this:
March 5, 2007
Dan Ball found that the problem wasn’t with Active Directory, but with the LDAP version 3 plugin. A reconfiguration fixed the problem:
When we first switched to Tiger at the Mac OS 10.4.6 revision, I thought things were running great in testing until I re-imaged a lab. If I rebooted the lab of roughly 30 machines randomly, they would take forever to start up. Each one would hang for roughly 5 minutes or so before showing the login window.
For us the issue wasn’t the connection to Active Directory, it was the connection to our OS X (10.4.6) server.
The fix for us was in the LDAPv3 plugin under the “LDAP Mapping” column, I had to set it to “Open Directory Server” instead of the default of “From Server.” I switched this setting and haven’t had an issue since then.
It fixed my problem!
Umm No.
The server was a 10.3, and was upgraded to 10.4, over a year ago, but these problems have been happening on new machines we have installed in the last year. All clients are 10.4…
It takes 40 seconds to log in here. Is that normal? And I fixed the “bdb_equality_candidates: (apple-computers) index_param failed” error… See last post here:
http://discussions.apple.com/thread.jspa?messageID=7481015
I still have this error
“Jul 21 23:50:47 server slapd[3512]: SASL [conn=12] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)”
What is that?
Here are my DNS settings:
[code] $TTL 10800
private. IN SOA server.private. x.server.private. (
2008071010 ;Serial
86400 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
)
private. IN NS server.private.
server IN A 10.0.0.2
k031 IN A 10.0.0.31
k032 IN A 10.0.0.32
[/code]
And reverse:
[code] $TTL 10800
0.0.10.in-addr.arpa. IN SOA server.private. x.private. (
2008071009 ;Serial
86400 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
)
0.0.10.in-addr.arpa. IN NS server.private.
2.0.0.10.in-addr.arpa. IN PTR server.private.
31.0.0.10.in-addr.arpa. IN PTR k031.private.
32.0.0.10.in-addr.arpa. IN PTR k032.private.[/code]
Yes. It is .private, I didn’t anonymize it.
I thought the reason we bought “Mac OS X Server” was so we didn’t have to fiddle with these kinda things…
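The forward/reverse DNS check suggested earlier in the thread can be run offline against the two zone files posted above. This is an added example, not part of any post; the function names are hypothetical, and it assumes the forward zone's origin is `private.` and the reverse zone's is `0.0.10.in-addr.arpa.`, as the SOA lines imply.

```python
import ipaddress

# Records copied from the two zone files posted in the thread.
FORWARD_ZONE = """\
private. IN NS server.private.
server IN A 10.0.0.2
k031 IN A 10.0.0.31
k032 IN A 10.0.0.32
"""
REVERSE_ZONE = """\
0.0.10.in-addr.arpa. IN NS server.private.
2.0.0.10.in-addr.arpa. IN PTR server.private.
31.0.0.10.in-addr.arpa. IN PTR k031.private.
32.0.0.10.in-addr.arpa. IN PTR k032.private.
"""

def absolute(name, origin):
    """Qualify a relative name with the zone origin (assumed, see lead-in)."""
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def records(zone_text, origin, rrtype):
    """Return {owner: rdata} for one record type; text after ';' is ignored."""
    found = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 4 and fields[1].upper() == "IN" and fields[2].upper() == rrtype:
            found[absolute(fields[0], origin)] = fields[3]
    return found

def check_forward_reverse(forward, fwd_origin, reverse, rev_origin):
    """List every A record whose PTR is missing or names a different host."""
    ptrs = records(reverse, rev_origin, "PTR")
    problems = []
    for host, addr in sorted(records(forward, fwd_origin, "A").items()):
        ptr_owner = ipaddress.ip_address(addr).reverse_pointer + "."
        target = ptrs.get(ptr_owner)
        if target is None:
            problems.append(f"{host} -> {addr}: no PTR at {ptr_owner}")
        elif absolute(target, rev_origin) != host:
            problems.append(f"{host} -> {addr}: PTR names {target}")
    return problems

if __name__ == "__main__":
    issues = check_forward_reverse(FORWARD_ZONE, "private.", REVERSE_ZONE,
                                   "0.0.10.in-addr.arpa.")
    print("\n".join(issues) or "forward and reverse records agree")
```

For the records as posted it reports no mismatches; it only compares zone data and does not test what a client's resolver actually returns.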