UNIX Consulting and Expertise
Golden Apple Enterprises Ltd.

Empty config file: ‘/var/ldap/ldap_client_file’

It’s an annoying and recurring problem – your previously configured and well behaved Solaris machine has now dropped off the network, and no-one can log in. Going in via the console shows that all LDAP lookups are failing, which is why the logins fail.

/var/adm/messages is filled with cheery messages like this:

ldap_cachemgr[173]: [ID 293258 daemon.error] libsldap: Status: 0 \
 Mesg: Empty config file: '/var/ldap/ldap_client_file'

You’ll also find the LDAP client SMF service has gone into maintenance mode:

bash-3.00$ svcs ldap/client
STATE          STIME    FMRI
maintenance    17:17:42 svc:/network/ldap/client:default

So what happened? The Solaris ldap_cachemgr process regularly talks to your LDAP servers, and at a pre-defined interval (usually 12 hours) it refreshes the client config. This has a number of benefits, not least of which is that you can make one change in the LDAP directory, and then have your clients all update themselves automatically.

This is great for putting a new LDAP server into play, or for doing a server migration.

The problem arises when /var, where the two LDAP configuration files are stored, is full. Unfortunately ldap_cachemgr doesn’t check that it can save the new config – so it tries to replace the two existing config files, fails, and ends up writing zero-byte files in their place.

Luckily the fix is a simple one: copy ldap_client_cred and ldap_client_file from another working server into /var/ldap, and then restart the ldap_cachemgr.

bash-3.00$ svcadm clear ldap/client
bash-3.00$ svcs ldap/client
STATE          STIME    FMRI
online         17:17:42 svc:/network/ldap/client:default

The workaround is to make sure that the /var partition never fills up. If it’s 100% full it’s bad for a number of reasons, and you need to put processes in place to trigger alerts to stop this happening.
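
One way to build the alerting described above, as an added example that is not code from the original post: a check, meant to be run from cron under bash or ksh, that warns when the filesystem holding /var/ldap is nearly full or when either client file is missing or zero bytes. The 90% threshold, the function names and the ldap_check syslog tag are assumptions chosen for illustration.

```shell
# Added example: cron-able health check for the Solaris LDAP client files.
# LDAP_DIR defaults to the path from the post; VAR_LIMIT (percent) is an assumed threshold.
LDAP_DIR=${LDAP_DIR:-/var/ldap}
VAR_LIMIT=${VAR_LIMIT:-90}

# Print the name of each client file that is missing or zero bytes long.
empty_ldap_files() {
    for f in ldap_client_file ldap_client_cred; do
        # -s is true only when the file exists and is larger than zero bytes
        [ -s "$1/$f" ] || echo "$f"
    done
}

# Print how full (in percent, digits only) the filesystem holding $1 is.
# The capacity column is the second-to-last field of the last df line.
fs_used_pct() {
    df -k "$1" 2>/dev/null | tail -1 | awk '{ print $(NF-1) }' | tr -d '%'
}

# Report to stderr (cron mails it) and to syslog at daemon.err.
alert() {
    echo "ldap_check: $*" >&2
    logger -p daemon.err -t ldap_check "$*" 2>/dev/null || :
}

# Return 0 when healthy, 1 when any alert was raised.
check_ldap_client() {
    dir=$1 limit=$2 rc=0
    pct=$(fs_used_pct "$dir")
    case $pct in
        ''|*[!0-9]*) alert "cannot read filesystem usage for $dir"; return 1 ;;
    esac
    if [ "$pct" -ge "$limit" ]; then
        alert "filesystem holding $dir is ${pct}% full (limit ${limit}%)"
        rc=1
    fi
    for f in $(empty_ldap_files "$dir"); do
        alert "$dir/$f is missing or empty"
        rc=1
    done
    return $rc
}

# Run the check only where the directory exists (it will not on a non-LDAP host).
if [ -d "$LDAP_DIR" ]; then
    check_ldap_client "$LDAP_DIR" "$VAR_LIMIT" || :
fi
```

Running it more often than the 12 hour refresh interval gives a full /var a chance to be noticed before ldap_cachemgr next rewrites the files.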

The bug in ldap_cachemgr is being tracked with SunSolve Bug ID 6495683 – “LDAP client files & cred files are deleted when /var is full”

The ldap_cachemgr can also be queried to find out who it’s bound to – and also when it will next be refreshing the LDAP client configuration. Pass it the -g option:

bash-3.00$ /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level          0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr         30
cachemgr cache data statistics:
Configuration refresh information: 
  Previous refresh time: 2009/06/03 05:17:42
  Next refresh time:     2009/06/03 17:17:42
Server information: 
  Previous refresh time: 2009/06/03 09:57:42
  Next refresh time:     2009/06/03 11:17:42
  server: 192.168.13.101, status: UP
Cache data information: 
  Maximum cache entries:          256
  Number of cache entries:          0

One comment to “Empty config file: ‘/var/ldap/ldap_client_file’”

  1. Thanks for this- solved my cachemgr issue- getting 4000 entries a second into the log file- until the log file hits the 2GB file size limit.
