Empty config file: ‘/var/ldap/ldap_client_file’
It’s an annoying and recurring problem – your previously configured and well behaved Solaris machine has now dropped off the network, and no-one can log in. Going in via the console shows that all LDAP lookups fail, and that’s why no-one can log in.
/var/adm/messages is filled with cheery messages like this:
ldap_cachemgr: [ID 293258 daemon.error] libsldap: Status: 0 \ Mesg: Empty config file: '/var/ldap/ldap_client_file'
You’ll also find the LDAP client SMF service has gone into maintenance mode:
bash-3.00$ svcs ldap/client
STATE          STIME    FMRI
maintenance    17:17:42 svc:/network/ldap/client:default
So what happened? The Solaris ldap_cachemgr process regularly talks to your LDAP servers, and at a pre-defined interval (usually 12 hours) it refreshes the client config. This has a number of benefits, not least of which is that you can make one change in the LDAP directory and then have all your clients update themselves automatically.
This is great for putting a new LDAP server into play, or for doing a server migration.
The problem arises when /var, where the two LDAP configuration files are stored, is full. Unfortunately ldap_cachemgr doesn't check that it has room to save the new config before it writes it – so it tries to replace the two existing config files, the writes fail, and it leaves zero-byte files in their place.
Luckily the fix is a simple one: copy ldap_client_cred and ldap_client_file from another working server into /var/ldap, and then restart the ldap_cachemgr by clearing the service out of maintenance:
bash-3.00$ svcadm clear ldap/client
bash-3.00$ svcs ldap/client
STATE          STIME    FMRI
online         17:17:42 svc:/network/ldap/client:default
The workaround is to make sure that the /var partition never fills up. A 100% full /var is bad for a number of reasons beyond LDAP, so you need monitoring in place that raises an alert before it gets there.
The bug in ldap_cachemgr is being tracked with SunSolve Bug ID 6495683 – “LDAP client files & cred files are deleted when /var is full”
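Until the bug is fixed, the two things worth watching are the free space on /var and the size of the two client files. The script below is an added example, not something from the original post or from Sun; it is a cron-able health check that warns when the filesystem holding /var/ldap passes a usage threshold and flags a missing or zero-byte ldap_client_file or ldap_client_cred. The directory, the threshold and the assumption that the percent-used field is the fifth column of df -k output are all site assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the original post): cron-able health check for the
# "/var full, ldap_cachemgr writes empty config files" failure. LDAP_DIR,
# VAR_THRESHOLD and the df column parsing are assumptions; adjust for your site.

LDAP_DIR="${LDAP_DIR:-/var/ldap}"
VAR_THRESHOLD="${VAR_THRESHOLD:-90}"    # percent used that triggers a warning

# Report expected client files that are missing or empty (the symptom of
# the bug). Returns 0 if both files have content, 1 otherwise.
check_ldap_client_files() {
    dir="$1"
    rc=0
    for f in ldap_client_file ldap_client_cred; do
        if [ ! -s "$dir/$f" ]; then
            echo "WARN: $dir/$f is missing or zero bytes"
            rc=1
        fi
    done
    return "$rc"
}

# Compare a df percent field such as "97%" against a threshold.
# Returns 0 when usage >= threshold, 1 when below, 2 on unparsable input.
var_over_threshold() {
    pct=$(printf '%s' "$1" | tr -d '%')
    case "$pct" in
        ''|*[!0-9]*) echo "WARN: cannot parse usage '$1'"; return 2 ;;
    esac
    [ "$pct" -ge "$2" ]
}

# Run both checks against the live system; non-zero means something to fix.
# The capacity column is the fifth field on Solaris and Linux df -k output.
run_checks() {
    dir="$1"; threshold="$2"; status=0
    usage=$(df -k "$dir" 2>/dev/null | awk 'NR==2 {print $5}')
    if var_over_threshold "$usage" "$threshold"; then
        echo "WARN: filesystem holding $dir is $usage used (threshold ${threshold}%)"
        status=1
    fi
    check_ldap_client_files "$dir" || status=1
    return "$status"
}

# Cron entry point: the script's exit status reflects the findings.
run_checks "$LDAP_DIR" "$VAR_THRESHOLD"
```

Run it from cron and alert on a non-zero exit; catching /var at 90% is the point, since once the refresh has already clobbered the files the only remedy is the copy-and-clear above.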
The ldap_cachemgr can also be queried to find out who it’s bound to – and also when it will next be refreshing the LDAP client configuration. Pass it the -g option:
bash-3.00$ /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level                 0
server log file                    "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr    30

cachemgr cache data statistics:
Configuration refresh information:
  Previous refresh time: 2009/06/03 05:17:42
  Next refresh time:     2009/06/03 17:17:42
Server information:
  Previous refresh time: 2009/06/03 09:57:42
  Next refresh time:     2009/06/03 11:17:42
  server: 192.168.13.101, status: UP
Cache data information:
  Maximum cache entries:   256
  Number of cache entries: 0