LDAP server gone -> impossible to login locally!

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Tue, 22 Sep 2009 11:53:13 +0000
Hello,

I run into trouble with FreeBSD and LDAP on a regular basis!

Sometimes it is necessary to log in onto a bunch of servers with no LDAP 
service responding, due to service, crash, eletrically disconnetion, 
whatever. The problem is: I can't.
Using all prerequisits from ports (pam_ldap/nss_ldap/ldap as most 
recent) my /etc/nsswitch.conf looks like this as it has been the most 
reasonable (and only working!) solution for the past 2 years:

passwd: ldap [unavail=continue notfound=continue] files [success=return 
notfound=return]

The same for group. Intention is to have root- or wheel-group access of 
local managed service users without timeouts due to irresponsible LDAP 
servers. But it does not work!
If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent 
source/build) does nothing for approx. 120 seconds and sometimes much 
longer when trying to login as root from console. In some cases, the 
same box under the very same conditions refuses login due to a timeout, 
very strange.

After a couple of time and lots of questiosn, the above showed 
nsswitch.conf entries were evaluated as those which should work, but 
exchanging 'ldap' and 'files' results in a never-can-login-situation, 
when LDAP isn't responsible.

Is there a way to shorten the timeouts and if yes, where to look for? 2 
minutes for a login within services sessions is too much, a waste of 
time. Our network is very fast, so 30 seconds should be enough ...

Any help appreciated.

Thanks,

Oliver
Received on Tue Sep 22 2009 - 09:53:10 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:55 UTC