Perhaps you can shorten the booting process by changing the default bind timeout? In /etc/ldap.conf set:
# Bind timelimit
bind_timelimit 5

Another option you might consider is using user netgroups instead of groups for your sudo access...

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris St. Pierre
Sent: Tuesday, April 10, 2007 8:32 AM
To: [email protected]
Subject: [rhelv5-list] LDAP groups + sudo = badness

We discovered on RHEL4 that sudo didn't quite handle LDAP (or other, I suppose) groups properly. In order for sudo to use LDAP groups for access control, we had to specify group lookups thusly in nsswitch.conf:

group: ldap files

The other way around ("files ldap"), while the default from authconfig, did not work with sudo. (To wit, sudo complained that the user attempting to sudo was not found in sudoers -- even though 'groups username' clearly showed they were in the correct group.)

That was fine, but RHEL5 throws an extra wrinkle into things. When booting up, apparently the "Starting udev" stage does a large number of group lookups. Since the network is not up at that point, all of them have to time out if LDAP is specified first in nsswitch.conf, which makes booting take several _hours_.

So with RHEL5, my options are:

group: ldap files - sudo works, but a reboot is an all-day affair
group: files ldap - rebooting works, but sudo doesn't

I haven't touched the PAM entry for sudo, which is:

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

I have touched the system-auth PAM entry, but only to add pam_access.so. My system-auth now reads:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

What can I do to make _both_ sudo and rebooting work?

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
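For readers who want to try Kevin's suggestion without reordering nsswitch.conf (which the thread shows breaks sudo), here is a constructed /etc/ldap.conf fragment as an added example; it is not from either message in the thread. It assumes the nss_ldap module RHEL5 shipped, whose config file is the /etc/ldap.conf Kevin refers to. The server name and base DN are placeholders, and the bind_policy and nss_initgroups_ignoreusers directives go beyond what the thread mentions: they are documented nss_ldap options, but confirm your installed version accepts them by checking the comments in the shipped /etc/ldap.conf before relying on them.

```conf
# /etc/ldap.conf (nss_ldap on RHEL5) -- constructed example, not from the thread.
# Only the directives relevant to the boot hang are shown; keep your own
# host/base/ssl lines.

uri ldap://ldap.example.edu/        # assumed server name
base dc=example,dc=edu              # assumed base DN

# Weak: the shipped defaults. Every lookup made while the server is
# unreachable waits the full 30-second bind timeout, and with the hard bind
# policy nss_ldap keeps retrying. Multiply that by the large number of group
# lookups udev makes before the network is up and you get Chris's
# hours-long boot.
#bind_timelimit 30
#bind_policy hard

# Corrected: fail fast when the server cannot be reached, as Kevin suggests.
bind_timelimit 5

# Return "unavailable" at once instead of retrying an unreachable server
# (assumption: your nss_ldap build accepts this option; see the shipped
# /etc/ldap.conf comments).
bind_policy soft

# Do not ask LDAP for the supplementary groups of local system accounts at
# all; those are the accounts udev is looking up at boot (same caveat).
nss_initgroups_ignoreusers root,bin,daemon

# /etc/nsswitch.conf stays as the thread found sudo needs it:
#   group:  ldap files
```

Two things worth checking after the change. First, pam_ldap on RHEL5 reads the same /etc/ldap.conf, so a 5-second bind_timelimit now also bounds how long an interactive login waits for the directory; pick a value your network can meet. Second, verify the effect directly rather than by rebooting: with the LDAP server blocked (a temporary firewall rule is enough), run `time getent group <some-ldap-group>` and confirm the lookup returns in roughly the bind timeout rather than hanging, then run `time getent group <ldap-group-sudoers-uses>` with the server reachable and confirm the group still resolves, since that is what sudo depends on.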
