On Wed, 24 Oct 2007, John Summerfield wrote:
> Sharpe, Sam J wrote:
>> John Summerfield wrote:
>>> Jos Vos wrote:
>>>> On an LDAP client, it seems that only root can login when the LDAP
>>>> server is not reachable, other local users can't be used (timeout).
>>>> I did choose the "local authorization is sufficient option" and
>>>> I can login fine as a local user while the LDAP server is reachable.
>>>> So: is it possible to login as (any) local user when the LDAP server
>>>> is not reachable (maybe with a short delay)?
>>> Where would the authentication info be found?
>> In the places referenced by the "files" target in /etc/nsswitch.conf - in
>> this case: /etc/passwd, /etc/shadow, /etc/group
>>> How many users should be able to login?
>> *All* of the local ones, i.e. the ones that exist in /etc/passwd,
>> /etc/shadow and /etc/group
>> Sorry, that came across as very sarcastic, but my point is that your
>> questions aren't immediately relevant to the problem Jos has - why are you
>> seeking clarification, where are your questions going?
> I was seeking to find whether he expects credentials to be cached. Windows
> does that.
It's an interesting question, one which OS X and Windows do
reasonably well, but it wasn't what Jos asked, which is why I wondered
where you were going with your question.
I investigated this sub-topic, because it would be helpful in the event of
short LDAP or Kerberos unavailability. The problem is manifold:
1) Some Auth services can't be cached - e.g. Kerberos, because tickets
must be created by a KDC. This is a problem for me because we authenticate
via Kerberos to our Active Directory controllers.
2) nscd notes: "that the shadow file is specifically not cached."
As far as I remember, Windows caches the password hash and supplies
that to services, but I have no idea how it does it. It definitely doesn't
use its own Kerberos services, because it is not affected by the default
ticket length of 10 hours in AD. I haven't investigated the NetInfo stuff
in OS X, but I suspect it's even more clever ;o)
> OS X has the ability to use authentication information from different sources
> (including netinfo, openldap and files), transparently. It's not clear to me
> whether that's what he wants to do.
Ahh, you see what Jos wants to do is what I want to do, which is why I
understand what he is asking. I inferred from his message that he was
using local accounts /and/ LDAP and wished the local accounts to be
available when LDAP failed, but didn't care about LDAP. For me, that's a
common configuration.
> Perhaps you can learn to control your rudeness.
I wasn't intending to be rude, I was intending to "cut to the chase",
so sorry for that. I often find that when people ask me questions it is
helpful if they give some context so I know *why* they are asking. The
hint in the context gives me some idea of what they think my problem is and
therefore helps me to investigate. Best way to learn is diagnose and fix
yourself.
--
Sam
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
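The configuration Jos describes (local accounts in /etc/passwd next to LDAP accounts, with local logins expected to keep working when the directory is down) is shown below as an added editor's example; it is not anything posted in the thread. It assumes the nss_ldap/pam_ldap stack that RHEL 5's authconfig sets up, and the server name ldap.example.com, the base DN and the CA file path are placeholders. The "files" sources are listed first so a local user resolves without a directory round-trip, pam_unix and pam_localuser run before the ldap modules so a local login never waits on pam_ldap, and the nss_ldap timeouts are the part that turns the hang Jos sees into the "short delay" he asks for.

```conf
# /etc/nsswitch.conf -- answer local users from the files first.
# With "ldap files" a local login would wait on the directory before
# /etc/passwd is ever consulted.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# /etc/ldap.conf (nss_ldap / pam_ldap; server, base and CA are placeholders)
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.crt

# The default is "bind_policy hard": nss_ldap keeps retrying the server,
# so any lookup that falls through to ldap during a local login (a group
# enumeration, a uid check) blocks until the session times out.
# "soft" gives up after one attempt and lets NSS return what files had.
bind_policy soft
bind_timelimit 5          # seconds to wait for the TCP connect and bind
timelimit 5               # seconds to wait for a search to answer
nss_reconnect_tries 2     # stop retrying quickly instead of backing off for minutes
nss_initgroups_ignoreusers root,nscd   # never ask the directory about these

# /etc/pam.d/system-auth -- auth and account sections as authconfig lays
# them out. pam_unix before pam_ldap means a local user's password is
# checked against /etc/shadow and pam_ldap is never reached for that user.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# pam_localuser is the "local authorization is sufficient" option: a user
# present in /etc/passwd passes the account phase without consulting ldap.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
```

To check it, block the LDAP server (a firewall rule on the client is enough) and run `time getent passwd <localuser>` and `time id <localuser>`: both should answer from the files within the bind and search limits, and a console login as that user should take about as long. This only makes local accounts fall through cleanly; it gives LDAP or Kerberos users no offline login, which is Sam's point (1), and nscd does not change that, since it does not cache shadow, which is his point (2).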