John Marshall wrote:
On Tue, 22 Sep 2009, 11:53 +0000, O. Hartmann wrote:
Hello,
I run into trouble with FreeBSD and LDAP on a regular basis!
Sometimes it is necessary to log in onto a bunch of servers with no LDAP
service responding, due to maintenance, a crash, an electrical disconnection,
whatever. The problem is: I can't.
Using all prerequisites from ports (pam_ldap/nss_ldap/ldap as most
recent) my /etc/nsswitch.conf looks like this, as it has been the most
reasonable (and only working!) solution for the past 2 years:
passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
The same for group. The intention is to have root- or wheel-group access for
locally managed service users without timeouts due to unresponsive LDAP
servers. But it does not work!
If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent
source/build) does nothing for approx. 120 seconds and sometimes much
longer when trying to login as root from console. In some cases, the
same box under the very same conditions refuses login due to a timeout,
very strange.
After a while and lots of questions, the above shown
nsswitch.conf entries were evaluated as those which should work, but
exchanging 'ldap' and 'files' results in a never-can-login situation
when LDAP isn't responding.
Is there a way to shorten the timeouts and if yes, where should I look? 2
minutes for a login within service sessions is too much, a waste of
time. Our network is very fast, so 30 seconds should be enough ...
I've only recently started playing with LDAP but it sounds to me like
you probably have one of the 'hard' options set for the reconnect policy
in your nss_ldap.conf file. I use 'bind_policy soft' so that if the
LDAP server isn't available we fail over to the next nsswitch service
immediately.
I don't think further discussion of this thread belongs on the
freebsd-current list.
Hope this helps.
bind_policy soft
is a bad solution. When you have network lags, you have a chance of getting
flapping connection errors.
http://www.liquidx.net/blog/2006/04/03/nss_ldap-undocumented-nss_reconnect_tries/
nss_reconnect_sleeptime 0
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
WBR
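The two replies above disagree on bind_policy but both turn on the same question: how long nss_ldap keeps a lookup blocked when no LDAP server answers, and how the reconnect options bound that. The script below is an added illustration, not code from the thread or from nss_ldap itself. It models the reconnect loop as described by the option names (a fixed number of attempts, no sleep for the first maxconntries, then a doubling sleep capped at maxsleeptime); the exact loop in nss_ldap may differ, and the default values used here (5 tries, sleep 4 s, max sleep 64 s, 2 connect tries) are assumptions. It also models the nsswitch.conf status actions from the original post, so the worst-case console login delay for a given chain can be compared across settings.

```python
"""Model the worst-case time an nss_ldap passwd lookup blocks when every LDAP
server is unreachable, under different reconnect settings (added example;
the loop shape and defaults below are assumptions, not nss_ldap's source)."""


def reconnect_delays(tries, sleeptime, maxsleeptime, maxconntries):
    """Sleeps performed between connection attempts before nss_ldap gives up.

    Assumed semantics of the options from the thread:
      nss_reconnect_tries        -> tries        (total attempts)
      nss_reconnect_sleeptime    -> sleeptime    (first back-off sleep)
      nss_reconnect_maxsleeptime -> maxsleeptime (cap on the doubling sleep)
      nss_reconnect_maxconntries -> maxconntries (attempts made without sleeping)
    """
    delays = []
    sleep = sleeptime
    for attempt in range(1, tries + 1):
        if attempt > maxconntries:
            delays.append(sleep)
            sleep = min(sleep * 2, maxsleeptime)
    return delays


def worst_case_block(policy, connect_cost, tries=5, sleeptime=4,
                     maxsleeptime=64, maxconntries=2):
    """Seconds a lookup stays blocked when the server never answers.

    policy:       "hard" retries up to `tries` times, "soft" attempts once
                  and lets nsswitch fall through to the next source.
    connect_cost: seconds each failed attempt costs. 0 models an immediate
                  connection refused; bind_timelimit (30 s in this model)
                  models a host that silently drops packets.
    """
    attempts = 1 if policy == "soft" else tries
    delays = reconnect_delays(attempts, sleeptime, maxsleeptime, maxconntries)
    return attempts * connect_cost + sum(delays)


# nsswitch.conf default actions: success returns, every other status continues.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def passwd_lookup(chain, outcomes):
    """Walk an nsswitch chain and return (final status, total seconds).

    chain:    list of (source, action overrides) as written in nsswitch.conf
    outcomes: dict source -> (status that source returns, seconds it took)
    """
    total = 0
    for source, overrides in chain:
        status, seconds = outcomes[source]
        total += seconds
        action = {**DEFAULT_ACTIONS, **overrides}[status]
        if action == "return":
            return status, total
    return "notfound", total


# The chain from the original post:
# passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
THREAD_CHAIN = [
    ("ldap", {"unavail": "continue", "notfound": "continue"}),
    ("files", {"success": "return", "notfound": "return"}),
]


def root_login_delay(policy, connect_cost, **reconnect_opts):
    """Seconds a console root login waits on the ldap source before
    /etc/master.passwd (files) answers; root is assumed to be local."""
    ldap_block = worst_case_block(policy, connect_cost, **reconnect_opts)
    status, total = passwd_lookup(THREAD_CHAIN,
                                  {"ldap": ("unavail", ldap_block),
                                   "files": ("success", 0)})
    assert status == "success"
    return total


if __name__ == "__main__":
    tuned = dict(sleeptime=0, maxsleeptime=1, maxconntries=1)
    for label, cost in (("connection refused", 0), ("black-holed host", 30)):
        print(f"--- {label} ({cost} s per failed attempt)")
        print("hard, defaults     :", root_login_delay("hard", cost), "s")
        print("hard, thread tuning:", root_login_delay("hard", cost, **tuned), "s")
        print("hard, tuning+tries=1:", root_login_delay("hard", cost, tries=1, **tuned), "s")
        print("soft               :", root_login_delay("soft", cost), "s")
```

Running it shows why the thread's three settings alone are not the whole story: with an immediately refused connection they cut the assumed back-off from 28 s to 0 s, but against a host that drops packets each of the five attempts still pays the full connection timeout, which is where the linked nss_reconnect_tries setting (and bind_timelimit) come in.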