Not better with REJECT
never tried start_tls. We currently use LDAP over TLS (using pam_ldap), so I'm trying with the same configuration.

> On Mar 14, 2016, at 11:22, Lukas Slebodnik <[email protected]> wrote:
>
> On (14/03/16 10:54), Cyril Scetbon wrote:
>> The full log can be found at http://pastebin.com/pk5bD2ks
>>
>> We can see that the ldap is marked as offline:
>>
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_mark_offline] (0x2000): Going offline!
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
>>
>> Then I see:
>>
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [sdap_pam_auth_handler] (0x0100): Backend is marked offline, retry later!
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [9][default]
>> (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [9][default]
>> (Mon Mar 14 15:40:09 2016) [sssd[be[default]]] [sbus_dispatch] (0x4000): dbus conn: 0x1c719d0
>> (Mon Mar 14 15:40:09 2016) [sssd[be[default]]] [sbus_dispatch] (0x4000): Dispatching.
>>
>> So I was expecting to get an ok from pam, as we use cache_credentials = true
>>
>> As I said, the only thing I did was drop my network packets sent to port 636 to simulate a dead ldap. It also takes ~36 seconds for the connection to fail because of it.
>
> Could you try reject instead of drop?
>
> Is there the same problem with ldap + start_tls?
>
> LS
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
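Added example, not part of the thread and not sssd project code: a small parser for the sssd_be debug lines quoted above that pulls out the moment the backend went offline and the PAM result code the responder then handed back. The sample log is reconstructed from the lines quoted in this thread (mail wrapping removed); the PAM code names are the Linux-PAM return values (9 is PAM_AUTHINFO_UNAVAIL, the "Authentication service cannot retrieve authentication info" string seen in the log). The diagnosis text is this example's own heuristic, not an sssd message.

```python
import re
from datetime import datetime

# Debug-log line format written by the sssd backend (sssd_be), as seen in the thread:
# (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [func_name] (0x0020): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# "Sending result [N][domain]" is the verdict the PAM responder passes back to pam_sss.
RESULT_RE = re.compile(r"Sending result \[(?P<code>\d+)\]\[(?P<domain>[^\]]*)\]")

# Linux-PAM return codes (subset) as used in that verdict.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
}

# Constructed sample: the thread's log lines with mail wrapping removed.
SAMPLE_LOG = [
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_mark_offline] (0x2000): Going offline!",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [sdap_pam_auth_handler] (0x0100): Backend is marked offline, retry later!",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [9][default]",
    "(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [9][default]",
    "(Mon Mar 14 15:40:09 2016) [sssd[be[default]]] [sbus_dispatch] (0x4000): dbus conn: 0x1c719d0",
]


def parse_line(line):
    """Split one sssd debug line into timestamp, process, function, level and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["level"] = int(rec["level"], 16)
    return rec


def analyze(lines):
    """Walk the log once; record the first offline transition and every PAM verdict."""
    report = {"offline_at": None, "offline_reason": None,
              "resolution_failures": 0, "pam_results": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not an sssd debug line (e.g. mail quoting residue)
        func, msg = rec["func"], rec["msg"]
        if func == "be_resolve_server_done" and "failed" in msg:
            report["resolution_failures"] += 1
        if func == "sdap_id_op_connect_done" and "going offline" in msg \
                and report["offline_at"] is None:
            report["offline_at"] = rec["ts"]
            report["offline_reason"] = msg
        r = RESULT_RE.search(msg)
        if func == "be_pam_handler_callback" and r:
            code = int(r.group("code"))
            report["pam_results"].append(
                (rec["ts"], code, PAM_CODES.get(code, "UNKNOWN"), r.group("domain")))
    return report


def diagnose(report):
    """Heuristic summary (this example's own wording, not an sssd message)."""
    if report["offline_at"] is None:
        return "backend never went offline in this log"
    codes = [c for _, c, _, _ in report["pam_results"]]
    if 9 in codes:
        return ("backend offline; PAM responder answered PAM_AUTHINFO_UNAVAIL (9) "
                "instead of a cached verdict: check cache_credentials and whether "
                "this user ever authenticated successfully online (sssd only caches "
                "a password hash after a successful online login)")
    return "backend offline; PAM verdicts: " + ", ".join(str(c) for c in codes)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print("offline at:", rep["offline_at"], "-", rep["offline_reason"])
    for ts, code, name, domain in rep["pam_results"]:
        print(f"{ts} pam result {code} ({name}) for domain '{domain}'")
    print(diagnose(rep))
```

Feed it `sssd_default.log` (or whatever `debug_level` output you have) line by line; the `>>` quoting in a mail has to be stripped first, which `parse_line` does not do. The interesting signal for the cache_credentials question is the pair "Backend is marked offline" followed by result 9: that is sssd answering from the offline path without a usable cached entry, which is why the diagnosis points at whether an online login for that user was ever cached.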
