Date: Wed, 23 Sep 2009 19:18:01 +0930 From: "Daniel O'Connor" <doconnor@gsoft.com.au> To: "O. Hartmann" <ohartman@zedat.fu-berlin.de> Cc: Erik Norgaard <norgaard@locolomo.org>, freebsd-questions@freebsd.org, freebsd-current@freebsd.org Subject: Re: LDAP server gone -> impossible to login locally! Message-ID: <200909231918.10541.doconnor@gsoft.com.au> In-Reply-To: <4AB9DDD8.2020700@zedat.fu-berlin.de> References: <4AB8BAA9.1060100@zedat.fu-berlin.de> <200909231104.39234.doconnor@gsoft.com.au> <4AB9DDD8.2020700@zedat.fu-berlin.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart1945813.sjCl92Da08 Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wed, 23 Sep 2009, O. Hartmann wrote: > Daniel O'Connor wrote: > > On Wed, 23 Sep 2009, Erik Norgaard wrote: > >> This sounds like the correct solution, AFAIK it's the same concept > >> as for NIS, first check local files, then ldap. You don't want > >> your root credentials possibly be leaked accross the network. On > >> the other hand you don't want or need user accounts in the local > >> files. > >> > >> Default first check local files which is fast, then fall back on > >> ldap if the user is not found. > > > > Actually I wrote them the wrong way, how odd! > > I actually have.. > > group: cache ldap files > > passwd: cache ldap files > > I had issues with the order > > 'files ldap' > > too, that's why I choosed 'ldap files'. Can you remember any details why? I can't :) > > On a related note, why is slapd so damn fragile? It's a righteous > > pain in the bum the way you have to run db_recover-X.Y > > /var/db/openldap-data if slapd fails to start. > > Yes, this is a lot of pain. I have had issues the same way and never > figured out what the reason was. /var/ is very often corrupted after > a crash, power failure or unclean reboot. Maybe not slpad is that > fragile, but db47 is. Yes, although openldap's handling of a bad DB is quite poor IMO.. That=20 said I haven't had the nerve to look at the code. I had a quick look to see if there was a more robust looking backend but=20 nothing jumped out at me. =2D-=20 Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au "The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C --nextPart1945813.sjCl92Da08 Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) iD8DBQBKue7a5ZPcIHs/zowRAiRjAJ9dAyjv7NLIlBBNW7iWjFR/ZtOHagCeMnfv rYoWEs9MMeFoCf8bv7lPa+Q= =Wzqf -----END PGP SIGNATURE----- --nextPart1945813.sjCl92Da08--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909231918.10541.doconnor>