Date:      Fri, 9 Jun 2006 21:14:10 -0400
From:      "Ansar Mohammed" <ansarm@gmail.com>
To:        "'Joe Shevland'" <jshevland@rowantreesoftware.com.au>, "'FreeBSD Questions Mailing List'" <freebsd-questions@freebsd.org>
Subject:   RE: nss_ldap and OpenLDAP client version
Message-ID:  <000001c68c2b$2f178230$0405a8c0@northamerica.corp.microsoft.com>
In-Reply-To: <44755DAD.50204@rowantreesoftware.com.au>

One of the more "undocumented" things here is to make sure that in your
/usr/local/etc/nss_ldap.conf your bind_policy is soft.

If not, you will have no end of problems if your ldap server goes down.

Basically if you have in your nsswitch.conf:

passwd: files ldap
group: files ldap

If your ldap server is down, nss_ldap keeps trying to reconnect and a lot of
apps just hang (like top, ls -la, etc.).




> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-
> questions@freebsd.org] On Behalf Of Joe Shevland
> Sent: May 25, 2006 3:33 AM
> To: freebsd-questions@freebsd.org
> Subject: nss_ldap and OpenLDAP client version
> 
> Hi,
> 
> I'm about to setup my jails so they authenticate against the 'host'
> server using OpenLDAP and nss_ldap, pam_ldap and so on. I've done this
> before but wanted to repeat the process because last time it ended up
> being so much fiddling that when I finished I just left it alone - this
> time I'm documenting it :) I packaged up versions of the port for
> OpenLDAP 2.3 (well, actually 2.4 but that looks to just use 2.3 in any
> case) and then went to package up the nss_ldap port but its after
> OpenLDAP 2.2 stuff... I guess my question is whether this is intentional
> (i.e. security related), or just a port maintenance issue? I would've
> thought between 2.2->2.3 there's been a few security advisories... I
> only did a lazy lightning google and came across a few
> (http://www.frsirt.com/english/advisories/2005/0947) is perhaps one.
> 
> Anyway, just thought I'd check. As punishment, if this is a stupid
> question or has been answered before, happy to write up a tutorial as I
> go as penance.
> 
> Cheers
> Joe
> 
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe@freebsd.org"
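
A check for the configuration described in the reply above, as an added example that is not part of the original message: it reads an nsswitch.conf and an nss_ldap.conf and reports when passwd or group consult ldap without bind_policy soft. The function names, the sample files and the rule that the last bind_policy line wins are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message); function names are hypothetical.

# Print the sources listed for one database ("passwd" or "group") in nsswitch.conf.
nss_sources() {  # $1 = database name, $2 = path to nsswitch.conf
    awk -v db="$1:" '
        { sub(/#.*/, "") }                               # drop comments
        $1 == db { for (i = 2; i <= NF; i++) print $i }  # one source per line
    ' "$2"
}

# Print the bind_policy value from nss_ldap.conf, or "unset" if there is none.
# Assumption: if the key appears more than once, the last line is the one reported.
bind_policy() {  # $1 = path to nss_ldap.conf
    awk '
        /^[ \t]*#/ { next }                              # skip comment lines
        tolower($1) == "bind_policy" { v = tolower($2) }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Return 0 when the pair of files is safe against an LDAP outage, 1 otherwise.
check_nss_ldap() {  # $1 = nsswitch.conf, $2 = nss_ldap.conf
    uses_ldap=no
    for db in passwd group; do
        if nss_sources "$db" "$1" | grep -qx ldap; then uses_ldap=yes; fi
    done
    if [ "$uses_ldap" = no ]; then
        echo "OK: passwd/group do not consult ldap"; return 0
    fi
    policy=$(bind_policy "$2")
    if [ "$policy" = soft ]; then
        echo "OK: bind_policy is soft"; return 0
    fi
    echo "RISK: passwd/group consult ldap but bind_policy is $policy"
    return 1
}

# Constructed sample files, written to a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'passwd: files ldap\ngroup: files ldap\n' > "$d/nsswitch.conf"
    printf 'host 192.0.2.10\nbase dc=example,dc=org\n' > "$d/hard.conf"
    printf 'host 192.0.2.10\nbind_policy soft\n' > "$d/soft.conf"
    check_nss_ldap "$d/nsswitch.conf" "$d/hard.conf" || true
    check_nss_ldap "$d/nsswitch.conf" "$d/soft.conf"
    rm -rf "$d"
}
demo
```

On a live host the call would be `check_nss_ldap /etc/nsswitch.conf /usr/local/etc/nss_ldap.conf`.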



