From owner-freebsd-questions@FreeBSD.ORG Tue Sep 22 11:53:10 2009
From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
Date: Tue, 22 Sep 2009 11:53:13 +0000
To: freebsd-questions@freebsd.org, freebsd-current@FreeBSD.org
Message-ID: <4AB8BAA9.1060100@zedat.fu-berlin.de>
Subject: LDAP server gone -> impossible to login locally!

Hello,

I run into trouble with FreeBSD and LDAP on a regular basis! Sometimes it is necessary to log in onto a bunch of servers with no LDAP service responding, due to service, a crash, an electrical disconnection, whatever. The problem is: I can't.
Using all prerequisites from ports (pam_ldap/nss_ldap/ldap, most recent), my /etc/nsswitch.conf looks like this, as it has been the most reasonable (and only working!) solution for the past 2 years:

passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]

The same for group. The intention is to have root- or wheel-group access for locally managed service users without timeouts due to unresponsive LDAP servers. But it does not work! If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent source/build) does nothing for approx. 120 seconds, and sometimes much longer, when trying to log in as root from the console. In some cases, the same box under the very same conditions refuses login due to a timeout, very strange.

After a while and lots of questions, the nsswitch.conf entries shown above were evaluated as those which should work, but exchanging 'ldap' and 'files' results in a never-can-login situation when LDAP isn't responding.

Is there a way to shorten the timeouts and if yes, where to look for it? 2 minutes for a login within service sessions is too much, a waste of time. Our network is very fast, so 30 seconds should be enough ...

Any help appreciated.

Thanks,
Oliver
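As an added illustration (not part of Oliver's mail and not the FreeBSD ports' shipped defaults), this is the kind of configuration to look at: an nsswitch.conf that consults local files first, next to nss_ldap options that bound how long an unreachable server is retried. The option names are those documented for the PADL nss_ldap ldap.conf; the server name, base DN and numeric values are illustrative assumptions, and the file path is the FreeBSD port's default.

```conf
# /etc/nsswitch.conf -- setting from the mail: LDAP is consulted first, so a
# root login waits for nss_ldap to give up on the server before files is read.
#passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]

# /etc/nsswitch.conf -- local files first. FreeBSD's default actions are
# success=return and notfound=continue, so root/wheel (which live in files)
# never touch LDAP, while a name unknown locally still falls through to LDAP.
# Writing "files [notfound=return] ldap" instead would block LDAP users entirely.
passwd: files ldap
group:  files ldap

# /usr/local/etc/nss_ldap.conf -- bound nss_ldap's retry behaviour.
# bind_policy hard (the default) keeps retrying the bind until the server
# answers; soft reports "unavailable" after the first failure so that
# nsswitch can move on to the next source.
uri ldap://ldap.example.org/       # assumed server (placeholder)
base dc=example,dc=org            # assumed base DN (placeholder)
bind_policy soft
bind_timelimit 5        # seconds to wait for connect/bind (illustrative value)
timelimit 10            # seconds to wait for a search result (illustrative value)
nss_reconnect_tries 1   # reconnect attempts before the source is reported unavailable
```

pam_ldap reads its own ldap.conf with the same bind_policy and bind_timelimit keys, so the PAM side of a console login needs the same bounds or it will wait on its own.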