Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 22 Sep 2009 23:05:40 +1000
From:      John Marshall <>
To:        "O. Hartmann" <>
Subject:   Re: LDAP server gone -> impossible to login locally!
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, 22 Sep 2009, 11:53 +0000, O. Hartmann wrote:
> Hello,
> I run into trouble with FreeBSD and LDAP on a regular basis!
> Sometimes it is necessary to log in onto a bunch of servers with no LDAP=
> service responding, due to service, crash, eletrically disconnetion,=20
> whatever. The problem is: I can't.
> Using all prerequisits from ports (pam_ldap/nss_ldap/ldap as most=20
> recent) my /etc/nsswitch.conf looks like this as it has been the most=20
> reasonable (and only working!) solution for the past 2 years:
> passwd: ldap [unavail=3Dcontinue notfound=3Dcontinue] files [success=3Dre=
> notfound=3Dreturn]
> The same for group. Intention is to have root- or wheel-group access of=
> local managed service users without timeouts due to irresponsible LDAP=20
> servers. But it does not work!
> If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent=
> source/build) does nothing for approx. 120 seconds and sometimes much=20
> longer when trying to login as root from console. In some cases, the=20
> same box under the very same conditions refuses login due to a timeout,=
> very strange.
> After a couple of time and lots of questiosn, the above showed=20
> nsswitch.conf entries were evaluated as those which should work, but=20
> exchanging 'ldap' and 'files' results in a never-can-login-situation,=20
> when LDAP isn't responsible.
> Is there a way to shorten the timeouts and if yes, where to look for? 2=
> minutes for a login within services sessions is too much, a waste of=20
> time. Our network is very fast, so 30 seconds should be enough ...

I've only recently started playing with LDAP but it sounds to me like
you probably have one of the 'hard' options set for the reconnect policy
in your nss_ldap.conf file.  I use 'bind_policy soft' so that if the
LDAP server isn't available we fail over to the next nsswitch service

I don't think further discussion of this thread belongs on the
freebsd-current list.

Hope this helps.

John Marshall

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v2.0.13 (FreeBSD)



Want to link to this message? Use this URL: <>