From: Dmitriy Kirhlarov
Date: Tue, 22 Sep 2009 22:25:49 +0400
To: "O. Hartmann", freebsd-questions@freebsd.org, freebsd-current@freebsd.org
Subject: Re: LDAP server gone -> impossible to login locally!
Message-ID: <4AB916AD.1050204@higis.ru>
References: <4AB8BAA9.1060100@zedat.fu-berlin.de> <20090922130540.GI1001@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <20090922130540.GI1001@rwpc12.mby.riverwillow.net.au>

John Marshall wrote:
> On Tue, 22 Sep 2009, 11:53 +0000, O. Hartmann wrote:
>> Hello,
>>
>> I run into trouble with FreeBSD and LDAP on a regular basis!
>>
>> Sometimes it is necessary to log in to a bunch of servers with no LDAP
>> service responding, due to service, crash, electrical disconnection,
>> whatever. The problem is: I can't.
>> Using all prerequisites from ports (pam_ldap/nss_ldap/ldap as most
>> recent) my /etc/nsswitch.conf looks like this, as it has been the most
>> reasonable (and only working!) solution for the past 2 years:
>>
>> passwd: ldap [unavail=continue notfound=continue] files [success=return
>> notfound=return]
>>
>> The same for group. The intention is to have root- or wheel-group access for
>> locally managed service users without timeouts due to unresponsive LDAP
>> servers. But it does not work!
>> If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent
>> source/build) does nothing for approx. 120 seconds and sometimes much
>> longer when trying to login as root from the console. In some cases, the
>> same box under the very same conditions refuses login due to a timeout,
>> very strange.
>>
>> After a while and lots of questions, the nsswitch.conf entries shown
>> above were evaluated as those which should work, but
>> exchanging 'ldap' and 'files' results in a never-can-login situation
>> when LDAP isn't responding.
>>
>> Is there a way to shorten the timeouts and if yes, where to look? 2
>> minutes for a login within service sessions is too much, a waste of
>> time. Our network is very fast, so 30 seconds should be enough ...
>
> I've only recently started playing with LDAP but it sounds to me like
> you probably have one of the 'hard' options set for the reconnect policy
> in your nss_ldap.conf file. I use 'bind_policy soft' so that if the
> LDAP server isn't available we fail over to the next nsswitch service
> immediately.
>
> I don't think further discussion of this thread belongs on the
> freebsd-current list.
>
> Hope this helps.
>

bind_policy soft is a bad solution. When you have network lag, you have a chance of getting a flapping connection error.

http://www.liquidx.net/blog/2006/04/03/nss_ldap-undocumented-nss_reconnect_tries/

nss_reconnect_sleeptime 0
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1

WBR
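Where the roughly two-minute hang comes from, as an added example that is not part of this thread: a simplified model of nss_ldap's hard-policy reconnect schedule, comparing the defaults (assumed from the nss_ldap sample ldap.conf) with the settings given in the reply. The doubling rule and the per-attempt timeout parameter are assumptions of the model, not nss_ldap's own code.

```python
"""Simplified model of nss_ldap's reconnect back-off (added example, not nss_ldap code).

Assumed behaviour: nss_reconnect_maxconntries attempts are made back to back, then
nss_reconnect_tries further attempts, each preceded by a sleep that starts at
nss_reconnect_sleeptime and doubles, capped at nss_reconnect_maxsleeptime.
Defaults are assumed from the nss_ldap sample ldap.conf."""
from dataclasses import dataclass


@dataclass
class ReconnectPolicy:
    bind_policy: str = "hard"   # "hard" (default) keeps retrying, "soft" gives up at once
    tries: int = 5              # nss_reconnect_tries: sleep-then-retry rounds
    sleeptime: int = 4          # nss_reconnect_sleeptime: first sleep, seconds
    maxsleeptime: int = 64      # nss_reconnect_maxsleeptime: cap on any one sleep
    maxconntries: int = 2       # nss_reconnect_maxconntries: attempts before sleeping


def sleep_schedule(p: ReconnectPolicy) -> list[int]:
    """Seconds slept before each retry round, in order (empty for soft policy)."""
    if p.bind_policy == "soft":
        return []
    sleeps, s = [], p.sleeptime
    for _ in range(p.tries):
        sleeps.append(min(s, p.maxsleeptime))
        s = min(s * 2, p.maxsleeptime)
    return sleeps


def worst_case_delay(p: ReconnectPolicy, per_attempt: int = 0) -> int:
    """Worst-case seconds one NSS lookup blocks while the LDAP server is down.

    per_attempt: seconds a single failed attempt itself costs (0 for an immediate
    connection refused, up to bind_timelimit for a host that silently drops packets)."""
    if p.bind_policy == "soft":
        return per_attempt
    attempts = p.maxconntries + p.tries
    return attempts * per_attempt + sum(sleep_schedule(p))


DEFAULT = ReconnectPolicy()
# Constructed from the three settings quoted in the reply above.
THREAD = ReconnectPolicy(sleeptime=0, maxsleeptime=1, maxconntries=1)

if __name__ == "__main__":
    for name, pol in (("default hard", DEFAULT), ("reply settings", THREAD),
                      ("bind_policy soft", ReconnectPolicy(bind_policy="soft"))):
        print(f"{name:17} sleeps={sleep_schedule(pol)} worst case={worst_case_delay(pol)}s")
```

With the defaults the sleeps alone sum to 124 s, which matches the "approx. 120 seconds" in the report; pass a non-zero `per_attempt` to see that against a black-holed server the reconnect tunables only bound the sleeps, so bind_timelimit still decides the total.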