From owner-freebsd-questions@FreeBSD.ORG Wed Sep 23 01:34:45 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6884D106568D; Wed, 23 Sep 2009 01:34:45 +0000 (UTC) (envelope-from doconnor@gsoft.com.au) Received: from cain.gsoft.com.au (cain.gsoft.com.au [203.31.81.10]) by mx1.freebsd.org (Postfix) with ESMTP id B3E058FC08; Wed, 23 Sep 2009 01:34:44 +0000 (UTC) Received: from inchoate.gsoft.com.au (inchoate.gsoft.com.au [203.31.81.30]) (authenticated bits=0) by cain.gsoft.com.au (8.13.8/8.13.8) with ESMTP id n8N1YfMT067520 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 23 Sep 2009 11:04:42 +0930 (CST) (envelope-from doconnor@gsoft.com.au) From: "Daniel O'Connor" To: Erik Norgaard Date: Wed, 23 Sep 2009 11:04:36 +0930 User-Agent: KMail/1.9.10 References: <4AB8BAA9.1060100@zedat.fu-berlin.de> <200909222248.16475.doconnor@gsoft.com.au> <4AB93614.2080106@locolomo.org> In-Reply-To: <4AB93614.2080106@locolomo.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2436435.bbRDvSTZIW"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200909231104.39234.doconnor@gsoft.com.au> X-Spam-Score: -3.624 () ALL_TRUSTED,AWL,BAYES_00 X-Scanned-By: MIMEDefang 2.63 on 203.31.81.10 Cc: freebsd-current@freebsd.org, "O. Hartmann" , freebsd-questions@freebsd.org Subject: Re: LDAP server gone -> impossible to login locally! X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Sep 2009 01:34:45 -0000 --nextPart2436435.bbRDvSTZIW Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wed, 23 Sep 2009, Erik Norgaard wrote: > This sounds like the correct solution, AFAIK it's the same concept as > for NIS, first check local files, then ldap. You don't want your root > credentials possibly be leaked accross the network. On the other hand > you don't want or need user accounts in the local files. > > Default first check local files which is fast, then fall back on ldap > if the user is not found. Actually I wrote them the wrong way, how odd! I actually have.. group: cache ldap files passwd: cache ldap files I think that if it fails ldap, it does so very quickly - it certainly=20 did this morning when I rebooted uncleanly. I believe I did try it as "cache files ldap" but I had some issues, I=20 can't recall what they were though. I had quite a bit of difficulty=20 getting it to work acceptably so when it did I left it alone :) On a related note, why is slapd so damn fragile? It's a righteous pain=20 in the bum the way you have to run db_recover-X.Y /var/db/openldap-data=20 if slapd fails to start. It wouldn't be so bad if it logged anything, but even with full logging=20 it gives a very cryptic message and if you have logging disabled (which=20 is recommended for performance!) it won't say _anything_. =2D-=20 Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au "The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C --nextPart2436435.bbRDvSTZIW Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) iD8DBQBKuXsv5ZPcIHs/zowRAnUkAJ47Q7wTM2MneJMjRXXmOYdqlAJfQQCgnTXK J/F9d1WkLucHikktWAJhHzk= =VDXn -----END PGP SIGNATURE----- --nextPart2436435.bbRDvSTZIW--