Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 23 Sep 2009 19:18:01 +0930
From:      "Daniel O'Connor" <doconnor@gsoft.com.au>
To:        "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc:        freebsd-questions@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: LDAP server gone -> impossible to login locally!
Message-ID:  <200909231918.10541.doconnor@gsoft.com.au>
In-Reply-To: <4AB9DDD8.2020700@zedat.fu-berlin.de>
References:  <4AB8BAA9.1060100@zedat.fu-berlin.de> <200909231104.39234.doconnor@gsoft.com.au> <4AB9DDD8.2020700@zedat.fu-berlin.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
--nextPart1945813.sjCl92Da08
Content-Type: text/plain;
  charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Wed, 23 Sep 2009, O. Hartmann wrote:
> Daniel O'Connor wrote:
> > On Wed, 23 Sep 2009, Erik Norgaard wrote:
> >> This sounds like the correct solution, AFAIK it's the same concept
> >> as for NIS, first check local files, then ldap. You don't want
> >> your root credentials possibly be leaked accross the network. On
> >> the other hand you don't want or need user accounts in the local
> >> files.
> >>
> >> Default first check local files which is fast, then fall back on
> >> ldap if the user is not found.
> >
> > Actually I wrote them the wrong way, how odd!
> > I actually have..
> > group: cache ldap files
> > passwd: cache ldap files
>
> I had issues with the order
>
> 'files ldap'
>
> too, that's why I choosed 'ldap files'.

Can you remember any details why? I can't :)

> > On a related note, why is slapd so damn fragile? It's a righteous
> > pain in the bum the way you have to run db_recover-X.Y
> > /var/db/openldap-data if slapd fails to start.
>
> Yes, this is a lot of pain. I have had issues the same way and never
> figured out what the reason was. /var/ is very often corrupted after
> a crash, power failure or unclean reboot. Maybe not slpad is that
> fragile, but db47 is.

Yes, although openldap's handling of a bad DB is quite poor IMO.. That=20
said I haven't had the nerve to look at the code.

I had a quick look to see if there was a more robust looking backend but=20
nothing jumped out at me.

=2D-=20
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

--nextPart1945813.sjCl92Da08
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iD8DBQBKue7a5ZPcIHs/zowRAiRjAJ9dAyjv7NLIlBBNW7iWjFR/ZtOHagCeMnfv
rYoWEs9MMeFoCf8bv7lPa+Q=
=Wzqf
-----END PGP SIGNATURE-----

--nextPart1945813.sjCl92Da08--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?200909231918.10541.doconnor>