Date:      Tue, 22 Sep 2009 22:25:49 +0400
From:      Dmitriy Kirhlarov <dimma@higis.ru>
To:        "O. Hartmann" <ohartman@zedat.fu-berlin.de>,  freebsd-questions@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: LDAP server gone -> impossible to login locally!
Message-ID:  <4AB916AD.1050204@higis.ru>
In-Reply-To: <20090922130540.GI1001@rwpc12.mby.riverwillow.net.au>
References:  <4AB8BAA9.1060100@zedat.fu-berlin.de> <20090922130540.GI1001@rwpc12.mby.riverwillow.net.au>

John Marshall wrote:
> On Tue, 22 Sep 2009, 11:53 +0000, O. Hartmann wrote:
>> Hello,
>>
>> I run into trouble with FreeBSD and LDAP on a regular basis!
>>
>> Sometimes it is necessary to log in to a bunch of servers with no LDAP 
>> service responding, due to service, crash, electrical disconnection, 
>> whatever. The problem is: I can't.
>> Using all prerequisites from ports (pam_ldap/nss_ldap/ldap as most 
>> recent) my /etc/nsswitch.conf looks like this as it has been the most 
>> reasonable (and only working!) solution for the past 2 years:
>>
>> passwd: ldap [unavail=continue notfound=continue] files [success=return 
>> notfound=return]
>>
>> The same for group. Intention is to have root- or wheel-group access of 
>> local managed service users without timeouts due to irresponsible LDAP 
>> servers. But it does not work!
>> If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent 
>> source/build) does nothing for approx. 120 seconds and sometimes much 
>> longer when trying to login as root from console. In some cases, the 
>> same box under the very same conditions refuses login due to a timeout, 
>> very strange.
>>
>> After a couple of times and lots of questions, the above shown 
>> nsswitch.conf entries were evaluated as those which should work, but 
>> exchanging 'ldap' and 'files' results in a never-can-login-situation, 
>> when LDAP isn't responsible.
>>
>> Is there a way to shorten the timeouts and if yes, where to look for? 2 
>> minutes for a login within services sessions is too much, a waste of 
>> time. Our network is very fast, so 30 seconds should be enough ...
> 
> I've only recently started playing with LDAP but it sounds to me like
> you probably have one of the 'hard' options set for the reconnect policy
> in your nss_ldap.conf file.  I use 'bind_policy soft' so that if the
> LDAP server isn't available we fail over to the next nsswitch service
> immediately.
> 
> I don't think further discussion of this thread belongs on the
> freebsd-current list.
> 
> Hope this helps.
> 

bind_policy soft
is a bad solution. When you have network lags, you have a chance of getting 
flapping connection errors.

http://www.liquidx.net/blog/2006/04/03/nss_ldap-undocumented-nss_reconnect_tries/
nss_reconnect_sleeptime 0
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1

WBR
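Added example, not part of this thread and not nss_ldap's own code: a small POSIX sh script that reads the reconnect settings out of an nss_ldap.conf and estimates how long a single lookup can stall before nss_ldap reports "unavailable" and nsswitch moves on to `files`. The retry model is an assumption about nss_ldap's reconnect logic (immediate attempts, then sleeping attempts with doubling backoff, each attempt bounded by bind_timelimit), and the defaults it fills in (bind_policy hard, nss_reconnect_tries 5, nss_reconnect_sleeptime 4, nss_reconnect_maxsleeptime 64, nss_reconnect_maxconntries 2, bind_timelimit 30) are assumed to be those of the sample ldap.conf of that era; check both against the ldap.conf(5) of the port you run. The two sample configs are constructed for the example, not taken from anyone's machine, and `ldap.example.org` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how long one nss_ldap lookup
# can stall when the LDAP server is down, from the reconnect settings in a
# given nss_ldap.conf.
#
# Assumed model of nss_ldap's reconnect behaviour (verify against your version):
#   - bind_policy soft: one connect attempt, no retries, no sleeping
#   - bind_policy hard (default): nss_reconnect_maxconntries (default 2)
#     immediate attempts, then nss_reconnect_tries (default 5) more, each
#     preceded by a sleep that starts at nss_reconnect_sleeptime (default 4)
#     and doubles while it is below nss_reconnect_maxsleeptime (default 64)
#   - every attempt can itself block for up to bind_timelimit (default 30)
#     seconds if the host does not answer (black-holed SYN rather than RST)

# nss_setting FILE KEY DEFAULT: print the last value of KEY in FILE, else DEFAULT
nss_setting() {
    val=$(awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1")
    printf '%s\n' "${val:-$3}"
}

# nss_attempts FILE: number of connect attempts before nss_ldap gives up
nss_attempts() {
    if [ "$(nss_setting "$1" bind_policy hard)" = soft ]; then
        echo 1
    else
        maxconn=$(nss_setting "$1" nss_reconnect_maxconntries 2)
        tries=$(nss_setting "$1" nss_reconnect_tries 5)
        echo $((maxconn + tries))
    fi
}

# nss_sleep_total FILE: seconds spent sleeping between retries (hard policy only)
nss_sleep_total() {
    if [ "$(nss_setting "$1" bind_policy hard)" = soft ]; then
        echo 0
        return
    fi
    tries=$(nss_setting "$1" nss_reconnect_tries 5)
    sleeptime=$(nss_setting "$1" nss_reconnect_sleeptime 4)
    maxsleep=$(nss_setting "$1" nss_reconnect_maxsleeptime 64)
    total=0; backoff=0; i=0
    while [ "$i" -lt "$tries" ]; do
        if [ "$backoff" -eq 0 ]; then
            backoff=$sleeptime                 # first sleeping retry
        elif [ "$backoff" -lt "$maxsleep" ]; then
            backoff=$((backoff * 2))           # exponential backoff
        fi
        total=$((total + backoff))
        i=$((i + 1))
    done
    echo "$total"
}

# nss_worst_case FILE: upper bound in seconds for one lookup against a dead server
nss_worst_case() {
    sleeps=$(nss_sleep_total "$1")
    attempts=$(nss_attempts "$1")
    timelimit=$(nss_setting "$1" bind_timelimit 30)
    echo $((sleeps + attempts * timelimit))
}

# Constructed sample configs (placeholders, not anyone's real server).
NSS_DEMO_DIR=$(mktemp -d)
NSS_CONF_HARD=$NSS_DEMO_DIR/hard.conf     # stock defaults: what the poster saw
NSS_CONF_TUNED=$NSS_DEMO_DIR/tuned.conf   # settings suggested in the reply
printf 'uri ldap://ldap.example.org/\nbase dc=example,dc=org\n' > "$NSS_CONF_HARD"
printf 'uri ldap://ldap.example.org/\nbase dc=example,dc=org\n' > "$NSS_CONF_TUNED"
printf 'nss_reconnect_sleeptime 0\nnss_reconnect_maxsleeptime 1\nnss_reconnect_maxconntries 1\n' \
    >> "$NSS_CONF_TUNED"

for f in "$NSS_CONF_HARD" "$NSS_CONF_TUNED"; do
    printf '%s: %s attempts, %s s sleeping, up to %s s total\n' \
        "$(basename "$f")" "$(nss_attempts "$f")" \
        "$(nss_sleep_total "$f")" "$(nss_worst_case "$f")"
done
```

With the stock defaults the sleeps alone add up to 4+8+16+32+64 = 124 s, which is the "approx. 120 seconds" reported above when the server refuses connections outright. With the suggested settings the sleeps disappear, but each of the remaining six connect attempts can still wait out bind_timelimit if the host is unreachable rather than refusing, so lower bind_timelimit (or nss_reconnect_tries) as well if that is the failure you need to survive. bind_policy soft collapses everything to a single attempt, which is exactly the flapping trade-off mentioned above; either way the `[unavail=continue]` fallback to local root in nsswitch.conf only fires once this retry budget is spent.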



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AB916AD.1050204>