From owner-freebsd-current@FreeBSD.ORG Tue Sep 22 20:55:37 2009
From: Erik Norgaard <norgaard@locolomo.org>
Date: Tue, 22 Sep 2009 22:39:48 +0200
To: Daniel O'Connor
Cc: freebsd-current@freebsd.org, "O. Hartmann", freebsd-questions@freebsd.org
Subject: Re: LDAP server gone -> impossible to login locally!
Message-ID: <4AB93614.2080106@locolomo.org>
In-Reply-To: <200909222248.16475.doconnor@gsoft.com.au>
References: <4AB8BAA9.1060100@zedat.fu-berlin.de> <200909222248.16475.doconnor@gsoft.com.au>

Daniel O'Connor wrote:
> On Tue, 22 Sep 2009, O. Hartmann wrote:
>> I run into trouble with FreeBSD and LDAP on a regular basis!
>>
>> Sometimes it is necessary to log in to a bunch of servers with no
>> LDAP service responding, due to service, crash, electrical
>> disconnection, whatever. The problem is: I can't.
>> Using all prerequisites from ports (pam_ldap/nss_ldap/ldap as most
>> recent) my /etc/nsswitch.conf looks like this, as it has been the most
>> reasonable (and only working!) solution for the past 2 years:
>>
>> passwd: ldap [unavail=continue notfound=continue] files
>> [success=return notfound=return]
>
> I just have
> passwd: cache files ldap
> group: cache files ldap
>
> and I can login as root locally without any delay.
>
> That said my LDAP server is on the same machine so perhaps it fails
> faster. I am using "uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/" to
> connect to.
>

This sounds like the correct solution; AFAIK it's the same concept as for
NIS: first check local files, then LDAP. You don't want your root
credentials possibly leaked across the network. On the other hand you
don't want or need user accounts in the local files. Default first check
local files, which is fast, then fall back on LDAP if the user is not
found.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
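The two nsswitch.conf orderings quoted in this message, run through a small simulator of the source-by-source status/action evaluation that nsswitch.conf(5) describes. This is an added example, not code from the thread or from FreeBSD; the backend behaviours (files knowing only root, an unreachable LDAP server costing a 30 s connect timeout, a cold nscd cache) and the helper names passwd_lookup/lookup are assumptions.

```python
import re

# Default status->action table for a source with no bracketed criteria
# (the defaults described in nsswitch.conf(5)).
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_nsswitch_line(line):
    """'passwd: ldap [unavail=continue] files' -> ('passwd', [(src, actions), ...])."""
    db, _, spec = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):        # criteria modify the preceding source
            if not entries:
                raise ValueError("criteria before any source: " + line)
            for pair in tok[1:-1].split():
                status, action = pair.lower().split("=")
                entries[-1][1][status] = action
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), entries

def lookup(entries, user, sources):
    """Walk the sources in order; `sources` maps a source name to a function
    returning (status, milliseconds_spent). Returns (status, total_ms)."""
    elapsed, status = 0, "notfound"
    for src, actions in entries:
        status, cost = sources[src](user)
        elapsed += cost
        if actions.get(status, "continue") == "return":
            break
    return status, elapsed

# Constructed stand-ins for the backends (assumed figures, not measured):
# local files know only root, the LDAP server is unreachable and costs a
# 30 s connect timeout, and the nscd cache is cold.
SOURCES = {
    "files": lambda u: ("success", 10) if u == "root" else ("notfound", 10),
    "ldap": lambda u: ("unavail", 30_000),
    "cache": lambda u: ("notfound", 10),
}

HARTMANN = ("passwd: ldap [unavail=continue notfound=continue] "
            "files [success=return notfound=return]")
OCONNOR = "passwd: cache files ldap"

def passwd_lookup(line, user):
    """(final status, ms spent) for `user` under the given nsswitch line."""
    _, entries = parse_nsswitch_line(line)
    return lookup(entries, user, SOURCES)
```

Under the first line a local root lookup cannot be answered until the LDAP connect timeout has elapsed, which is the delay the thread is about; under the second, files answers for root before ldap is consulted at all, and only lookups of LDAP-only users still wait.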