
List:       nssldap
Subject:    Re: [nssldap] Authentication fails when ldap server is down.
From:       "Ivaylo Stratkov" <istratkov () hotmail ! com>
Date:       2005-12-19 1:37:55
Message-ID: BAY102-F25DD0900B47A85470C5F79B43F0 () phx ! gbl

Let's try to break this in steps.
1. The password is verified
2. The session is setup
2.1. Determine UID, PGID ... from /etc/passwd
2.2. Find the group memberships.

Now step by step: for 1) to be fast you need the correct order in the login PAM 
configuration file. For 2.1) to be fast you need /etc/passwd to be 
searched first, that is, the correct order in /etc/nsswitch.conf.

Well, for 2.2) you cannot do anything to avoid the LDAP search. At this point the 
name switch will go through all groups and find whether the user is in the group. 
Let's say in /etc/nsswitch.conf there is:

group files ldap

first /etc/group will be read, and then what? Go to LDAP and read all 
groups.

Am I getting it right? Check me: for the experiment, change your 
/etc/nsswitch.conf line for groups to:

group files

and see if login is fast.

Ivaylo


>From: Jafar Aliev <ml@usn.ru>
>Reply-To: Jafar Aliev <ml@usn.ru>
>To: nssldap@padl.com
>Subject: Re: [nssldap] Authentication fails when ldap server is down.
>Date: Thu, 15 Dec 2005 17:07:41 +0300
>
>Good day.
>
>   I've noticed the same problem, but authentication does not completely fail,
>   it just makes a long (about 2 minutes) timeout.
>
>   This is copy of my message to alt.os.linux.slackware:
>
>-----------------------------------------------------------------------------
>I've been implementing LDAP user authority through nss_ldap on Slackware 10.2.
>The problem is that in configurations where files are to be checked
>before ldap, it still looks for the ldap server. This causes a delay in
>boot and login if the ldap server is not available.
>
>part of nsswitch.conf file:
>-----------------------------------
>passwd:         files ldap
>group:          files ldap
>shadow:         files ldap
>-----------------------------------
>
>There are these messages for every name resolution in the log file:
>/var/log/messages
>-----------------------------------
><service name>: nss_ldap: reconnecting to LDAP server (sleeping 4 
>seconds)...
><service name>: nss_ldap: reconnecting to LDAP server (sleeping 8 
>seconds)...
><service name>: nss_ldap: reconnecting to LDAP server (sleeping 16 
>seconds)...
><service name>: nss_ldap: reconnecting to LDAP server (sleeping 32 
>seconds)...
><service name>: nss_ldap: reconnecting to LDAP server (sleeping 64 
>seconds)...
>-----------------------------------
><service name> - the service that does name resolution (including slapd).
>
>Modifying nsswitch.conf to this form does not help. (According to the 
>nsswitch.conf man
>page this is standard behaviour.)
>-----------------------------------
>passwd:         files [SUCCESS=return] ldap
>-----------------------------------
>
>How do I make this work as it should: stop after a successful lookup in the local 
>files?
>-----------------------------------------------------------------------------
>
>--
>Best regards,
>  Jafar Aliev <admin at usn dot ru>
>  usn.ru administrator
>
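
The lookup-order reasoning in this thread (a single-entry lookup such as getpwnam() stops at the first service that answers, while group membership for a login is merged from every service on the group line, and [SUCCESS=return] is already the default so writing it out changes nothing) can be checked with a small simulation. The script below is an added example, not code from nss_ldap or glibc: it parses nsswitch.conf lines including [STATUS=action] qualifiers, models the lookups one login does for a user who exists in the local files, and estimates the stall from the nss_ldap reconnect back-off using the sleep values in the quoted log (4+8+16+32+64 = 124 s, the "about 2 minutes" reported). The sample nsswitch.conf text, the group names, and the assumption that an unreachable server costs one full back-off per lookup are constructed for the example.

```python
"""Simulate glibc NSS lookup order for nsswitch.conf lines (added example)."""
import re

# Default action per status when no [...] qualifier overrides it, per
# nsswitch.conf(5): only SUCCESS stops the walk by default.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}
STATUSES = tuple(DEFAULT_ACTIONS)

# Reconnect sleeps taken from the /var/log/messages lines quoted in the
# thread; their sum (124 s) is the "about 2 minutes" the poster saw.
BACKOFF_SLEEPS = (4, 8, 16, 32, 64)

# A token is either a [STATUS=action ...] qualifier or a service name.
_TOKEN = re.compile(r"\[([^\]]*)\]|([^\s\[\]]+)")


def parse_nsswitch_line(line):
    """Parse 'db: svc [STATUS=action ...] svc ...'.

    Returns (database, [(service, actions)]) where actions maps every
    status to 'return' or 'continue' for that service.
    """
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an nsswitch.conf entry: %r" % line)
    services = []
    for qualifier, word in _TOKEN.findall(rest.split("#", 1)[0]):
        if word:
            services.append((word.lower(), dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("qualifier before any service: %r" % line)
        actions = services[-1][1]
        for spec in qualifier.split():
            status, _, action = spec.partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!").upper()
            if status not in STATUSES or not action:
                raise ValueError("bad qualifier %r" % spec)
            # '!STATUS=action' applies the action to every other status.
            targets = [s for s in STATUSES if s != status] if negate else [status]
            for s in targets:
                actions[s] = action.lower()
    return db.strip().lower(), services


def lookup(services, has_entry, down=()):
    """Single-entry lookup such as getpwnam(3): walk the services in order
    and stop at the first whose status maps to 'return'.

    has_entry: services holding the entry; down: services whose backend is
    unreachable (status UNAVAIL). Returns (answering service or None,
    services contacted in order).
    """
    contacted = []
    for svc, actions in services:
        contacted.append(svc)
        if svc in down:
            status = "UNAVAIL"
        elif svc in has_entry:
            status = "SUCCESS"
        else:
            status = "NOTFOUND"
        if actions[status] == "return":
            return (svc if status == "SUCCESS" else None), contacted
    return None, contacted


def initgroups(services, memberships, down=()):
    """Group-membership lookup (initgroups(3)): every service on the line
    is consulted and the results merged, so SUCCESS=return never cuts it
    short. memberships: service -> groups the user belongs to there."""
    groups, contacted = [], []
    for svc, _actions in services:
        contacted.append(svc)
        if svc in down:
            continue
        for g in memberships.get(svc, ()):
            if g not in groups:
                groups.append(g)
    return groups, contacted


def backoff_delay(contacted, down, sleeps=BACKOFF_SLEEPS):
    """Seconds stalled if each contacted-but-down service runs the full
    reconnect back-off (assumption: one back-off per lookup)."""
    return sum(sleeps) * sum(1 for s in contacted if s in down)


def diagnose(nsswitch_text, down=("ldap",)):
    """Per database: services touched when a user present in the local
    files logs in, and the back-off stall with the given backends down."""
    report = {}
    for line in nsswitch_text.splitlines():
        if not line.split("#", 1)[0].strip():
            continue
        db, services = parse_nsswitch_line(line)
        if db == "group":
            _, contacted = initgroups(services, {"files": ["users"]}, down)
        else:
            _, contacted = lookup(services, {"files"}, down)
        report[db] = (contacted, backoff_delay(contacted, down))
    return report


# Constructed sample: the poster's configuration and the suggested experiment.
SLOW = "passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n"
FAST = "passwd: files ldap\ngroup:  files\nshadow: files ldap\n"

if __name__ == "__main__":
    for label, text in (("files ldap", SLOW), ("group: files", FAST)):
        for db, (contacted, delay) in diagnose(text).items():
            print("%-12s %-7s contacts %-11s stall %3ds"
                  % (label, db, " ".join(contacted), delay))
```

Running it shows passwd and shadow stopping at files with no stall, while the group line of the poster's configuration contacts ldap and absorbs the whole back-off; with the experiment's `group: files` line the stall disappears, which is the quick check suggested above. The model is deliberately simple: it does not account for nss_ldap caching the "down" state between lookups or for the other lookups PAM modules perform.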

