
List:       nssldap
Subject:    Re: [nssldap] Change in bind_policy behaviour between 239 and 245
From:       Buchan Milne <bgmilne () mandriva ! org>
Date:       2006-02-03 6:29:27
Message-ID: 200602030829.33631.bgmilne () mandriva ! org


On Friday 03 February 2006 03:25, Luke Howard wrote:
> > In a lot of cases I have been involved in, the biggest concern people have
> > had with using nss_ldap has been the potential inability to log in with a
> > local account when there are problems/outages etc. This change really
> > exacerbates the problem, and I can't afford to consider deploying this at
> > work, or updating the Mandriva packages to any version that operates like
> > this, as it *will* break some machines (I can't force the use of
> > "bind_policy soft" for all upgrades).
>
> If you want to be able to log in as a local user, then configure PAM
> appropriately and add "nss_initgroups_ignoreusers root" (replace root
> with a comma-separated list of local users) to ldap.conf.

I don't think this is a good generic solution ...

> We believe this is the current implementation of the "hard" rebind
> policy and are not going to change it. However we would consider making
> soft the default and/or changing the default timeouts.

Having "soft" the default would be much more sensible IMHO.

-- 
Buchan Milne
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
