
SUMMARY: Red Hat Linux 8.0 hangs as an LDAP client when LDAP server goes down

Greetings, again.

I seem to have found a working solution for our original woes.

Lans Carstensen suggested that we lower the timeout for the NSS resolver library, NSS_LDAP. He also suggested that we make the LDAP PAM module return on system errors. Here's what he suggested, in his words:

---------
First off, upgrade to the latest/greatest nss_ldap from ftp.padl.com and configure bind_timelimit to something small like 10 seconds. The default I believe is 15 minutes or somesuch, which means 15 minutes to time out per process creation. It's absolutely insane, and that's why you're having to reboot systems - they're stuck in the resolver library waiting on a huge timeout.

Secondly, pull the line from /etc/pam.d/system-auth that looks like:
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

I believe that's what prevents root logins. My read on it is that it's quashing errors being returned in pam_stack and is therefore not letting the stack rules fall through properly to allow a local root login. I could be wrong, but it works for us.

Finally, if you're serious about LDAP I'd recommend getting a support contract with Luke Howard's company, PADL software. (http://www.padl.com/)
---------


I'm beginning to think that this configurable behavior should be the default. I'm CCing this message to the Core development mailing list at open-it, where we discuss these issues. I'd also suggest extending NSS_LDAP to create a persistent local cache, which should only be used when the LDAP server is down. This would drive LDAP authentication one step closer to hands-free offline authentication (a worthy goal). I'm sure the path to this goal is filled with thorny issues, but I'm also sure it's worth the job. Especially for corporate customers =).

I'm shamelessly plugging Directory administrator (http://diradmin.open-it.org/) as a user/group management tool, for those of us who are using LDAP authentication. It still has a way to go, but I plan to build several enhancements to improve large-scale deployment scenarios.

luck,

       Manuel Amador
_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@linuxmanagers.org
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers
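As an added example (not part of the thread and not nss_ldap or PADL code), a small Python audit of the two settings the quoted advice touches: whether an nss_ldap ldap.conf sets bind_timelimit to a small value, and whether a pam.d/system-auth file still carries the pam_ldap account line whose control field ignores system_err. The file contents are constructed samples, and the 10-second threshold follows the advice above.

```python
import re

# Constructed sample: an nss_ldap /etc/ldap.conf with bind_timelimit left unset
LDAP_CONF_BEFORE = """\
host ldap.example.com
base dc=example,dc=com
# bind_timelimit not set, so each process waits out the library default
"""

# Constructed sample: the same file with the small timeout the advice recommends
LDAP_CONF_AFTER = """\
host ldap.example.com
base dc=example,dc=com
bind_timelimit 10
"""

# Constructed sample: the /etc/pam.d/system-auth line the advice says to pull
PAM_SYSTEM_AUTH = """\
account     required      /lib/security/pam_unix.so
account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""

def parse_ldap_conf(text):
    """Return {option: value} for 'option value' lines; comments and blanks are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_bind_timelimit(text, max_seconds=10):
    """Return a finding string when bind_timelimit is missing, malformed or too large, else None."""
    value = parse_ldap_conf(text).get("bind_timelimit")
    if value is None:
        return "bind_timelimit not set; library default applies"
    if not value.isdigit():
        return f"bind_timelimit is not an integer: {value!r}"
    seconds = int(value)
    if seconds > max_seconds:
        return f"bind_timelimit {seconds}s exceeds {max_seconds}s"
    return None

def audit_pam_ldap_account(text):
    """Return pam_ldap 'account' lines whose [...] control field contains system_err=ignore."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("account") or "pam_ldap.so" not in line:
            continue
        m = re.search(r"\[([^\]]*)\]", line)
        if m and "system_err=ignore" in m.group(1).split():
            findings.append(line.strip())
    return findings
```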
