From: "Eugene M. Zheganin" <emz@norma.perm.ru>
Date: Mon, 05 Mar 2012 18:07:22 +0600
To: freebsd-questions@freebsd.org
Subject: nsswitch and unavailable backends

Hi.

I'm trying to set up LDAP user authentication. I use the net/nss_ldap and security/pam_ldap ports to do this. I'm doing this following the article from the documentation set.

Though it's not that complete and misses some very important stuff, I've actually set up the LDAP installations and my users are able to successfully authenticate and log in on my servers. Then I ran into a serious issue. :)

When the LDAP server is off/unavailable, users cannot log in - I mean, even the local users.

nsswitch.conf:

    group: files ldap
    hosts: files dns
    networks: files
    passwd: files ldap
    shells: files
    services: files
    protocols: files
    rpc: files

If I remove ldap, all is fine, of course, besides the fact that this breaks the LDAP authentication.

I've read the nsswitch manual and saw that I can handle the unavailable LDAP server with some action flags, but the default action is 'continue' already. I also tried the [notfound=return unavail=return tryagain=return] mantra (it's harmless to try since it's the last backup) but this didn't work either. sshd crashes with signal 11, crond does the same. Sad.

On a machine running the LDAP server the situation is even funnier: the LDAP server, even having a local account to work under, still tries to query itself on start, making the startup impossible.

Can this situation be solved? Right now I remove the 'ldap' backend, start slapd, add the ldap backends again, and so on.

Thanks.
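As an added example (not part of the original post), the following simulates how the sources and [status=action] blocks on an nsswitch.conf line are evaluated, using the documented defaults (success=return, everything else continue) and constructed backends in which "ldap" is always unavailable. It shows that for the quoted "passwd: files ldap" line a local user is resolved from files before ldap is ever consulted, so the action flags alone do not explain local users failing to log in.

```python
# Added example: a small model of nsswitch.conf source/action evaluation.
# Backends are constructed for illustration; "ldap" models a server that is down.
import re

# Default action per lookup status, as documented in nsswitch.conf(5).
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_nsswitch_line(line):
    """Parse e.g. 'passwd: files ldap [unavail=return]' into
    (database, [(source, {status: action}), ...])."""
    db, _, rest = line.partition(":")
    sources = []
    # A bracketed block binds to the source that precedes it.
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError("action block before any source")
            actions = sources[-1][1]
            for pair in tok.strip("[]").split():
                status, action = pair.lower().split("=")
                actions[status] = action
        else:
            sources.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), sources

def lookup(sources, backends, key):
    """Walk the sources in order. backends maps a source name to a callable
    returning a status string. Returns (status, source_that_returned);
    the source is None when every source was consulted without 'return'."""
    status = "notfound"
    for name, actions in sources:
        backend = backends.get(name)
        status = backend(key) if backend else "unavail"
        if actions.get(status, "continue") == "return":
            return status, name
    return status, None

# Constructed backends: local files know two accounts, LDAP never answers.
LOCAL_USERS = {"root", "localadmin"}
BACKENDS = {
    "files": lambda key: "success" if key in LOCAL_USERS else "notfound",
    "ldap": lambda key: "unavail",  # server off, as in the post
}

if __name__ == "__main__":
    _, srcs = parse_nsswitch_line("passwd: files ldap")
    print(lookup(srcs, BACKENDS, "root"))   # ('success', 'files')
    print(lookup(srcs, BACKENDS, "alice"))  # ('unavail', None)
```

Because a hit in files returns immediately, the ldap module only matters for lookups that files cannot satisfy; a login that hangs or crashes for a local user therefore points at the ldap module being initialised or failing, not at the action flags.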