From owner-freebsd-stable@FreeBSD.ORG Wed Mar 19 12:24:15 2008
Date: Wed, 19 Mar 2008 15:24:12 +0300
From: Dmitriy Kirhlarov
To: Daniel Bond
Cc: freebsd-stable@freebsd.org, ohartman@zedat.fu-berlin.de, Valerio Daelli
Subject: Re: [Working fix] Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0
List-Id: Production branch of FreeBSD source code

Daniel Bond wrote:
> |> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> |> /usr/local/etc/ldap.conf -> openldap/ldap.conf
> |
> | I'm not sure it is correct.
> | etc/ldap.conf and etc/openldap/ldap.conf -- different files for
> | different purposes.
> | etc/nss_ldap.conf -> etc/ldap.conf -- it's correct.
> |
>
> The ldap.conf file is only used for nss_ldap and pam_ldap, so I don't
> suppose it really matters where the config-file resides.

etc/ldap.conf can be used by sudo, for example.
etc/openldap/ldap.conf -- library config.

> You are absolutely correct, when I change *bind_policy* to *hard*, the
> problem goes away, nss_ldap stops whining about contacting server in
> /var/log/auth.log. SSH with pubkey-exchange or password authentication
> also works with bind_policy hard.

Ok. Next.
I'm sorry, but this solution is a little dangerous. When your LDAP server
is unreachable, nss_ldap tries to connect again and again and doesn't
switch to the next method described in /etc/nsswitch.conf.
For example, if your computer must get its IP over dhcpd, the OS needs the
uid for dhclient and asks nss_ldap for it, but nss_ldap can't connect to
the LDAP server because the computer doesn't have an IP address yet.
When you are using bind_policy hard, you also need to tune bind_timelimit
and idle_timelimit in ldap.conf and use "files [Status=Action] ldap" in
/etc/nsswitch.conf, where Status and Action must be chosen.

> Although it would be nice to have "bind_policy soft" working properly

Yes. It's a really fine option, but I'm not sure about the source of the
problem (OS version or nss_ldap) and don't know how to debug this issue.

WBR.
Dmitriy
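The configuration Dmitriy describes, written out as an added example (not a file posted by anyone in this thread): a bounded "bind_policy hard" for nss_ldap beside the unbounded one, plus an nsswitch.conf that keeps local files in front of LDAP so local accounts never block on an unreachable server. The host, base DN, timeout values and the user list are assumptions chosen for illustration; the option names are nss_ldap's own (ldap.conf) and FreeBSD's nsswitch.conf status/action syntax.

```conf
# /usr/local/etc/ldap.conf  -- read by nss_ldap and pam_ldap.
# This is NOT /usr/local/etc/openldap/ldap.conf, which configures the
# OpenLDAP client library (ldapsearch, etc.).  Host and base are assumed.
uri   ldap://ldap.example.org/
base  dc=example,dc=org

# Setting from the thread, left as-is: with only this line nss_ldap keeps
# reconnecting, and every lookup that reaches it blocks while the server is
# down (e.g. during boot, before dhclient has obtained an address).
#bind_policy hard

# Bounded variant: keep "hard" (the "soft" behaviour is what misbehaved on
# 7.0) but cap how long a connect/bind may take and how often it is retried.
# Values are assumptions; tune them to your network.
bind_policy hard
bind_timelimit 5              # seconds for connect+bind (nss_ldap default 30)
timelimit 10                  # seconds for a search
idle_timelimit 300            # close an idle server connection after 5 min
nss_reconnect_tries 2         # reconnect attempts before giving up
nss_reconnect_sleeptime 1     # initial back-off, seconds
nss_reconnect_maxsleeptime 4  # back-off ceiling, seconds
nss_reconnect_maxconntries 2  # connection attempts per try

# Local system accounts never need an LDAP group lookup; skipping
# initgroups() for them keeps daemons started at boot from touching LDAP.
# The list is an assumption; take it from your /etc/passwd.
nss_initgroups_ignoreusers root,daemon,operator,bin,sshd,_dhcp,nobody

# /etc/nsswitch.conf  -- FreeBSD.  Syntax: source [status=action] source
#   status: success | notfound | unavail | tryagain
#   action: return  | continue
# Consult local files first; the bracket form spells out the defaults
# (success=return, everything else continue) so the vocabulary is visible.
# A local account such as _dhcp resolves from files and LDAP is never asked.
passwd: files [success=return notfound=continue unavail=continue tryagain=continue] ldap
group:  files [success=return notfound=continue unavail=continue tryagain=continue] ldap
hosts:  files dns
```

Two checks worth running after a change like this: `getent passwd _dhcp` with the LDAP server firewalled off should return immediately from /etc/passwd, and `getent passwd <ldap-only-user>` in the same state should fail after roughly bind_timelimit multiplied by the reconnect settings rather than hanging, with the corresponding nss_ldap messages in /var/log/auth.log. If either check hangs, the lookup is reaching nss_ldap unbounded and the limits above are not in effect.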