Date:      Fri, 20 Jan 2006 09:00:32 -0800
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        "Daniel O'Connor" <doconnor@gsoft.com.au>
Cc:        vsevolod@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: Using [Open]LDAP for authentication
Message-ID:  <20060120170032.GA23901@odin.ac.hmc.edu>
In-Reply-To: <200601201130.18872.doconnor@gsoft.com.au>
References:  <200601201130.18872.doconnor@gsoft.com.au>

On Fri, Jan 20, 2006 at 11:30:10AM +1030, Daniel O'Connor wrote:
> Hi,
> I use OpenLDAP for authentication in conjunction with nss_ldap and pam_ldap
> (and samba). I use the RCORDER port option so it puts the startup file
> in /etc/rc.d.
>
> In 5.4 this worked fine - it started up correctly and in the right place.
> However I upgraded to 6.0-STABLE (11/12/05) and when I ran mergemaster I
> accidentally told it to delete the rc.d file (doh..). I then upgraded to a
> slightly later version of openldap (a newer version of openldap23-server).
>
> The problem now is that OpenLDAP appears to start very late; since lots of
> things need to do nss_ldap lookups it means bootup is very glacial as they
> time out.
>
> In the end I hacked up /etc/rc.d/SERVERS to require slapd and took the SERVERS
> requirement out of /etc/rc.d/slapd.
>
> I wonder if there should be another dummy rc.d file which marks where services
> that supply passwd/group/etc information are available and then SERVERS can
> depend on that (because a lot of servers need to be able to change to another
> user ID after starting).
>
> Then again maybe my nsswitch.conf is broken as I have..
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
>
> Maybe I should swap files and ldap around.. Hmm I'll try that and see :)
>
> Even if that does fix it, I think it would be good to be able to run OpenLDAP
> as early as practical.

Files should definitely come first, and services that start before DAEMON,
and possibly before LOGIN, should really have their necessary users and
groups in local files.  Nothing that requires user accounts or performs
actions on behalf of users should start before LOGIN.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
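As an added example (not code from the thread or from FreeBSD), the following POSIX sh check tests the ordering Brooks recommends: for the passwd and group databases, "files" must be consulted before any network source such as ldap, so that daemons starting before LOGIN can resolve their local accounts while slapd is still down. Both nsswitch.conf samples are constructed here; the first is the one quoted in the thread, the second has the sources swapped.

```shell
#!/bin/sh
# Added example: flag passwd/group entries in nsswitch.conf that consult a
# network source (ldap, nis, ...) before "files".

# Constructed sample: the nsswitch.conf quoted in the thread (ldap first).
NSSWITCH_WEAK='group: ldap files
hosts: files dns
networks: files
passwd: ldap files
shells: files'

# Constructed sample: the same file with files first for passwd and group.
NSSWITCH_FIXED='group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files'

# nsswitch_offenders CONTENT
# Prints one line for each passwd/group entry that lists another source
# before "files". Comments, blank lines and [action] tokens are ignored.
nsswitch_offenders() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        db=${line%%:*}
        srcs=${line#*:}
        case "$db" in passwd|group) ;; *) continue ;; esac
        seen_files=0
        for src in $srcs; do
            case "$src" in '['*) continue ;; esac   # e.g. [notfound=return]
            if [ "$src" = files ]; then
                seen_files=1
            elif [ "$seen_files" -eq 0 ]; then
                printf '%s: %s is consulted before files\n' "$db" "$src"
                break
            fi
        done
    done
}

# check_nsswitch CONTENT: succeeds (exit 0) only when no offenders are found.
check_nsswitch() {
    [ "$(nsswitch_offenders "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

for cfg in "$NSSWITCH_WEAK" "$NSSWITCH_FIXED"; do
    if check_nsswitch "$cfg"; then echo "OK: files first"; else nsswitch_offenders "$cfg"; fi
done
```

Run it against a real /etc/nsswitch.conf with `check_nsswitch "$(cat /etc/nsswitch.conf)"`; an entry listing ldap first is the configuration the thread describes as causing timeouts at boot.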