From owner-freebsd-questions@FreeBSD.ORG Wed Sep 23 01:45:47 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E97BD106566B
	for ; Wed, 23 Sep 2009 01:45:46 +0000 (UTC)
	(envelope-from tajudd@gmail.com)
Received: from mail-yx0-f171.google.com (mail-yx0-f171.google.com [209.85.210.171])
	by mx1.freebsd.org (Postfix) with ESMTP id A33E88FC1A
	for ; Wed, 23 Sep 2009 01:45:46 +0000 (UTC)
Received: by yxe1 with SMTP id 1so409915yxe.3
	for ; Tue, 22 Sep 2009 18:45:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:in-reply-to:references
	:date:message-id:subject:from:to:cc:content-type;
	bh=jHxFXPF0ih38GH1wjlx9B1+jC81Mo5bm5pLLrsK0Mz0=;
	b=BNS+fbxXrHOfR+z22DeGFi80HXLkJf2hbVey6Cfzaeiz39vi1e9ZW99dIHfXHyRVrL
	nd9UjjeyDe/h+ex8IFZ5dzyLbIwmzJyBZjX3H0sA6ruOPJXPd+6bNSZltdVUOY1K2VtL
	PzMd/DB4+ZvVDub5wK1aD360wKyQ8wiDLm8uc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	b=wQc8AE42wyb/GP+Q5ScYeQoqF8QLVLBnqPFUD7W53n+koIFvsNeA0Hlo6df0wVAmW/
	4qjfZCEO8qipVT3mz4TPHVVwYuoYbAcip33yB+XelTTMBo8vK8Rld38FbyssiQQXzKrY
	uyU6h6mBHxPrB2a0ceQNT+3s+rSBH7MehnkLI=
MIME-Version: 1.0
Received: by 10.100.50.30 with SMTP id x30mr1744199anx.169.1253670345999;
	Tue, 22 Sep 2009 18:45:45 -0700 (PDT)
In-Reply-To: <200909231104.39234.doconnor@gsoft.com.au>
References: <4AB8BAA9.1060100@zedat.fu-berlin.de>
	<200909222248.16475.doconnor@gsoft.com.au>
	<4AB93614.2080106@locolomo.org>
	<200909231104.39234.doconnor@gsoft.com.au>
Date: Tue, 22 Sep 2009 19:45:45 -0600
Message-ID:
From: Tim Judd
To: "Daniel O'Connor"
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-questions@freebsd.org
Subject: Re: LDAP server gone -> impossible to login locally!
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 23 Sep 2009 01:45:47 -0000

On 9/22/09, Daniel O'Connor wrote:
> On Wed, 23 Sep 2009, Erik Norgaard wrote:
>> This sounds like the correct solution, AFAIK it's the same concept as
>> for NIS, first check local files, then ldap. You don't want your root
>> credentials to possibly be leaked across the network. On the other hand
>> you don't want or need user accounts in the local files.
>>
>> Default first check local files which is fast, then fall back on ldap
>> if the user is not found.
>
> Actually I wrote them the wrong way, how odd!
> I actually have..
> group: cache ldap files
> passwd: cache ldap files
>
> I think that if it fails ldap, it does so very quickly - it certainly
> did this morning when I rebooted uncleanly.
>
> I believe I did try it as "cache files ldap" but I had some issues, I
> can't recall what they were though. I had quite a bit of difficulty
> getting it to work acceptably so when it did I left it alone :)
>
> On a related note, why is slapd so damn fragile? It's a righteous pain
> in the bum the way you have to run db_recover-X.Y /var/db/openldap-data
> if slapd fails to start.

I run OpenLDAP on a few boxes. I don't recall the power failures or rude
shutdowns ever giving me problems... 'Course, I don't have anything
high-traffic, so I would definitely have time for softupdates to flush to
disk before a crash is inevitable.

I've marked this thread; it's been useful already with the
'[unavail=continue notfound=continue]' pieces after the ldap dictionary in
nsswitch.conf. Now I have another command, db_recover.

> It wouldn't be so bad if it logged anything, but even with full logging
> it gives a very cryptic message and if you have logging disabled (which
> is recommended for performance!) it won't say _anything_.
To have OpenLDAP logging, you have to insert local4.* statements in
syslog.conf, touch the given file, and restart syslog. Any logging that
OpenLDAP would need to send is then recorded in syslog. Why they picked 4,
of 1 through 7, I'm not sure.

I'd help you with that, if you'd like.

> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
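The ordering question above (files before ldap, and the [unavail=continue notfound=continue] criteria) is what decides whether root can still log in when the LDAP server is gone. The following is an added example, not code from the thread or from FreeBSD: a small Python lint that parses the nsswitch.conf source and [status=action] syntax and reports two things for the passwd and group databases. A "warn" finding means a network source is consulted before files, so every lookup, root included, goes to the network first; a "lockout" finding means a [status=return] action on a source ahead of files stops the lookup before it ever reaches the local files. The default actions (success=return, everything else continue) follow nsswitch.conf(5); the set of sources treated as network backends and the three sample configurations are constructed for the example.

```python
"""Lint nsswitch.conf so that local accounts still resolve when LDAP is down.

Added example: parses the nsswitch.conf source/criteria syntax and flags
orderings or [status=action] settings under which an LDAP outage prevents
root (or any account only in the local password file) from logging in.
"""
import re
from dataclasses import dataclass, field

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue", "merge")
# Defaults per nsswitch.conf(5): a failed lookup falls through to the next
# source, a successful one stops.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
# Assumption: the common NSS backends that need the network.
NETWORK_SOURCES = {"ldap", "nis", "nisplus", "dns", "winbind", "sss"}
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


@dataclass
class Source:
    name: str
    actions: dict = field(default_factory=lambda: dict(DEFAULT_ACTIONS))


def parse_nsswitch(text):
    """Return {database: [Source, ...]} from nsswitch.conf contents."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, rest = line.split(":", 1)
        sources = []
        # A bare word names a source; a [...] block sets the actions of the
        # source that precedes it.
        for tok in TOKEN_RE.findall(rest):
            if not tok.startswith("["):
                sources.append(Source(tok.lower()))
                continue
            if not sources:
                raise ValueError(f"{name}: criteria before any source")
            for crit in tok[1:-1].split():
                status, _, action = crit.lower().partition("=")
                negate = status.startswith("!")
                status = status.lstrip("!")
                if status not in STATUSES or action not in ACTIONS:
                    raise ValueError(f"{name}: bad criterion {crit!r}")
                # [!STATUS=action] applies the action to every other status.
                targets = [s for s in STATUSES if s != status] if negate else [status]
                for t in targets:
                    sources[-1].actions[t] = action
        databases[name.strip().lower()] = sources
    return databases


def lint_logins(databases, names=("passwd", "group")):
    """Return (severity, message) findings for the login-relevant databases.
    'lockout' means an LDAP failure stops the lookup before it reaches files."""
    findings = []
    for db in names:
        sources = databases.get(db)
        if not sources:
            findings.append(("lockout", f"{db}: no sources configured"))
            continue
        order = [s.name for s in sources]
        if "files" not in order:
            findings.append(("lockout", f"{db}: 'files' missing, local accounts cannot resolve"))
            continue
        for src in sources[:order.index("files")]:
            if src.name not in NETWORK_SOURCES:
                continue  # e.g. 'cache' (nscd) is local and harmless here
            findings.append(("warn", f"{db}: {src.name} is consulted before files, "
                                     "so every lookup (root included) hits the network first"))
            blocking = [st for st in ("unavail", "tryagain", "notfound")
                        if src.actions[st] != "continue"]
            if blocking:
                crit = " ".join(f"{st}={src.actions[st]}" for st in blocking)
                findings.append(("lockout", f"{db}: {src.name} [{crit}] never falls through to files"))
    return findings


# Constructed samples: the order quoted in the thread, a variant with a
# blocking action, and the files-first arrangement.
LDAP_FIRST = "group:  cache ldap files\npasswd: cache ldap files\nhosts: files dns\n"
LDAP_FIRST_RETURN = "passwd: ldap [UNAVAIL=return] files\ngroup:  files ldap\n"
FILES_FIRST = ("passwd: files ldap [unavail=continue notfound=continue]\n"
               "group:  files ldap [unavail=continue notfound=continue]\n")

if __name__ == "__main__":
    for label, cfg in (("ldap first", LDAP_FIRST),
                       ("ldap first, unavail=return", LDAP_FIRST_RETURN),
                       ("files first", FILES_FIRST)):
        print(label)
        for sev, msg in lint_logins(parse_nsswitch(cfg)) or [("ok", "local logins survive an LDAP outage")]:
            print(f"  [{sev}] {msg}")
```

Run it against a copy of /etc/nsswitch.conf by passing the file contents to parse_nsswitch. The files-first sample produces no findings; the "cache ldap files" order from the thread produces only warnings, because the default actions still fall through to files, while an explicit [unavail=return] on the ldap source is what turns an outage into a lockout.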