From: John Marshall <john.marshall@riverwillow.com.au>
To: "O. Hartmann"
Cc: freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 22 Sep 2009 23:05:40 +1000 (AEST)
Subject: Re: LDAP server gone -> impossible to login locally!
Message-ID: <20090922130540.GI1001@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <4AB8BAA9.1060100@zedat.fu-berlin.de>
References: <4AB8BAA9.1060100@zedat.fu-berlin.de>
User-Agent: Mutt/1.4.2.3i
OpenPGP: id=A29A84A2; url=http://pki.riverwillow.net.au/pgp/johnmarshall.asc

On Tue, 22 Sep 2009, 11:53 +0000, O. Hartmann wrote:
> Hello,
>
> I run into trouble with FreeBSD and LDAP on a regular basis!
>
> Sometimes it is necessary to log in to a bunch of servers with no LDAP
> service responding, due to service, crash, electrical disconnection,
> whatever. The problem is: I can't.
> Using all prerequisites from ports (pam_ldap/nss_ldap/ldap as most
> recent) my /etc/nsswitch.conf looks like this as it has been the most
> reasonable (and only working!) solution for the past 2 years:
>
> passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
>
> The same for group. Intention is to have root- or wheel-group access of
> locally managed service users without timeouts due to unresponsive LDAP
> servers. But it does not work!
> If the LDAP service is not available, FreeBSD 8.0/AMD64-RC1 (most recent
> source/build) does nothing for approx. 120 seconds and sometimes much
> longer when trying to log in as root from the console. In some cases, the
> same box under the very same conditions refuses login due to a timeout,
> very strange.
>
> After some time and lots of questions, the above nsswitch.conf entries
> were evaluated as those which should work, but exchanging 'ldap' and
> 'files' results in a never-can-login situation when LDAP isn't
> responding.
>
> Is there a way to shorten the timeouts and if yes, where to look for? 2
> minutes for a login within service sessions is too much, a waste of
> time. Our network is very fast, so 30 seconds should be enough ...

I've only recently started playing with LDAP but it sounds to me like you
probably have one of the 'hard' options set for the reconnect policy in
your nss_ldap.conf file. I use 'bind_policy soft' so that if the LDAP
server isn't available we fail over to the next nsswitch service
immediately.

I don't think further discussion of this thread belongs on the
freebsd-current list.

Hope this helps.

-- 
John Marshall
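The setting John Marshall points at is the one that decides whether a lookup fails over to `files` or sits in nss_ldap's reconnect loop while the server is down. The script below is an added example, not part of the thread and not nss_ldap's own code: it audits an nss_ldap.conf for `bind_policy` and the reconnect knobs, and estimates the worst-case stall of a single NSS lookup against an unreachable server. The defaults it assumes (`bind_policy hard`, `bind_timelimit 30`, `nss_reconnect_tries 5`, `nss_reconnect_sleeptime 4`, `nss_reconnect_maxsleeptime 64`) are nss_ldap's documented defaults, the file path /usr/local/etc/nss_ldap.conf is the FreeBSD port location, and the two sample configs are constructed for the example. The retry arithmetic is an approximation of nss_ldap's back-off, not a figure taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not nss_ldap's own code): audit an
# nss_ldap.conf for settings that make a local console login hang when the
# LDAP server is unreachable, and estimate the resulting stall.
# Assumed defaults are nss_ldap's documented ones; the back-off model is an
# approximation. Usage: sh nss_ldap_audit.sh [/usr/local/etc/nss_ldap.conf]

# conf_get FILE KEY DEFAULT: last value of KEY in a "key value" file, else DEFAULT.
conf_get() {
    _v=$(awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# backoff_sleep TRIES FIRST MAX: seconds slept across TRIES reconnect attempts,
# doubling FIRST each time and capping at MAX (nss_ldap's documented back-off).
backoff_sleep() {
    _n=$1 _s=$2 _max=$3 _total=0 _i=0
    while [ "$_i" -lt "$_n" ]; do
        _total=$((_total + _s))
        _s=$((_s * 2))
        [ "$_s" -gt "$_max" ] && _s=$_max
        _i=$((_i + 1))
    done
    echo "$_total"
}

# estimate_stall FILE: worst-case seconds one lookup can block (server unreachable).
estimate_stall() {
    _policy=$(conf_get "$1" bind_policy hard)
    _tl=$(conf_get "$1" bind_timelimit 30)
    if [ "$_policy" = soft ]; then
        # soft: a single connect attempt bounded by bind_timelimit, then nsswitch
        # moves on to the next source
        echo "$_tl"
    else
        # hard: every reconnect attempt may wait bind_timelimit, plus the sleeps
        _tries=$(conf_get "$1" nss_reconnect_tries 5)
        _first=$(conf_get "$1" nss_reconnect_sleeptime 4)
        _max=$(conf_get "$1" nss_reconnect_maxsleeptime 64)
        _sl=$(backoff_sleep "$_tries" "$_first" "$_max")
        echo $((_tries * _tl + _sl))
    fi
}

# audit_nss_ldap FILE: print findings; return 0 only if lookups fail over
# within 30 s (the budget the original poster considers acceptable).
audit_nss_ldap() {
    _p=$(conf_get "$1" bind_policy hard)
    _st=$(estimate_stall "$1")
    echo "$1: bind_policy=$_p, worst-case stall per lookup ${_st}s"
    [ "$_p" = hard ] && echo "  WARN: bind_policy hard retries instead of failing over to 'files'"
    [ "$_st" -gt 30 ] && echo "  WARN: a console login may hang for about ${_st}s"
    [ "$_p" = soft ] && [ "$_st" -le 30 ]
}

# Constructed sample files (not from the thread): the failure-prone default
# and a configuration that fails over to 'files' quickly.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
bind_policy hard
EOF
cat > "$HARDENED" <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
bind_policy soft
bind_timelimit 5
timelimit 10
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_initgroups_ignoreusers root
EOF

audit_nss_ldap "$WEAK"
audit_nss_ldap "$HARDENED"
[ -z "$1" ] || audit_nss_ldap "$1"
```

Two caveats when applying this to a real box. First, nss_ldap is only half of the login path: pam_ldap reads its own file (/usr/local/etc/ldap.conf on FreeBSD) with its own `bind_policy`, and the PAM stack in /etc/pam.d should let `pam_unix` succeed for local accounts before `pam_ldap` is consulted, otherwise root's console login still waits on the directory. Second, `nss_initgroups_ignoreusers root` keeps group enumeration for root out of LDAP entirely, which removes the `group:` lookup from the path the original poster is timing.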