Date:      Wed, 19 Mar 2008 15:24:12 +0300
From:      Dmitriy Kirhlarov <dimma@higis.ru>
To:        Daniel Bond <db@danielbond.org>
Cc:        freebsd-stable@freebsd.org, ohartman@zedat.fu-berlin.de, Valerio Daelli <valerio.daelli@gmail.com>
Subject:   Re: [Working fix] Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0
Message-ID:  <47E105EC.3080005@higis.ru>
In-Reply-To: <47E0FD88.4080207@danielbond.org>
References:  <47DE9638.6080609@danielbond.org> <47DF8F10.8080200@higis.ru> <47E0FD88.4080207@danielbond.org>

Daniel Bond wrote:

> |> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> |> /usr/local/etc/ldap.conf -> openldap/ldap.conf
> |
> | I'm not sure is it correct.
> | etc/ldap.conf and etc/openldap/ldap.conf -- different files for
> | different purposes.
> | etc/nss_ldap.conf -> etc/ldap.conf -- it's correct.
> |
> 
> The ldap.conf file is only used for nss_ldap and pam_ldap, so I don't
> suppose it really matters where the config-file resides.

etc/ldap.conf can be used by sudo, for example.
etc/openldap/ldap.conf is the library config.

> You are absolutely correct, when I change *bind_policy* to *hard*, the
> problem goes away, nss_ldap stops whining about contacting server in
> /var/log/auth.log. SSH with pubkey-exchange or password authentication
> also works with bind_policy hard.

Ok. Next.
I'm sorry, but this solution is a little dangerous.
When your LDAP server is unreachable, nss_ldap tries to connect again and
again and doesn't switch to the next method described in /etc/nsswitch.conf.

For example, if your computer must get its IP over dhcpd, the OS needs the uid for
dhclient and asks nss_ldap for it, but nss_ldap can't connect to the LDAP
server, because the computer doesn't have an IP address yet.

When you are using bind_policy hard, you also need to tune bind_timelimit
and idle_timelimit in ldap.conf and use "files [Status=Action] ldap" in
/etc/nsswitch.conf, where Status and Action must be chosen.

> Although it would be nice to have "bind_policy soft" working properly

Yes. It's a really fine option, but I'm not sure about the source of the problem
(OS version or nss_ldap) and don't know how to debug this issue.

WBR.
Dmitriy
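An added illustration of the two settings Dmitriy's message refers to; this is not configuration from the thread or from the nss_ldap project. The server URI, base DN and timeout values are assumptions chosen for the example, and the bracketed Status=Action pair is written out only to show the syntax (it is the default behaviour; the choice for a given site is left open, as in the message).

```conf
# /usr/local/etc/nss_ldap.conf  (FreeBSD 7.0 port path, as used in the thread)
uri  ldap://ldap.example.org/          # assumed directory server
base dc=example,dc=org                 # assumed base DN

# Setting from the thread that makes the symptom go away: never give up on
# the directory. On its own this means any lookup that falls through to LDAP
# blocks for as long as the server is unreachable (e.g. before dhclient has
# obtained an address), instead of moving on to the next nsswitch source.
bind_policy hard

# Bound the retry so a dead server costs seconds, not forever.
# Both values are assumptions for illustration; tune them for the site.
bind_timelimit 5        # seconds to wait for connect/bind before the lookup fails
idle_timelimit 60       # seconds before an idle connection is closed and reopened

# /etc/nsswitch.conf
# Status keywords: success, notfound, unavail, tryagain; actions: return, continue.
# Local accounts (including the one dhclient runs as) stay in files, consulted
# first; the bracket after "files" is where Status=Action is chosen.
passwd: files [notfound=continue] ldap
group:  files [notfound=continue] ldap
```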
