
Re: RE: [pamldap] if ldap server is down - no ssh prompt or local logins wo: msg#00003

ldap.padl.nss

Subject: Re: RE: [pamldap] if ldap server is down - no ssh prompt or local logins work

On Monday 06 March 2006 15:44, you wrote:

> Note: for some earlier versions of PAM, the only solution that I am
> aware of to login as root, you must restart in single user mode. I
> do not recall in what version this was changed.

I've recently "fixed" this for some of my machines by re-compiling
pam_ldap. The default timeout is too long. This means no data on the
tty, and the connection is closed.

The problem is that the timeout is very long, and it gets hit multiple
times (/bin/login to log in, /bin/sh to figure out who you are, /bin/sh
to find your groups, /etc/profile does it a few more times, etc.)

On a recent version of pam_ldap, you can edit ldap-nss.h, change
LDAP_NSS_TRIES, LDAP_NSS_SLEEPTIME, LDAP_NSS_MAXSLEEPTIME,
LDAP_NSS_MAXCONNTRIES to something more suitable. I suggest
SLEEPTIME=2 and MAXSLEEPTIME=8. Depends on your network, of course,
and if the backup machines are local.

You'll still need to wait 30 seconds or so to log in, but you'll be able
to.


I hope this helps,
Berend

--
Confidentiality notice: http://ucs.co.za/conf.html
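
The effect of shortening the sleep constants can be sketched with a small model. This is an added example, not part of the original message and not taken from the pam_ldap source: it assumes a capped doubling backoff in which every retry is preceded by a sleep, and the struct, function names, the `tries` value and the lookup count are all hypothetical.

```c
#include <stdio.h>

/* Hypothetical model of a capped doubling backoff; NOT pam_ldap source.
 * Field names mirror the ldap-nss.h constants named in the message. */
struct retry_policy {
    int tries;        /* LDAP_NSS_TRIES: retries, each preceded by a sleep (assumption) */
    int sleeptime;    /* LDAP_NSS_SLEEPTIME: first sleep, in seconds */
    int maxsleeptime; /* LDAP_NSS_MAXSLEEPTIME: cap on any single sleep */
};

/* Seconds one lookup spends sleeping when every retry fails. */
long worst_case_sleep(struct retry_policy p)
{
    long total = 0;
    int delay;

    if (p.tries <= 0 || p.sleeptime <= 0 || p.maxsleeptime <= 0)
        return 0;
    /* A first sleep longer than the cap is clamped to the cap. */
    delay = p.sleeptime < p.maxsleeptime ? p.sleeptime : p.maxsleeptime;
    for (int i = 0; i < p.tries; i++) {
        total += delay;
        /* Double, but never past the cap (and never overflow int). */
        delay = (delay > p.maxsleeptime / 2) ? p.maxsleeptime : delay * 2;
    }
    return total;
}

/* A login triggers several independent lookups; in this model each one
 * pays the full backoff again while the server stays down. */
long login_stall(struct retry_policy p, int lookups)
{
    return lookups > 0 ? lookups * worst_case_sleep(p) : 0;
}

int main(void)
{
    struct retry_policy slow = { 5, 4, 64 }; /* constructed "long" values */
    struct retry_policy fast = { 5, 2, 8 };  /* SLEEPTIME=2, MAXSLEEPTIME=8; tries=5 assumed */
    int lookups = 4;                         /* constructed lookups per login */

    printf("slow: %lds per lookup, %lds per login\n",
           worst_case_sleep(slow), login_stall(slow, lookups));
    printf("fast: %lds per lookup, %lds per login\n",
           worst_case_sleep(fast), login_stall(fast, lookups));
    return 0;
}
```

The model counts only time spent sleeping between retries; connection and bind timeouts add to each attempt on a real system.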


