Re: RE: [pamldap] if ldap server is down - no ssh prompt or local logins wo: msg#00004

Subject: Re: RE: [pamldap] if ldap server is down - no ssh prompt or local logins work

On Tuesday 07 March 2006 10:04, Berend De Schouwer wrote:
> On Monday 06 March 2006 15:44, you wrote:
> > Note: for some earlier versions of PAM, the only solution that I am
> > aware of to log in as root is to restart in single-user mode. I
> > do not recall in what version this was changed.
>
> I've recently "fixed" this for some of my machines by re-compiling
> pam_ldap. The default timeout is too long. This means no data on the
> tty, and the connection is closed.

Why rebuild? Just set:

timelimit 5
bind_timelimit 5

> The problem is that the timeout is very long, and it gets hit multiple
> times (/bin/login to log in, /bin/sh to figure out who you are, /bin/sh
> to find your groups, /etc/profile does it a few more times, etc.)
>
> On a recent version of pam_ldap, you can edit ldap-nss.h, change
> LDAP_NSS_TRIES, LDAP_NSS_SLEEPTIME, LDAP_NSS_MAXSLEEPTIME,
> LDAP_NSS_MAXCONNTRIES to something more suitable. I suggest
> SLEEPTIME=2 and MAXSLEEPTIME=8. Depends on your network, of course,
> and if the backup machines are local.

Surely this is nss_ldap only, and on recent versions of nss_ldap (somewhere
around 240 and later), use the same as above for pam_ldap, *but* you must
also use:

bind_policy soft

In most cases, I don't think changing the definitions in ldap-nss.h should be
necessary.

Regards,
Buchan


--
Buchan Milne
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
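As an added example (not code from this thread or from the PADL projects), a small POSIX sh lint that flags an ldap.conf missing the fail-fast settings recommended above. The 10-second threshold, the `check_ldap_conf` function name and the two sample configs are constructed assumptions:

```shell
#!/bin/sh
# Added example: lint an nss_ldap/pam_ldap ldap.conf for fail-fast settings.
# Assumes the classic PADL "key value" syntax; thresholds are our own choice.
set -u

# Print the value of KEY in FILE (last occurrence wins), empty if unset.
ldap_conf_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Return 0 if FILE will fail fast when the directory is unreachable,
# 1 otherwise; one finding per line on stdout.
check_ldap_conf() {
    f=$1; rc=0
    for key in timelimit bind_timelimit; do
        v=$(ldap_conf_get "$f" "$key")
        # Unset leaves the PADL default (long or unlimited), which is what
        # makes login/getent hang repeatedly while the server is down.
        if [ -z "$v" ] || [ "$v" -gt 10 ]; then
            echo "$key is '${v:-unset}': logins block while the server is down"
            rc=1
        fi
    done
    pol=$(ldap_conf_get "$f" bind_policy)
    # 'hard' (the default) keeps nss_ldap reconnecting; 'soft' gives up.
    if [ "$pol" != "soft" ]; then
        echo "bind_policy is '${pol:-hard (default)}': set 'bind_policy soft'"
        rc=1
    fi
    return $rc
}

# Constructed sample configs: a default-style (weak) file and the fixed one.
weak=$(mktemp); fixed=$(mktemp)
printf 'host 192.0.2.10\nbase dc=example,dc=com\n' >"$weak"
printf 'host 192.0.2.10\nbase dc=example,dc=com\n' >"$fixed"
printf 'timelimit 5\nbind_timelimit 5\nbind_policy soft\n' >>"$fixed"
echo "== weak =="; check_ldap_conf "$weak" || true
echo "== fixed =="; check_ldap_conf "$fixed" && echo "ok: fails fast"
rm -f "$weak" "$fixed"
```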
