Subject: Re: RE: [pamldap] if ldap server is down - no ssh prompt or local logins work

On Tuesday 07 March 2006 13:44, Buchan Milne wrote:
> On Tuesday 07 March 2006 10:04, Berend De Schouwer wrote:
> > On Monday 06 March 2006 15:44, you wrote:
> > > Note: for some earlier versions of PAM, the only solution that I
> > > am aware of to login as root, you must restart in single user
> > > mode. I do not recall in what version this was changed
> >
> > I've recently "fixed" this for some of my machines by re-compiling
> > pam_ldap. The default timeout is too long. This means no data on
> > the tty, and the connection is closed.
>
> Why rebuild? Just set:
>
> timelimit 5
> bind_timelimit 5

From the man page (under bind_policy):

All "hard" reconnect policies block with exponential backoff
before retrying. At present the backoff parameters are
configurable at compile time only.

That's why!

> Surely this is nss_ldap only, and on recent version of nss_ldap
> (somewhere around 240 and later), use the same as above for pam_ldap,
> *but* you must also use:

That is correct. My mistake. The timeout problem is with nss_ldap, not
pam_ldap. The timeout is caused because although I log in, everything
after that (getuid(), getpwent(), etc.) takes too long.

> bind_policy soft

bind_policy soft does not work for me. I tested it, because it looked
like a solution. I can't remember the exact details, but I'll try:

If you have multiple hosts specified, and one works, nss_ldap binds to
that. If that server goes down, and bind_policy is soft, it does not
try the others -- it just assumes the server is down, and that's it.

I've got more than one LDAP server. I want it to use more than one, and
only stop warning when all three stop responding (network down). I
have to use bind_policy hard.

> In most cases, I don't think changing the definitions in ldap-nss.h
> should be necessary.

I agree. The defaults in ldap-nss.h should be such that the login
process does not time out.

> Regards,
> Buchan

Regards,
Berend

--
Confidentiality notice: http://ucs.co.za/conf.html
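The settings traded in this thread (a short timelimit and bind_timelimit, more than one host listed, and bind_policy hard rather than soft so the remaining hosts are tried) are easy to get wrong silently, so below is a small audit script for an ldap.conf. It is an added example, not code from the thread or from the PADL nss_ldap project; the 10-second ceiling, the example hostnames and both sample configs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or nss_ldap: lint an ldap.conf for the
# timeout and failover settings discussed above. 10s ceiling is an assumption.
MAX_SECONDS=10
# conf_value FILE KEY -> last value given for KEY (empty if unset); '#' lines never match
conf_value() {
    awk -v key="$2" 'tolower($1) == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
                     END { print v }' "$1"
}
# audit_ldap_conf FILE -> prints one finding per line; returns 0 if clean, 1 otherwise
audit_ldap_conf() {
    f=$1; rc=0
    # servers may be listed on a "host" line, a "uri" line, or both
    set -- $(conf_value "$f" host) $(conf_value "$f" uri)
    if [ $# -lt 2 ]; then
        echo "only $# LDAP server(s) listed: nothing to fail over to"; rc=1
    fi
    for key in bind_timelimit timelimit; do
        v=$(conf_value "$f" "$key")
        if [ -z "$v" ]; then
            echo "$key unset: the compiled-in default applies, which the thread found too long"; rc=1
        elif [ "$v" -gt "$MAX_SECONDS" ] 2>/dev/null; then
            echo "$key $v exceeds ${MAX_SECONDS}s: lookups hang that long per dead server"; rc=1
        fi
    done
    if [ "$(conf_value "$f" bind_policy)" = "soft" ]; then
        echo "bind_policy soft: nss_ldap stops at the first failed host instead of trying the rest"; rc=1
    fi
    return $rc
}
# Constructed sample configs: a weak one, and one following the thread's advice.
WEAK=$(mktemp); FIXED=$(mktemp); trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat >"$WEAK" <<'EOF'
host ldap1.example.com
base dc=example,dc=com
bind_policy soft
EOF
cat >"$FIXED" <<'EOF'
host ldap1.example.com ldap2.example.com ldap3.example.com
base dc=example,dc=com
bind_policy hard
timelimit 5
bind_timelimit 5
EOF
for cfg in "$WEAK" "$FIXED"; do
    if audit_ldap_conf "$cfg"; then echo "$cfg: clean"; fi
done
```

Point it at /etc/ldap.conf, then confirm the result empirically: with one listed LDAP host unreachable, `time getent passwd root` should return within the configured limits rather than hanging for the compiled-in backoff.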