Issue with nsswitch.conf and LDAP
I've seen a problem, which I've heard others have too, concerning
nsswitch.conf and ldap, in woody at least; I haven't tried others.
The problem is that in configurations where files are to be checked
before ldap, it still looks for the ldap server. This causes a delay in
login. That it is a problem with ldap can easily be proven by removing
the ldap entries in nsswitch.conf.
With a slight misconfiguration, it is easy to reach the default 60
second timeout in login.defs.
I don't have that timeout (anymore), but I'm still curious why I'm
getting a delay at all.
The only fancy lines in nsswitch.conf are:
passwd: files ldap
group: files ldap
shadow: files ldap
They could also be read as:
passwd: files [SUCCESS=return] ldap [UNAVAIL=return]
group: files [SUCCESS=return] ldap [UNAVAIL=return]
shadow: files [SUCCESS=return] ldap [UNAVAIL=return]
Which is the default behaviour, or should be. Now even if the ldap
server is erroneously specified in every single config file, local logins
should be possible without nsswitch even trying to contact the ldap
server, right?
That doesn't appear to be the case. I've even tried to set timeouts in
ldap.conf, libnss-ldap.conf and pam_ldap.conf; it doesn't help.
pam.d/login:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
Alex
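As an added example (not part of Alex's post), the following Python models the action rules glibc applies to a nsswitch.conf line: sources are tried left to right, and after each one the status it returned (SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN) is looked up in that source's action table; only SUCCESS defaults to "return", the other three default to "continue". The "files" and "ldap" back ends and the local user list are constructed stand-ins: the fake ldap source simply reports UNAVAIL, standing in for a dead server whose timeout is the delay. It shows that with `files ldap` a name found in files never reaches ldap, that any lookup which misses in files does go on to ldap, and what `[NOTFOUND=return]` after files changes.

```python
"""Model of glibc nsswitch.conf action semantics (added example, not from
the original post). Sources are tried left to right; the status each one
returns is looked up in that source's action table to decide whether to
'return' or 'continue'. Only SUCCESS defaults to 'return'."""

DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "NOTFOUND": "continue",
    "UNAVAIL": "continue",
    "TRYAGAIN": "continue",
}


def parse_nsswitch_line(line):
    """Parse 'db: src [STATUS=action ...] src ...' into
    (db, [(source, {status: action}), ...]).
    Statuses not mentioned in a [...] block keep their defaults."""
    db, _, rest = line.partition(":")
    tokens = rest.split()
    sources = []
    i = 0
    while i < len(tokens):
        source = tokens[i]
        actions = dict(DEFAULT_ACTIONS)
        i += 1
        if i < len(tokens) and tokens[i].startswith("["):
            # Gather everything up to the closing ']' (may span several tokens).
            items = []
            while i < len(tokens):
                tok = tokens[i]
                i += 1
                items.append(tok.strip("[]"))
                if tok.endswith("]"):
                    break
            for item in items:
                if not item:
                    continue
                status, _, action = item.partition("=")
                negate = status.startswith("!")  # [!STATUS=action] form
                status = status.lstrip("!").upper()
                action = action.lower()
                if negate:
                    targets = [s for s in actions if s != status]
                else:
                    targets = [status]
                for s in targets:
                    actions[s] = action
        sources.append((source, actions))
    return db.strip(), sources


def resolve(sources, name, backends, trace):
    """Run one lookup. backends maps source name -> callable(name) -> status.
    Appends (source, status) to trace for every source actually consulted."""
    status = "UNAVAIL"  # result if the line lists no sources at all
    for source, actions in sources:
        status = backends[source](name)
        trace.append((source, status))
        if actions.get(status, "continue") == "return":
            break
    return status


# Constructed local database standing in for /etc/passwd; 'alex' is local.
LOCAL_USERS = {"root", "daemon", "alex"}


def files_backend(name):
    return "SUCCESS" if name in LOCAL_USERS else "NOTFOUND"


def dead_ldap_backend(name):
    # Stand-in for an unreachable LDAP server: in real life every query
    # blocks until libnss-ldap gives up, then reports UNAVAIL. Being
    # consulted at all is what produces the delay.
    return "UNAVAIL"


BACKENDS = {"files": files_backend, "ldap": dead_ldap_backend}


def sources_consulted(nss_line, name, backends=BACKENDS):
    """Ordered list of sources a lookup of `name` under the given
    nsswitch.conf line would actually touch."""
    _, sources = parse_nsswitch_line(nss_line)
    trace = []
    resolve(sources, name, backends, trace)
    return [source for source, _ in trace]


if __name__ == "__main__":
    for line in ("passwd: files ldap",
                 "passwd: files [SUCCESS=return] ldap [UNAVAIL=return]",
                 "passwd: files [NOTFOUND=return] ldap"):
        for user in ("alex", "nosuchuser"):
            print(f"{line:55s} {user:12s} -> {sources_consulted(line, user)}")
```

Running it shows the two `files ldap` spellings behave identically: a local user stops at files, but a name that is not in the local files falls through to ldap under both, because NOTFOUND defaults to "continue". Only `files [NOTFOUND=return] ldap` keeps such a miss away from the server, at the cost of never resolving users that exist only in LDAP.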