
Issue with nsswitch.conf and LDAP

I've seen a problem that I've heard others have too concerning
nsswitch.conf and ldap in woody at least, haven't tried others.

The problem is that in configurations where files are to be checked
before ldap, it still looks for the ldap server. This causes a delay in
login. That it is a problem with ldap can easily be proven by removing
the ldap entries in nsswitch.conf.
With a slight misconfiguration, it is easy to reach the default 60
second timeout in login.defs.
I don't have that timeout (anymore) but I'm still curious of why I'm
getting a delay at all.

The only fancy lines in nsswitch.conf are:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

They could also be read as:
passwd:         files [SUCCESS=return] ldap [UNAVAIL=return]
group:          files [SUCCESS=return] ldap [UNAVAIL=return]
shadow:         files [SUCCESS=return] ldap [UNAVAIL=return]

Which is the default behaviour, or should be. Now even if the ldap
server is erroneously specified in every single config file, local logins
should be possible without nsswitch even trying to contact the ldap
server right?
That doesn't appear to be the case. I've even tried to set timeouts in
ldap.conf, libnss-ldap.conf and pam_ldap.conf, it doesn't help.

auth    requisite       pam_securetty.so
auth    requisite       pam_nologin.so
auth    required        pam_env.so
auth    sufficient      pam_unix.so likeauth nullok
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

account sufficient      pam_unix.so
account sufficient      pam_ldap.so
account required        pam_deny.so

session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv

password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
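
Added example (not part of the original message): a small Python model of how glibc's NSS walks the sources on an nsswitch.conf line, using the glibc defaults of SUCCESS=return and continue for every other status. The function names and the per-source outcomes are assumptions made for illustration; it shows which sources are consulted for the `files ldap` lines above when `files` does or does not hold the entry being looked up.

```python
import re

# glibc defaults: stop at the first SUCCESS, otherwise try the next source.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_line(line):
    """Split 'db: src [STATUS=action] ...' into (db, [(src, actions), ...])."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' after database name")
    sources = []
    for token in re.findall(r"\[[^\]]*\]|[^\s\[\]]+", rest):
        if not token.startswith("["):
            sources.append((token, dict(DEFAULTS)))
            continue
        if not sources:
            raise ValueError("action list before any source")
        for item in token[1:-1].split():
            status, _, action = item.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in DEFAULTS or action not in ("return", "continue"):
                raise ValueError("unsupported action item: " + item)
            # [!STATUS=action] applies to every status except the named one.
            targets = [s for s in DEFAULTS if s != status] if negate else [status]
            for s in targets:
                sources[-1][1][s] = action
    return db.strip(), sources

def sources_contacted(line, outcomes):
    """List the sources consulted, in order, given each source's result."""
    contacted = []
    for name, actions in parse_line(line)[1]:
        contacted.append(name)
        if actions[outcomes[name]] == "return":
            break
    return contacted

# Constructed outcomes: the entry is in local files / is not in local files.
HIT = {"files": "SUCCESS", "ldap": "UNAVAIL"}
MISS = {"files": "NOTFOUND", "ldap": "UNAVAIL"}

if __name__ == "__main__":
    for conf in ("passwd: files ldap",
                 "passwd: files [SUCCESS=return] ldap [UNAVAIL=return]"):
        print(conf, sources_contacted(conf, HIT), sources_contacted(conf, MISS))
```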

