LDAP server gone -> impossible to login locally!

Daniel O'Connor doconnor at gsoft.com.au
Wed Sep 23 01:34:45 UTC 2009


On Wed, 23 Sep 2009, Erik Norgaard wrote:
> This sounds like the correct solution, AFAIK it's the same concept as
> for NIS, first check local files, then ldap. You don't want your root
> credentials possibly be leaked accross the network. On the other hand
> you don't want or need user accounts in the local files.
>
> Default first check local files which is fast, then fall back on ldap
> if the user is not found.

Actually I wrote them the wrong way, how odd!
I actually have..
group: cache ldap files
passwd: cache ldap files

I think that if it fails ldap, it does so very quickly - it certainly 
did this morning when I rebooted uncleanly.

I believe I did try it as "cache files ldap" but I had some issues, I 
can't recall what they were though. I had quite a bit of difficulty 
getting it to work acceptably so when it did I left it alone :)

On a related note, why is slapd so damn fragile? It's a righteous pain 
in the bum the way you have to run db_recover-X.Y /var/db/openldap-data 
if slapd fails to start.

It wouldn't be so bad if it logged anything, but even with full logging 
it gives a very cryptic message and if you have logging disabled (which 
is recommended for performance!) it won't say _anything_.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20090923/65e00b28/attachment.pgp


More information about the freebsd-current mailing list