Using [Open]LDAP for authentication

Brooks Davis brooks at one-eyed-alien.net
Fri Jan 20 09:00:39 PST 2006


On Fri, Jan 20, 2006 at 11:30:10AM +1030, Daniel O'Connor wrote:
> Hi,
> I use OpenLDAP for authentication in conjunction with nss_ldap and pam_ldap 
> (and samba). I use the RCORDER port option so it put the startup file 
> in /etc/rc.d.
> 
> In 5.4 this worked fine - it started up correctly and in the right place. 
> However I upgraded to 6.0-STABLE (11/12/05) and when I ran mergemaster I 
> accidentally told it to delete the rc.d file (doh..) I then upgraded to a 
> slightly later version of openldap (a newer version of openldap23-server).
> 
> The problem now is that OpenLDAP appears to start very late; since lots of 
> things need to do nss_ldap lookups, it means bootup is very glacial as they 
> time out.
> 
> In the end I hacked up /etc/rc.d/SERVERS to require slapd and took the SERVERS 
> requirement out of /etc/rc.d/slapd
> 
> I wonder if there should be another dummy rc.d file which marks where services 
> that supply passwd/group/etc information are available and then SERVERS can 
> depend on that (because a lot of servers need to be able to change to another 
> user ID after starting).
> 
> Then again maybe my nsswitch.conf is broken as I have..
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> 
> Maybe I should swap files and ldap around.. Hmm I'll try that and see :)
> 
> Even if that does fix it, I think it would be good to be able to run OpenLDAP 
> as early as practical.

Files should definitely come first, and services that start before DAEMON,
and possibly before LOGIN, should really have their necessary users and
groups in local files. Nothing that requires user accounts or performs
actions on behalf of users should start before LOGIN.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
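As an added example (not code from the thread or from the OpenLDAP port), a small POSIX shell check for the two conditions Brooks describes: that `files` precedes `ldap` for the passwd and group databases in nsswitch.conf, and that the account a daemon switches to is present in the local passwd file, so it can be ordered before LOGIN without waiting on slapd. The sample nsswitch.conf and passwd contents are constructed; the uid/gid used for the ldap account is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check the two conditions Brooks gives.
# 1. "files" precedes "ldap" for passwd and group, so lookups made before
#    slapd is up are answered locally instead of waiting for an LDAP timeout.
# 2. The account a daemon switches to exists in the local passwd file, so it
#    can be ordered before LOGIN without any directory lookup at all.
# Constructed samples, not real system files. NSS_ORIG is Daniel's order.
NSS_ORIG='group: ldap files
hosts: files dns
passwd: ldap files'
NSS_FIXED='group: files ldap
hosts: files dns
passwd: files ldap'
# Constructed local entries; uid/gid 389 for "ldap" is an assumption.
PASSWD_LOCAL='root:*:0:0:Charlie &:/root:/bin/csh
ldap:*:389:389:OpenLDAP Server:/nonexistent:/usr/sbin/nologin'

# nss_sources CONFIG DB: print DB's source list, single-spaced, e.g. "files ldap"
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '
        /^[ \t]*#/ { next }
        { key = $0; sub(/:.*/, "", key); gsub(/[ \t]/, "", key) }
        key == db { rest = $0; sub(/^[^:]*:[ \t]*/, "", rest)
                    gsub(/[ \t]+/, " ", rest); print rest; exit }'
}

# files_first CONFIG DB: true when "files" is the first source for DB
files_first() {
    case "$(nss_sources "$1" "$2")" in
        files|"files "*) return 0 ;;
        *)               return 1 ;;
    esac
}
# local_account PASSWD USER: true when USER resolves from local files alone
local_account() {
    printf '%s\n' "$1" | grep -q "^$2:"
}
# safe_before_login CONFIG PASSWD USER: both conditions hold, so a daemon
# running as USER can start before LOGIN without depending on slapd
safe_before_login() {
    files_first "$1" passwd && files_first "$1" group && local_account "$2" "$3"
}

report() {  # report LABEL CONFIG
    if safe_before_login "$2" "$PASSWD_LOCAL" ldap; then echo "$1: ok"
    else echo "$1: passwd/group hit LDAP first; reorder nsswitch.conf"; fi
}
report original "$NSS_ORIG"
report fixed "$NSS_FIXED"
```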