[Working fix] Problems combining nss_ldap/pam_ldap with
pam_mkhomedir in FreeBSD 7.0
Dmitriy Kirhlarov
dimma at higis.ru
Wed Mar 19 05:24:15 PDT 2008
Daniel Bond wrote:
> |> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> |> /usr/local/etc/ldap.conf -> openldap/ldap.conf
> |
> | I'm not sure is it correct.
> | etc/ldap.conf and etc/openldap/ldap.conf -- different files for
> | different purposes.
> | etc/nss_ldap.conf -> etc/ldap.conf -- it's correct.
> |
>
> The ldap.conf file is only used for nss_ldap and pam_ldap, so I don't
> suppose it really matters where the config-file resides.
etc/ldap.conf can be used by sudo, for example.
etc/openldap/ldap.conf -- library config.
> You are absolutely correct, when I change *bind_policy* to *hard*, the
> problem goes away, nss_ldap stops whining about contacting server in
> /var/log/auth.log. SSH with pubkey-exchange or password authentication
> also works with bind_policy hard.
Ok. Next.
I'm sorry, but this solution little dangerous.
When your ldap server unreachable, nss_ldap trying to connect again and
again and doesn't switched to next method, described in /etc/nsswitch.conf.
For example, if your computer must get IP over dhcpd, OS need uid for
dhclient and ask it from nss_ldap, but nss_ldap can't connect to ldap
server, because computer doesn't have IP address.
When you are using bind_policy hard, you also need tune bind_timelimit
and idle_timelimit in ldap.conf and use "files [Status=Action] ldap" in
/etc/nsswitch.conf, where Status and Action must be choosen.
> Allthough it would be nice to have "bind_policy soft" working properly
Yes. It's realy fine option, but I don't sure about source of problem
(OS version or nss_ldap) and doesn't know, how to debug this issue.
WBR.
Dmitriy
More information about the freebsd-stable
mailing list