nss_ldap and OpenLDAP client version

Ansar Mohammed ansarm at gmail.com
Sat Jun 10 01:14:16 UTC 2006


One of the more "undocumented" things here is to make sure that in your
/usr/local/etc/nss_ldap.conf your bind_policy is soft.

If not, you will have no end of problems if your ldap server goes down.

Basically if you have in your nsswitch.conf:

passwd: files ldap
group: files ldap

If your ldap server is down, nss_ldap keeps trying to reconnect and a lot of
apps just hang (like top, ls -la, etc.).




> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org [mailto:owner-freebsd-
> questions at freebsd.org] On Behalf Of Joe Shevland
> Sent: May 25, 2006 3:33 AM
> To: freebsd-questions at freebsd.org
> Subject: nss_ldap and OpenLDAP client version
> 
> Hi,
> 
> I'm about to set up my jails so they authenticate against the 'host'
> server using OpenLDAP and nss_ldap, pam_ldap and so on. I've done this
> before but wanted to repeat the process because last time it ended up
> being so much fiddling that when I finished I just left it alone - this
> time I'm documenting it :) I packaged up versions of the port for
> OpenLDAP 2.3 (well, actually 2.4 but that looks to just use 2.3 in any
> case) and then went to package up the nss_ldap port but it's after
> OpenLDAP 2.2 stuff... I guess my question is whether this is intentional
> (i.e. security related), or just a port maintenance issue? I would've
> thought between 2.2->2.3 there's been a few security advisories... I
> only did a lazy lightning google and came across a few
> (http://www.frsirt.com/english/advisories/2005/0947) is perhaps one.
> 
> Anyway, just thought I'd check. As punishment, if this is a stupid
> question or has been answered before, happy to write up a tutorial as I
> go as penance.
> 
> Cheers
> Joe
> 
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe at freebsd.org"
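
The check the reply above recommends, as an added example that is not part of the original thread: a script that reports whether passwd or group lookups go through ldap while bind_policy is anything other than soft. The function names and the sample files are constructed for illustration; a missing bind_policy line is treated as not soft.

```shell
#!/bin/sh
# Added example: warn when passwd/group use ldap without "bind_policy soft".

# Print the sources configured for database $1 in nsswitch file $2.
nss_sources() {
    awk -v db="$1" '{ sub(/#.*/, "") }
        tolower($1) == db ":" { $1 = ""; print tolower($0) }' "$2"
}

# Print the last uncommented bind_policy value in file $1 (empty if none).
bind_policy() {
    awk '{ sub(/#.*/, "") }
        tolower($1) == "bind_policy" { v = tolower($2) }
        END { if (v != "") print v }' "$1"
}

# Usage: check_nss_ldap NSSWITCH_CONF NSS_LDAP_CONF
# Returns 0 when safe, 1 when ldap is consulted and bind_policy is not soft.
check_nss_ldap() {
    nsswitch=$1; ldapconf=$2; uses_ldap=no
    for db in passwd group; do
        case " $(nss_sources "$db" "$nsswitch") " in
            *" ldap "*) uses_ldap=yes; echo "$db: consults ldap" ;;
        esac
    done
    if [ "$uses_ldap" = no ]; then echo "OK: ldap not consulted"; return 0; fi
    policy=$(bind_policy "$ldapconf")
    if [ "$policy" = soft ]; then echo "OK: bind_policy soft"; return 0; fi
    echo "RISK: bind_policy is '${policy:-unset}'; lookups may hang if the LDAP server is down"
    return 1
}

# Constructed sample files, not taken from the original post.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf 'passwd: files ldap\ngroup: files ldap\n' > "$dir/nsswitch.conf"
    printf '# bind_policy soft\nbind_policy hard\n' > "$dir/hard.conf"
    printf 'bind_policy soft\n' > "$dir/soft.conf"
    printf 'passwd: files\ngroup: files\n' > "$dir/files-only.conf"
    echo "$dir"
}

d=$(make_samples)
check_nss_ldap "$d/nsswitch.conf" "$d/hard.conf" || echo "exit status: $?"
check_nss_ldap "$d/nsswitch.conf" "$d/soft.conf"
rm -rf "$d"
```

On a real host, pass the system nsswitch.conf and the /usr/local/etc/nss_ldap.conf named in the reply as the two arguments.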


