nsswitch and unavailable backends
Eugene M. Zheganin
emz at norma.perm.ru
Mon Mar 5 12:07:33 UTC 2012
I'm trying to set up LDAP user authentication. I use net/nss_ldap and
security/pam_ldap ports to do this.
I'm doing this following the article from the documentation set. Though
it's not that complete and misses some very important stuff, I've
actually set up the LDAP installations and my users are able to
successfully authenticate and log in on my servers.
Then I ran into a serious issue. :) When the LDAP server is
off/unavailable, users cannot log in - I mean, even the local users.

    group: files ldap
    hosts: files dns
    passwd: files ldap

If I remove ldap - all is fine, of course, besides the fact that this
breaks the LDAP authentication.
I've read the nsswitch manual and saw that I can handle the unavailable
LDAP server with some action flags, but the default action is 'continue'
already. I also tried the [notfound=return unavail=return
tryagain=return] mantra (it's harmless to try since it's the last
backup) but this didn't work either.
sshd crashes with signal 11, crond does the same. Sad.
On a machine running the LDAP server the situation is even funnier: the LDAP
server, even having a local account to work under, still tries to query
itself on start, making the startup impossible.
Can this situation be solved?
Right now I remove 'ldap' backend, start the slapd, add ldap backends
again and so on.
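
The lookup order the post relies on can be modelled from the status/action rules in nsswitch.conf(5). This is an added example, not part of the original message: `parse_line` and `resolve` are hypothetical helper names, the third configuration line is constructed, and the model covers only the dispatcher rules, not the behaviour of the nss_ldap module itself.

```python
import re

# Default actions per nsswitch.conf(5): only "success" stops the search.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse 'db: src [status=action ...] src' into (db, [(src, actions)])."""
    db, rest = line.split("#", 1)[0].split(":", 1)
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|[^\s\[\]]+", rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError("criteria must follow a source")
            for crit in tok[1:-1].split():
                status, action = crit.lower().split("=", 1)
                if status not in DEFAULTS or action not in ("return", "continue"):
                    raise ValueError("bad criterion: " + crit)
                # Criteria modify the source that precedes them.
                sources[-1][1][status] = action
        else:
            sources.append((tok, dict(DEFAULTS)))
    return db.strip(), sources

def resolve(sources, status_of):
    """Walk sources in order; status_of maps source -> status of this lookup.
    Returns (final_status, last_source, sources_consulted)."""
    consulted, status, src = [], "notfound", None
    for src, actions in sources:
        status = status_of[src]
        consulted.append(src)
        if actions[status] == "return":
            break
    return status, src, consulted

if __name__ == "__main__":
    # Constructed scenario: a local account is looked up while LDAP is down.
    ldap_down = {"files": "success", "ldap": "unavail"}
    for conf in ("passwd: files ldap",
                 "passwd: files ldap [notfound=return unavail=return tryagain=return]",
                 "passwd: ldap [unavail=return] files"):  # constructed ordering
        db, sources = parse_line(conf)
        print(conf, "->", resolve(sources, ldap_down))
```

Under these rules a local account is answered by `files` before `ldap` is consulted, and criteria placed after the last source change nothing; they only matter when another source follows.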