how to make nss_ldap stop complaining about unreachable servers?

Christopher J. Ruwe cjr at cruwe.de
Thu Feb 20 13:48:10 UTC 2014



For educational purposes, I have set up my systems to use an MIT
Kerberos V server for authentication. Authorization (to this moment
only the passwd and group DB) is served by an OpenLDAP server.

The logic is that if a user is present locally (/etc/passwd), this
should take precedence over networked authentication and
authorization. The reason is that I do not want to wait for timeouts
when disconnected from my local network on my notebooks. Only if local
auths (both) fail, networked auths via krb5 and LDAP should kick in.

My authentication setting in /etc/pam.d/system is

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_unix.so             no_warn try_first_pass
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

Doubling pam_unix is done so that even if a local user exists and
would take precedence, I still get Kerberos tickets for SSO.

The rest of /etc/pam.d/system is left untouched, I want Kerberos for
authentication only.

In /etc/nsswitch.conf, I have configured the passwd and group databases
to rely on files and ldap in that order.

group: files ldap
passwd: files ldap

I have configured nss_ldap to use my LDAP server, set timelimit and
bind_timelimit low ("2") and bind_policy to "soft" and set 
nss_connect_policy to "oneshot".

Everything works fine, _except_ that when disconnected, nearly every
service on my system is bugging me with for instance "cron[1394]:
nss_ldap: could not search LDAP server - Server is unavailable", which
bloats my logs.

How can I make nss_ldap less verbose? From nss_ldap(5), I gather
that there is no setting in nss_ldap.conf:

 debug <level>
   Specifies the debug level used for logging by the LDAP client
   library. This feature is not supported by all client libraries,
   and does not apply to the nss_ldap and pam_ldap modules
   themselves (debugging, if any, is configured separately and usually
   at compile time).

Thanks and cheers,
-- 
Christopher 
TZ:         GMT + 1h
GnuPG/GPG:  0xE8DE2C14
 
FreeBSD 9.2-STABLE #1 r256184: Thu Oct 10 19:12:54 CEST 2013
cjr at dijkstra.cruwe.de:/usr/obj/usr/home/cjr/media/src/freebsd/base/stable/9/sys/GEN_WDTRACE 
  
Punctuation matters:
"Lets eat Grandma." or "Lets eat, Grandma." - Punctuation saves lives.
"A panda eats shoots and leaves." or "A panda eats, shoots, and
leaves." - Punctuation teaches proper biology.

"With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead." (RFC 1925)
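As an added illustration (not part of the original message or of any PAM implementation), the following script walks the auth stack quoted above using the control-flag semantics documented in pam.conf(5): requisite failure ends the chain, required failure is remembered, sufficient success ends the chain unless a required module already failed. It reports the verdict and which modules actually ran, which is the check to make before relying on module ordering; the module results per scenario are constructed inputs, not claims about how pam_opie or pam_opieaccess behave.

```python
"""Simulate PAM auth-chain evaluation for the stack quoted in the message."""

# Constructed copy of the auth lines from /etc/pam.d/system above.
AUTH_STACK = [
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_unix.so"),
]


def evaluate_chain(stack, results):
    """Walk the chain the way pam_authenticate() does.

    results maps module name -> True (success) or False (failure);
    a module missing from results is treated as failing. The same
    module name appearing twice gets the same result (same credentials).
    Returns (verdict, list_of_modules_that_ran).
    """
    ran = []
    failed_required = False
    for flag, module in stack:
        ran.append(module)
        ok = results.get(module, False)
        if flag == "requisite" and not ok:
            return "fail", ran          # chain ends immediately
        if flag == "required" and not ok:
            failed_required = True      # remembered, chain continues
        if flag == "sufficient" and ok and not failed_required:
            return "success", ran       # immediate success
        # "optional" and a failing "sufficient" do not affect the verdict
    return ("fail" if failed_required else "success"), ran


if __name__ == "__main__":
    # Constructed scenario: local user with a correct password, no OPIE key.
    local_ok = {"pam_opieaccess.so": True, "pam_unix.so": True}
    # Constructed scenario: network-only user, Kerberos password correct.
    krb_only = {"pam_opieaccess.so": True, "pam_krb5.so": True}
    for name, results in (("local user", local_ok), ("krb5 user", krb_only)):
        verdict, ran = evaluate_chain(AUTH_STACK, results)
        print(f"{name}: {verdict}, modules run: {ran}")
```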