how to make nss_ldap stop complaining about unreachable servers?

Christopher J. Ruwe cjr at
Thu Feb 20 13:48:10 UTC 2014

For educational purposes, I have set up my systems to use an MIT
Kerberos V server for authentication. Authorization (to this moment
only the passwd and group DB) is served by an OpenLDAP server.

The logic is that if a user is present locally (/etc/passwd), this
should take precedence over networked authentication and
authorization. The reason is that I do not want to wait for timeouts
when disconnected from my local network on my notebooks. Only if local
auths (both) fail, networked auths via krb5 and LDAP should kick in.

My authentication setting in /etc/pam.d/system is

auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient             no_warn try_first_pass
auth            sufficient             no_warn try_first_pass
auth            required             no_warn try_first_pass nullok

Doubling pam_unix is done so that even if a local user exists and
would take precedence, I still get Kerberos tickets for SSO.

The rest of /etc/pam.d/system is left untouched, I want Kerberos for
authentication only.

In /etc/nsswitch.conf, I have configured the passwd and group databases
to rely on files and ldap in that order.

group: files ldap
passwd: files ldap

I have configured nss_ldap to use my LDAP server, set timelimit and
bind_timelimit low ("2") and bind_policy to "soft" and set 
nss_connect_policy to "oneshot".

Everything works fine, _except_ that when disconnected, nearly every
service on my system is bugging me with for instance "cron[1394]:
nss_ldap: could not search LDAP server - Server is unavailable", which
bloats my logs.

How can I make nss_ldap less verbose? From nss_ldap(5), I gather
that there is no setting in nss_ldap.conf:

 debug <level>
   Specifies  the  debug  level used for logging by the LDAP client
   library. This feature is not supported by all client  libraries,
   and  does  not  apply to the nss_ldap and pam_ldap modules them-
   selves (debugging, if any, is configured separately and  usually
   at compile time).

Thanks and cheers,
-- 
TZ:         GMT + 1h
GnuPG/GPG:  0xE8DE2C14
FreeBSD 9.2-STABLE #1 r256184: Thu Oct 10 19:12:54 CEST 2013
cjr at 
Punctuation matters:
"Lets eat Grandma." or "Lets eat, Grandma." - Punctuation saves lives.
"A panda eats shoots and leaves." or "A panda eats, shoots, and
leaves." - Punctuation teaches proper biology.

"With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead." (RFC 1925)
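A small checker for the two things the post relies on, added here as an example and not part of the original message or of nss_ldap: it parses an nsswitch.conf and an nss_ldap.conf (both constructed samples embedded inline, with a placeholder URI and base) and reports when "ldap" would be consulted before "files" for the passwd and group databases, or when timelimit, bind_timelimit and bind_policy would let a lookup block on an unreachable server. The 5-second threshold is an assumption, not a value from the post.

```python
"""Check nsswitch.conf / nss_ldap.conf for 'local files first, fail fast' settings.

Added example: the two config texts below are constructed samples, not copies
of any real host's files.
"""

# Constructed sample of /etc/nsswitch.conf, mirroring the ordering in the post.
SAMPLE_NSSWITCH = """\
# nsswitch.conf (constructed sample)
group: files ldap
passwd: files ldap
hosts: files dns
"""

# Constructed sample of nss_ldap.conf using the keys named in the post.
# uri/base are placeholders (.invalid TLD), not a real directory.
SAMPLE_NSS_LDAP = """\
# nss_ldap.conf (constructed sample)
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
timelimit 2
bind_timelimit 2
bind_policy soft
nss_connect_policy oneshot
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}, ignoring comments, blank lines
    and action specifiers such as [NOTFOUND=return]."""
    dbs = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        db, sources = line.split(':', 1)
        dbs[db.strip()] = [tok for tok in sources.split() if not tok.startswith('[')]
    return dbs


def parse_key_value(text):
    """Parse the whitespace-separated 'key value' format of nss_ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def check_local_first(dbs, databases=('passwd', 'group')):
    """Findings for databases where 'ldap' is consulted before 'files'."""
    findings = []
    for db in databases:
        sources = dbs.get(db, [])
        if 'ldap' not in sources:
            continue  # no network lookup at all, nothing to block on
        if 'files' not in sources or sources.index('files') > sources.index('ldap'):
            findings.append(f"{db}: 'ldap' consulted before local files ({' '.join(sources)})")
    return findings


def check_timeouts(conf, max_seconds=5):
    """Findings for settings that let a lookup hang when the server is down.
    max_seconds is an assumed threshold for 'fails fast enough'."""
    findings = []
    for key in ('timelimit', 'bind_timelimit'):
        val = conf.get(key)
        if val is None:
            findings.append(f"{key} not set (library default applies; may block for a long time)")
        elif not val.isdigit() or int(val) > max_seconds:
            findings.append(f"{key}={val} exceeds {max_seconds}s")
    # nss_ldap defaults to a hard bind policy, which keeps retrying the server.
    if conf.get('bind_policy', 'hard') != 'soft':
        findings.append("bind_policy is not 'soft': lookups retry the server instead of failing fast")
    return findings


def audit(nsswitch_text, nss_ldap_text):
    """Run both checks and return the combined list of findings (empty = OK)."""
    return (check_local_first(parse_nsswitch(nsswitch_text))
            + check_timeouts(parse_key_value(nss_ldap_text)))


if __name__ == '__main__':
    for finding in audit(SAMPLE_NSSWITCH, SAMPLE_NSS_LDAP) or ['OK: local first, short timeouts']:
        print(finding)
```

Point the two text arguments at the real /etc/nsswitch.conf and nss_ldap.conf contents to audit a host; the checker only reads configuration and never contacts the LDAP server, so it runs the same whether the network is up or not.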