Using [Open]LDAP for authentication

Dominique Goncalves dominique.goncalves at gmail.com
Thu Jan 19 23:41:44 PST 2006


Hi,

On 1/20/06, Daniel O'Connor <doconnor at gsoft.com.au> wrote:
> Hi,
> I use OpenLDAP for authentication in conjunction with nss_ldap and pam_ldap
> (and samba). I use the RCORDER port option so it puts the startup file
> in /etc/rc.d.
>
> In 5.4 this worked fine - it started up correctly and in the right place.
> However I upgraded to 6.0-STABLE (11/12/05) and when I ran mergemaster I
> accidentally told it to delete the rc.d file (doh..) I then upgraded to a
> slightly later version of openldap (a newer version of openldap23-server).
>
> The problem now is that OpenLDAP appears to start very late; since lots of
> things need to do nss_ldap lookups, it means bootup is very glacial as they
> time out.
>
> In the end I hacked up /etc/rc.d/SERVERS to require slapd and took the SERVERS
> requirement out of /etc/rc.d/slapd
>
> I wonder if there should be another dummy rc.d file which marks where services
> that supply passwd/group/etc information are available and then SERVERS can
> depend on that (because a lot of servers need to be able to change to another
> user ID after starting).
>
> Then again maybe my nsswitch.conf is broken as I have..
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
>
> Maybe I should swap files and ldap around.. Hmm I'll try that and see :)
>
> Even if that does fix it, I think it would be good to be able to run OpenLDAP
> as early as practical.

I recently reported a problem with the same symptoms [1], but I use the
order "files ldap" in my nsswitch.conf.

All examples I found on the internet use this order. And if I understand
correctly, this order means that if a user is not found in files, then it
tries ldap?

[1] http://lists.freebsd.org/pipermail/freebsd-questions/2006-January/110581.html

> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
>   -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

Regards.
--
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."
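As an added illustration (not code from either message) of why Daniel's rc.d edit had to touch both files: a toy rcorder(8) that sorts constructed rc.d headers by their PROVIDE/REQUIRE lines. It shows slapd landing after SERVERS while the slapd script still requires SERVERS, landing before it once SERVERS requires slapd and that requirement is removed from slapd, and a dependency cycle if only the first of those two edits is made. The header text and the "sshd" stand-in daemon are constructed for the example.

```python
# Toy model of FreeBSD rcorder(8): sort rc.d scripts by PROVIDE/REQUIRE headers.
# Added example, not code from the thread; the rc.d headers below are constructed.
import re

def parse_headers(text):
    """Collect keywords from '# PROVIDE:' and '# REQUIRE:' header lines."""
    provides, requires = set(), set()
    for line in text.splitlines():
        m = re.match(r"#\s*(PROVIDE|REQUIRE):\s*(.*)", line)
        if m:
            (provides if m.group(1) == "PROVIDE" else requires).update(m.group(2).split())
    return provides, requires

def rcorder(scripts):
    """Start order of script names; ValueError on a cycle (real rcorder warns and continues)."""
    meta = {name: parse_headers(text) for name, text in scripts.items()}
    provider = {kw: name for name, (prov, _) in meta.items() for kw in prov | {name}}
    deps = {name: {provider[r] for r in req if r in provider} for name, (_, req) in meta.items()}
    order, state = [], {}          # state: 1 = on the current path, 2 = already emitted
    def visit(n, path):
        if state.get(n) == 2:
            return
        if state.get(n) == 1:
            raise ValueError("dependency cycle: " + " -> ".join(path + [n]))
        state[n] = 1
        for d in sorted(deps[n]):
            visit(d, path + [n])
        state[n] = 2
        order.append(n)
    for n in sorted(scripts):
        visit(n, [])
    return order

def starts_before(scripts, first, second):
    order = rcorder(scripts)
    return order.index(first) < order.index(second)
# Constructed, simplified headers. 'sshd' stands for any daemon that REQUIREs SERVERS
# and resolves users through nss_ldap, so it stalls on timeouts if slapd is not up yet.
SHIPPED = {
    "NETWORKING": "# PROVIDE: NETWORKING",
    "SERVERS":    "# PROVIDE: SERVERS\n# REQUIRE: NETWORKING",
    "slapd":      "# PROVIDE: slapd\n# REQUIRE: NETWORKING SERVERS",  # the REQUIRE Daniel removed
    "sshd":       "# PROVIDE: sshd\n# REQUIRE: SERVERS",
}
# Daniel's hack: SERVERS requires slapd, and slapd no longer requires SERVERS.
HACKED = dict(SHIPPED, SERVERS="# PROVIDE: SERVERS\n# REQUIRE: NETWORKING slapd",
              slapd="# PROVIDE: slapd\n# REQUIRE: NETWORKING")
# Only the first half of the hack leaves SERVERS and slapd requiring each other: a cycle.
HALF_HACKED = dict(SHIPPED, SERVERS=HACKED["SERVERS"])
```

Real rcorder sorts by the keywords only and makes no promise about the relative order of scripts that share the same dependencies, which is why Daniel's marker-script idea needs every user-lookup-dependent daemon to REQUIRE the marker rather than rely on luck.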


More information about the freebsd-stable mailing list