This is just the way it is with pam/nss_ldap as bundled in RHEL3 and RHEL4. There is no easy fix. If you like, you can reduce bind_timelimit to something very small. But this still isn't much of a solution, since clients will definitely notice when the primary is down. It's possible that newer versions of pam/nss_ldap handle failover more elegantly (I've seen notes to this effect in their Changelog). I haven't tested this myself yet. Another possibility is to put some kind of load balancer in front of your LDAP servers, which hides from clients the failure of any individual LDAP server. Hai Wu wrote: > Hi, > > We are using fedora 1.0.4, When the first ldap server dies and does not ping, > the clients can still bind to second server but it is very slow to do > anything on clients, opening a terminal or listing a dir takes a few > seconds. I find when ldap service is down on the first server but > server it still up and pingable, there is no delay on clients at all, > so I have the workaround to set up a eth0:0 on second ldap server(or > any other machine) to assume the IP of the first ldap server when > first ldap server does not ping. > > Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have > only Rhel 3 and 4 clients. Any idea how to fix this? > > Thanks > Mark > > /etc/ldap.conf > host 1.1.1.1 2.2.2.2 > port 636 > ldap_version 3 > base o=unix,dc=company,dc=com > scope sub > timelimit 5 > bind_timelimit 3 > pam_filter objectclass=posixAccount > pam_login_attribute uid > pam_member_attribute memberUid > pam_password crypt > idle_timelimit 3600 > > /etc/openldap/ldap.conf > BASE o=unix,dc=company,dc=com > HOST 1.1.1.1 2.2.2.2 > PORT 636 > > SIZELIMIT 0 > TIMELIMIT 0 > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >
