> I just want to add that our SUSE 10 clients do not have this problem at all.

Interesting! Do you know what versions of pam_ldap and nss_ldap are used on those clients?

Hai Wu wrote:
> I just want to add that our SUSE 10 clients do not have this problem at all.
>
> On 9/11/07, George Holbert <gholbert at broadcom.com> wrote:
>>> Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
>>> has such a problem on their OS.
>>>
>> Actually this is more related to the pam and nss_ldap libraries from
>> PADL, which RedHat (and pretty much everyone else) bundles with their Linux.
>> It's unlikely that recent improvements to PADL's software will show up
>> in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat.
>>
>> Hai Wu wrote:
>>> Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
>>> has such a problem on their OS.
>>> I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the
>>> delay to an acceptable (but still noticeable) level. I think we will
>>> do this if there is no side effect to having such a small
>>> bind_timelimit. In the meantime, I will stick to my
>>> taking-primary-IP workaround, which reduces the delay to zero.
>>>
>>> On 9/11/07, George Holbert <gholbert at broadcom.com> wrote:
>>>> This is just the way it is with pam/nss_ldap as bundled in RHEL3 and
>>>> RHEL4. There is no easy fix.
>>>> If you like, you can reduce bind_timelimit to something very small. But
>>>> this still isn't much of a solution, since clients will definitely
>>>> notice when the primary is down.
>>>> It's possible that newer versions of pam/nss_ldap handle failover more
>>>> elegantly (I've seen notes to this effect in their Changelog). I
>>>> haven't tested this myself yet.
>>>> Another possibility is to put some kind of load balancer in front of
>>>> your LDAP servers, which hides from clients the failure of any
>>>> individual LDAP server.
>>>>
>>>> Hai Wu wrote:
>>>>> Hi,
>>>>>
>>>>> We are using fedora 1.0.4. When the first ldap server dies and does not ping,
>>>>> the clients can still bind to the second server, but it is very slow to do
>>>>> anything on the clients: opening a terminal or listing a dir takes a few
>>>>> seconds. I find that when the ldap service is down on the first server but the
>>>>> server is still up and pingable, there is no delay on the clients at all,
>>>>> so I have the workaround to set up an eth0:0 on the second ldap server (or
>>>>> any other machine) to assume the IP of the first ldap server when the
>>>>> first ldap server does not ping.
>>>>>
>>>>> Please see our /etc/ldap.conf and /etc/openldap/ldap.conf; we have
>>>>> only Rhel 3 and 4 clients. Any idea how to fix this?
>>>>>
>>>>> Thanks
>>>>> Mark
>>>>>
>>>>> /etc/ldap.conf
>>>>> host 1.1.1.1 2.2.2.2
>>>>> port 636
>>>>> ldap_version 3
>>>>> base o=unix,dc=company,dc=com
>>>>> scope sub
>>>>> timelimit 5
>>>>> bind_timelimit 3
>>>>> pam_filter objectclass=posixAccount
>>>>> pam_login_attribute uid
>>>>> pam_member_attribute memberUid
>>>>> pam_password crypt
>>>>> idle_timelimit 3600
>>>>>
>>>>> /etc/openldap/ldap.conf
>>>>> BASE o=unix,dc=company,dc=com
>>>>> HOST 1.1.1.1 2.2.2.2
>>>>> PORT 636
>>>>>
>>>>> SIZELIMIT 0
>>>>> TIMELIMIT 0
>>>>>
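The thread's diagnosis is that a primary whose host is down (no reply to the SYN) costs the client the full bind_timelimit on every new process, while a primary whose host is up but has no LDAP listener answers with a RST and costs nothing. The script below is an added example, not code from the posts or from nss_ldap/pam_ldap: it mimics the in-order host handling the thread describes with plain TCP connects (no LDAP bind, no TLS) and times each attempt, so you can measure the per-lookup cost against your own servers or with the constructed local stand-ins (a listening socket for the healthy secondary, a closed loopback port for a primary with slapd stopped). The file name `ldap_failover_cost.py` and the 1.1.1.1/2.2.2.2 addresses in the usage comment are assumptions; the latter are the placeholders from the thread.

```python
"""Measure what an nss_ldap-style client pays per lookup when an LDAP host fails.

Added example for this thread; not code from the original posts or from
nss_ldap/pam_ldap. It models the in-order host handling the thread describes
with plain TCP connects (no LDAP bind, no TLS); the local listener and closed
port below are constructed stand-ins so the demo runs offline.
"""
import socket
import sys
import time


def probe(host, port, bind_timelimit):
    """One connect attempt bounded by the client's bind_timelimit.

    Returns (state, seconds):
      "ok"      - TCP handshake completed (something is listening)
      "refused" - RST came back at once (host up, no LDAP listener)
      "timeout" - nothing answered within bind_timelimit (host down, SYN dropped)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=bind_timelimit):
            state = "ok"
    except socket.timeout:
        state = "timeout"
    except ConnectionRefusedError:
        state = "refused"
    except OSError as exc:           # e.g. EHOSTUNREACH / ENETUNREACH via ICMP
        state = "error:%s" % (exc.errno,)
    return state, time.monotonic() - start


def time_lookup(servers, bind_timelimit):
    """Mimic one NSS lookup: try servers in order, stop at the first that connects.

    Every new process (a shell, an `ls`) repeats this, which is why a dead
    primary costs bind_timelimit per command rather than once per boot.
    Returns (attempts, total_seconds); attempts are (host, port, state, seconds).
    """
    attempts = []
    total = 0.0
    for host, port in servers:
        state, secs = probe(host, port, bind_timelimit)
        attempts.append((host, port, state, secs))
        total += secs
        if state == "ok":
            break
    return attempts, total


def local_fixture():
    """Constructed offline stand-ins for the two server states in the thread.

    Returns (listener, open_port, closed_port): the listener plays the healthy
    secondary, closed_port plays a primary whose host is up but slapd is down.
    Keep the listener open while probing, then close it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                    # nothing listens here now -> immediate RST
    return listener, open_port, closed_port


def demo(bind_timelimit=1.0):
    """Primary host up but service down, secondary healthy: the refused primary
    costs nothing and the whole lookup finishes well inside bind_timelimit."""
    listener, open_port, closed_port = local_fixture()
    try:
        servers = [("127.0.0.1", closed_port), ("127.0.0.1", open_port)]
        return time_lookup(servers, bind_timelimit)
    finally:
        listener.close()


if __name__ == "__main__":
    # Against real servers:  python3 ldap_failover_cost.py 636 3 1.1.1.1 2.2.2.2
    # (port, bind_timelimit, then hosts in /etc/ldap.conf order). With no
    # arguments, run the offline demo instead.
    if len(sys.argv) >= 4:
        port, limit = int(sys.argv[1]), float(sys.argv[2])
        attempts, total = time_lookup([(h, port) for h in sys.argv[3:]], limit)
    else:
        attempts, total = demo()
    for host, port, state, secs in attempts:
        print("%-16s %5d  %-10s %.3fs" % (host, port, state, secs))
    print("lookup cost: %.3fs" % total)
```

Run it with the primary's cable pulled (or its address blackholed) and you should see a "timeout" of about bind_timelimit for the first host followed by an "ok" for the second, which is the per-command delay the original poster saw; repeat with slapd stopped but the host up and the first line becomes "refused" at close to zero seconds, matching the no-delay case. The IP-takeover workaround and a load balancer both work by making sure the address the clients try first always answers the SYN. One check worth doing while you are in there: the posted /etc/ldap.conf lists `port 636` but no `ssl on` line, and nss_ldap enables TLS only through that directive (or `ssl start_tls`), not from the port number, so verify on a client that the binds are actually encrypted before relying on it.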