On Wed, 2008-08-27 at 18:19 -0400, Stephen Harris wrote: > On Wed, Aug 27, 2008 at 05:07:26PM -0400, Mark Hennessy wrote: > > With networking, no trouble at all, but with those timeouts of 30 > > seconds and without those changes to nsswitch.conf, it takes a while > > for the first root login to succeed even though it is using local auth. > > If you have ldap groups and the ldap server isn't reachable then logins > _can_ take a long time (depending on why the ldap server isn't reachable; > if a "telnet ldapserver ldap" returns immediately then it shouldn't) because > a login has to go through _every_ group to determine if you're in the > group or not. > > It doesn't do a "getent group blah" it does the equivalent of > while (getgrent()) > { > } > which means it tries to parse the whole local _and_ ldap group entries. > > It needs to do this to get your secondary group list. > > Even root would need to do this. ---- that's why I suggested the changes to /etc/ldap.conf to time limit and to tell it not to bother with certain users Craig _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos