Re: nsswitch.conf, ldap, local groups problem

On Wed, 2008-08-27 at 18:19 -0400, Stephen Harris wrote:
> On Wed, Aug 27, 2008 at 05:07:26PM -0400, Mark Hennessy wrote:
> > With networking, no trouble at all, but with those timeouts of 30  
> > seconds and without those changes to nsswitch.conf, it takes a while  
> > for the first root login to succeed even though it is using local auth.
> 
> If you have ldap groups and the ldap server isn't reachable then logins
> _can_ take a long time (depending on why the ldap server isn't reachable;
> if a "telnet ldapserver ldap" returns immediately then it shouldn't) because
> a login has to go through _every_ group to determine if you're in the
> group or not.
> 
> It doesn't do a "getent group blah" it does the equivalent of
>   while (getgrent())
>   {
>   }
> which means it tries to parse the whole local _and_ ldap group entries.
> 
> It needs to do this to get your secondary group list.
> 
> Even root would need to do this.
----
That's why I suggested the changes to /etc/ldap.conf to time limit and
to tell it not to bother with certain users.

Craig

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
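
The full group walk described in the quoted message, written out as an added example that is not part of the original thread: it enumerates every group entry the "group:" line in nsswitch.conf provides, collects the groups that list a given user as a member, and times the walk so a slow or unreachable source shows up as elapsed seconds. The function names `scan_groups_for_user` and `elapsed_seconds` and the default user `root` are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* getgrent() and clock_gettime() prototypes */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* Walk every group entry from every configured source and record the GIDs
 * of groups whose member list contains `user`. Returns the number of
 * matching groups (only the first `max` are stored in `out`); `*scanned`
 * receives the total number of group entries parsed. */
static int scan_groups_for_user(const char *user, gid_t *out, int max,
                                int *scanned)
{
    struct group *gr;
    int found = 0;

    *scanned = 0;
    setgrent();                               /* rewind all group sources */
    while ((gr = getgrent()) != NULL) {       /* one entry per call */
        (*scanned)++;
        for (char **m = gr->gr_mem; m && *m; m++) {
            if (strcmp(*m, user) == 0) {
                if (found < max)
                    out[found] = gr->gr_gid;
                found++;
                break;
            }
        }
    }
    endgrent();
    return found;
}

/* Difference b - a in seconds. */
static double elapsed_seconds(struct timespec a, struct timespec b)
{
    return (double)(b.tv_sec - a.tv_sec) + (b.tv_nsec - a.tv_nsec) / 1e9;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";   /* assumed default */
    gid_t gids[64];
    int scanned;
    struct timespec t0, t1;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    int n = scan_groups_for_user(user, gids, 64, &scanned);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    printf("%s: %d secondary groups, %d entries scanned, %.3f s\n",
           user, n, scanned, elapsed_seconds(t0, t1));
    return 0;
}
```

Running it once with the directory server reachable and once without gives a direct measurement of how much of the login delay comes from group enumeration.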
