Re: failover works but very slow.

I just want to add that our SUSE 10 clients do not have this problem at all.

Interesting!
Do you know what versions of pam_ldap and nss_ldap are used on those clients?



Hai Wu wrote:
I just want to add that our SUSE 10 clients do not have this problem at all.

On 9/11/07, George Holbert <gholbert@xxxxxxxxxxxx> wrote:
Thanks for your quick reply. It is hard to believe Redhat's Fedora DS
has such a problem on their OS.
Actually this is more related to the pam and nss_ldap libraries from
PADL, which RedHat (and pretty much everyone else) bundles with their Linux.
It's unlikely that recent improvements to PADL's software will show up
in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat.


Hai Wu wrote:
Thanks for your quick reply. It is hard to believe Redhat's Fedora DS
has such a problem on their OS.
I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the
delay to an acceptable (but still noticeable) level. I think we will
do this if there is no side effect to having such a small
bind_timelimit. In the meantime, I will stick to my
taking-primary-IP workaround, which reduces the delay to zero.

On 9/11/07, George Holbert <gholbert@xxxxxxxxxxxx> wrote:

This is just the way it is with pam/nss_ldap as bundled in RHEL3 and
RHEL4.  There is no easy fix.
If you like, you can reduce bind_timelimit to something very small.  But
this still isn't much of a solution, since clients will definitely
notice when the primary is down.
It's possible that newer versions of pam/nss_ldap handle failover more
elegantly (I've seen notes to this effect in their Changelog).  I
haven't tested this myself yet.
Another possibility is to put some kind of load balancer in front of
your LDAP servers, which hides from clients the failure of any
individual LDAP server.


Hai Wu wrote:

Hi,

We are using Fedora 1.0.4. When the first LDAP server dies and does not ping,
the clients can still bind to the second server, but it is very slow to do
anything on clients; opening a terminal or listing a dir takes a few
seconds. I find that when the LDAP service is down on the first server but
the server is still up and pingable, there is no delay on clients at all,
so I have the workaround of setting up an eth0:0 on the second LDAP server (or
any other machine) to assume the IP of the first LDAP server when
the first LDAP server does not ping.

Please see our /etc/ldap.conf and /etc/openldap/ldap.conf. We have
only RHEL 3 and 4 clients. Any idea how to fix this?

Thanks
Mark

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST 1.1.1.1 2.2.2.2
PORT 636

SIZELIMIT 0
TIMELIMIT 0



--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
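
The difference reported in the thread (no delay when the primary is up but its LDAP service is stopped, a multi-second delay when the host does not ping) matches a refused TCP connection failing at once while an unanswered one waits out bind_timelimit. The script below is an added diagnostic example, not code from the thread or from PADL: it parses the host, port and bind_timelimit lines of a pam/nss_ldap-style config and classifies each server. The function names, the fallback defaults and the simple "one full bind_timelimit per dead host" delay model are assumptions.

```python
import socket
import time

# Constructed sample mirroring the /etc/ldap.conf quoted in the thread.
SAMPLE_CONF = """\
host 1.1.1.1 2.2.2.2
port 636
timelimit 5
bind_timelimit 3
"""

def parse_ldap_conf(text):
    """Return (hosts, port, bind_timelimit) from pam/nss_ldap-style config text."""
    hosts, port, bind_tl = [], 389, 30  # fallback defaults are assumptions
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            hosts = value.split()
        elif key == "port":
            port = int(value)
        elif key == "bind_timelimit":
            bind_tl = int(value)
    return hosts, port, bind_tl

def probe(host, port, timeout):
    """Classify one server as 'open', 'refused', 'timeout' or 'error', with elapsed seconds."""
    start = time.monotonic()
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        state = "open"
    except ConnectionRefusedError:
        state = "refused"   # host up, service down: fails immediately
    except socket.timeout:
        state = "timeout"   # host silent: the client waits the full timeout
    except OSError:
        state = "error"     # e.g. network unreachable, usually a fast failure
    return state, time.monotonic() - start

def failover_delay(states, bind_timelimit):
    """Seconds lost before the first 'open' server when hosts are tried in order."""
    delay = 0
    for state in states:
        if state == "open":
            return delay
        if state == "timeout":
            delay += bind_timelimit
    return None  # no server answered
```

Running `probe()` over the parsed host list from a client, with the configured bind_timelimit as the timeout, shows which servers fall into the slow "timeout" case.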
