Tom Lanyon wrote:
> On 05/02/2010, at 3:16 AM, Sean Carolan wrote:
>
>
>>> What is listed in your /etc/nsswitch.conf for passwd, shadow and group?
>>>
>> Here's what I have on one of the clients:
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>>
>>> If you do not have an entry for 'files' then the local /etc/{passwd,shadow,group} files will not be searched.
>>>
>> Should it not try "files" first? I'm still seeing that when the LDAP
>> server is down, I can't log onto the client machines at all. Logging
>> in as root works, but logging in as a normal user doesn't. Any
>> suggestions?
>>
>
> Yes, it should...
>
It probably does. The fun starts when it has to check every LDAP group
to see if that person is a member of one of them, and for that it *must*
go to LDAP, regardless of the order in nsswitch.conf.
You can disable that behavior on an account-by-account basis using the
nss_initgroups_ignoreusers in ldap.conf, and there may be other ways.
One alternative may just be to set the LDAP timeout short enough that
the login timeout doesn't kick in before the LDAP one does. There may
be others as well.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
