>>>>> "Luke" == Luke Howard <lukeh@PADL.COM> writes:

  >> *console* of a machine. That machine only has pam_ldap
  >> configured for SSH. The only relevant thing in the
  >> configuration for login is pam_unix. The login took 30 seconds
  >> while LDAP timed out.

  Luke> These timelimits are configurable in ldap.conf, but
  Luke> different LDAP client libraries honour these to different
  Luke> degrees.

True. However, I should have re-cited something I wrote further back in
the thread:

  Martin> The reason I want to do this is that I don't want pam_ldap
  Martin> to be used at all when my locally defined users are
  Martin> logging in. I see this as a sensible policy that promotes
  Martin> reliability. For example, I will always be able to log in as
  Martin> root, without delay, even if my network is down, pam_ldap
  Martin> is broken or, worse still, if there's a bug in libldap*
  Martin> that causes a SIGSEGV. I don't want to run code that is
  Martin> irrelevant to my locally defined users, particularly root.

I suspect that no matter what the timeouts are set to, a serious bug in
libldap* will mean that they won't be honoured at all... :-(

Hmmm, I suppose login probably crashes very quickly... :-)

In a previous reply to Sam I commented that we're getting close to a
solution. Given pam_unix's reliance on NSS (and therefore, in my case,
on LDAP) for (building the group list for) locally defined users, I no
longer think this is true. pam_unix is too general to be useful for
being able to reliably log in as my locally defined users, particularly
root.

If I implement a local_only option on pam_unix might it be accepted into
pam_unix? Please? Andrew?

peace & happiness,
martin
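The behaviour Martin is asking for (a pam_unix that resolves a local user and that user's group list from the local files only, so that getpwnam(3)/getgrouplist(3) and therefore NSS, libldap and the network are never touched) can be sketched as follows. This is an added illustration of the proposed local_only idea, not code from pam_unix, Linux-PAM or pam_ldap, and no such option exists in the thread's pam_unix. It parses passwd- and group-format text directly; the sample records are constructed for the example, and a real module would read /etc/passwd and /etc/group (e.g. via fgetpwent(3)/fgetgrent(3)) and still need shadow handling, which is omitted here.

```c
/* local_only sketch: resolve a user and supplementary groups from
 * passwd/group formatted text only. No NSS calls, so no LDAP client
 * code, timeouts, or crashes can affect a local (e.g. root) login.
 * Added example, not pam_unix's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GROUPS 32
#define MAX_LINE   512

/* Constructed sample data in /etc/passwd and /etc/group format. */
static const char *const sample_passwd =
    "root:x:0:0:root:/root:/bin/sh\n"
    "martin:x:1000:1000:Martin:/home/martin:/bin/sh\n";

static const char *const sample_group =
    "root:x:0:\n"
    "wheel:x:10:root,martin\n"
    "martin:x:1000:\n"
    "adm:x:4:martin,someone\n";

struct local_user {
    char name[64];
    long uid;
    long gid;
};

/* Copy the next line of *text (without the newline) into buf and advance
 * *text. Returns 0 when the text is exhausted. */
static int next_line(const char **text, char *buf, size_t buflen)
{
    const char *p = *text;
    const char *nl;
    size_t len;
    if (*p == '\0')
        return 0;
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *text = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Split buf in place on sep into at most n fields; returns fields found.
 * A trailing separator yields an empty final field, as in "root:x:0:". */
static int split(char *buf, char sep, char **fields, int n)
{
    int count = 0;
    char *p = buf;
    while (count < n) {
        char *q;
        fields[count++] = p;
        q = strchr(p, sep);
        if (!q)
            break;
        *q = '\0';
        p = q + 1;
    }
    return count;
}

/* Files-only replacement for getpwnam(3). Returns 1 if name is local. */
int local_lookup_user(const char *passwd_text, const char *name,
                      struct local_user *out)
{
    char line[MAX_LINE];
    char *f[7];
    while (next_line(&passwd_text, line, sizeof line)) {
        if (split(line, ':', f, 7) < 4 || strcmp(f[0], name) != 0)
            continue;
        snprintf(out->name, sizeof out->name, "%s", f[0]);
        out->uid = strtol(f[2], NULL, 10);
        out->gid = strtol(f[3], NULL, 10);
        return 1;
    }
    return 0;
}

/* Files-only replacement for getgrouplist(3): primary gid first, then
 * every group whose member list names the user. Returns the count, or
 * -1 if more than max groups would be needed. */
int local_group_list(const char *group_text, const char *name,
                     long primary_gid, long *gids, int max)
{
    char line[MAX_LINE];
    char *f[4], *members[64];
    int n = 0, m, i;
    if (max < 1)
        return -1;
    gids[n++] = primary_gid;
    while (next_line(&group_text, line, sizeof line)) {
        long gid;
        if (split(line, ':', f, 4) < 4)
            continue;
        gid = strtol(f[2], NULL, 10);
        if (gid == primary_gid)
            continue;                  /* already listed as primary */
        m = split(f[3], ',', members, 64);
        for (i = 0; i < m; i++) {
            if (strcmp(members[i], name) == 0) {
                if (n >= max)
                    return -1;
                gids[n++] = gid;
                break;
            }
        }
    }
    return n;
}

int main(void)
{
    struct local_user u;
    long gids[MAX_GROUPS];
    int n, i;
    if (!local_lookup_user(sample_passwd, "martin", &u)) {
        puts("martin: not a local user, hand off to pam_ldap");
        return 1;
    }
    n = local_group_list(sample_group, u.name, u.gid, gids, MAX_GROUPS);
    printf("%s uid=%ld gid=%ld groups:", u.name, u.uid, u.gid);
    for (i = 0; i < n; i++)
        printf(" %ld", gids[i]);
    putchar('\n');
    return 0;
}
```

The point of the sketch is the negative space: nothing in it can block on a socket or dereference memory owned by an LDAP library, which is exactly the property a console root login wants. A module built on it would fall through to the rest of the PAM stack (pam_ldap) only when local_lookup_user returns 0.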