Last weekend the computer on which my LDAP server runs crashed, and it became impossible to log in on any other Linux system in the network, even with a local (root) account.
My network contains two physically different LDAP servers, and when I bring down the LDAP software on one server, the rest of the computers in the network immediately start using the other LDAP server, because TCP/IP (on the first server) denies the connection made to the LDAP port.
However, when I turn off the first LDAP server's computer, TCP/IP is no longer able to deny an attempt to make a connection to the LDAP port, and I suspect that the pam_ldap module (on a random client PC) starts waiting for ages before it eventually moves to the second server (it does move, but really, it takes very long, and I suspect these delays accumulate).
Does anybody know whether what I suspect is right: does the pam_ldap module wait very long when a connection attempt is not immediately denied? And, if so, does anybody know a remedy?
Many thanks in advance!
Maarten Buiter
PS: this is my /etc/pam.d/system-auth, my pam.conf follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
And this is my /etc/ldap.conf
# Our two LDAP servers, now located on beer and duvel
host ldap1.ourdomain.com ldap2.ourdomain.com
# The (base) distinguished name of the search tree
base dc=ourdomain,dc=com
# rootbinddn
# the name of the person who is allowed to modify
# the LDAP database, for example change other people's
# passwords
# Its corresponding password is given in /etc/ldap.secret
rootbinddn cn=justaname,dc=ourdomain,dc=com
# Where do we search
scope sub
# The hashing algorithm libc uses to encrypt passwords
# Normally this defaults to MD5 hashing
pam_password crypt
# The ID attribute in the database the authentication
# module looks for.
pam_login_attribute name:
# Use TLS security
ssl start_tls
_______________________________________________ Pam-list@xxxxxxxxxx https://listman.redhat.com/mailman/listinfo/pam-list
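The remedy a practitioner would usually try for the symptom described above (a powered-off host silently drops the TCP SYN, so every pam_ldap/nss_ldap call waits out the full connect and bind timeout before moving to the next entry in "host") is to bound those timeouts and to keep the local root account out of directory lookups altogether. This is an added example, not part of the original post: the option names are PADL pam_ldap/nss_ldap ldap.conf options, the hostnames are taken from the post, and the numeric values are assumptions to be tuned for the site.

```conf
# /etc/ldap.conf - added example of failover/timeout tuning (not from the post).
# Option names are PADL pam_ldap/nss_ldap options; the values are assumptions.

host ldap1.ourdomain.com ldap2.ourdomain.com
base dc=ourdomain,dc=com
scope sub
ssl start_tls

# Weak (implicit) configuration, as in the post: no bind_timelimit or
# timelimit at all, so a host that drops SYNs is waited for with the
# library default on every PAM and NSS call before the next host is tried.

# Hardened: bound how long a connect+bind and a search may block, per host.
# Seconds to wait for the TCP connect and LDAP bind to one server
bind_timelimit 5
# Seconds to wait for a search result
timelimit 10

# Fail the lookup instead of retrying indefinitely when no server answers,
# so a login fails fast and control returns to pam_unix / local files.
bind_policy soft
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2

# Never ask LDAP for root's supplementary groups: a local root login then
# does not depend on the directory being reachable at all.
nss_initgroups_ignoreusers root
```

With the posted system-auth, pam_unix is already "sufficient" before pam_ldap in the auth stack; the account and session lines still call pam_ldap, which is where the bounded timeouts above matter for local accounts.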