SCIENTIFIC-LINUX-USERS Archives

August 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Bill Feero <[log in to unmask]>
Reply To: Bill Feero <[log in to unmask]>
Date: Mon, 29 Aug 2005 16:33:24 -0400
Content-Type: text/plain

Troy,

That was part of it. Local users do not cause a connection to the LDAP server.
The group line in nsswitch.conf always makes a connection to the LDAP server. It could be a local user,
or a remote user.
If I remove ldap from the group line, local users do not cause an LDAP connection.

Why does group work that way? (a rhetorical question)
I've tried it on an older system (RedHat 8) and it does the same thing.

I'll look at the nss group code next.

Bill


On Monday 29 August 2005 3:14 pm, Troy Dawson wrote:
> Hi Bill,
> 
> The line
> 
> account     [default=bad success=ok user_unknown=ignore 
> service_err=ignore system_err=ignore authinfo_unavail=ignore] 
> /lib/security/$ISA/pam_ldap.so
> 
> is the line that is biting you.
> 
> How do you fix it?
> Get rid of it.
> Won't that remove your authentication?
> No, because this is in your account section, you've already passed the 
> authentication section.
> 
> Troy
> 
> Bill Feero wrote:
> > I'm using openLDAP on SL 4. I used authconfig to use LDAP, which modified nsswitch.conf and pam.d/system-auth.
> > I can also login via the local console port.
> > 
> > Everything works if the network is up.
> > 
> > If the network is down (I simulate this by removing the network cable), when I try to login via the console port as a user
> > defined locally, after 60 seconds I get a 'Login timed out' message.
> > 
> > I tried adding a -t 120 to the mgetty line in /etc/inittab, but I still get a 60 second timeout.
> > 
> > I modified the timeouts in /etc/ldap.conf from 30 to 10 seconds, but no luck.
> > 
> > nsswitch.conf lines that include ldap are all like this: files ldap
> > 
> > I know what is happening - I'm trying to contact the LDAP server, and the network is timing out.
> > 
> > How do I lengthen the login timeout, or get LDAP or the network to timeout within the 60 seconds?
> > 
> > 
> > Thanks for any help or ideas.
> > 
> > 
> > ------------------ snippet ldap.conf
> > # Search timelimit
> > #timelimit 30
> > timelimit 10
> > 
> > # Bind timelimit
> > #bind_timelimit 30
> > bind_timelimit 10
> > ------------------------
> > 
> > 
> > -------------------- pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/$ISA/pam_env.so
> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> > auth        required      /lib/security/$ISA/pam_deny.so
> > 
> > account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
> > account     required      /lib/security/$ISA/pam_permit.so
> > 
> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> > password    required      /lib/security/$ISA/pam_deny.so
> > 
> > session     required      /lib/security/$ISA/pam_limits.so
> > session     required      /lib/security/$ISA/pam_unix.so
> > session     optional      /lib/security/$ISA/pam_ldap.so
> > 
> 
> 

-- 
Bill Feero
Logical Solutions, Inc.
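The two things the thread pins down are the `group:` line in nsswitch.conf (contacted for local users too) and the control field on the pam_ldap line in the account stack (which decides whether an unreachable directory blocks or merely delays a login). The following checker, added here and not code from the list or from authconfig, parses both files and reports what a login will do when LDAP is down; the sample configs are constructed from the snippets quoted above.

```python
# Added example for this thread: audit nsswitch.conf and a PAM account stack for
# the LDAP dependencies discussed above. Not code from the list or from authconfig.
# The sample files below are constructed from the ones quoted in the thread.
import re

NSSWITCH = """\
passwd:     files ldap
group:      files ldap
"""
SYSTEM_AUTH = """\
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
"""
# PAM line: type, control (keyword or [retval=action ...]), module path, arguments
PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def nss_ldap_databases(text):
    """Map each nsswitch database that lists ldap to its ordered source list."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            if "ldap" in srcs.split():
                out[db.strip()] = srcs.split()
    return out

def pam_ldap_account_control(text):
    """Control field of the account-stack pam_ldap line: {'_keyword': 'required'} or {retval: action}."""
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())
        if m and m.group(1) == "account" and "pam_ldap" in m.group(3):
            ctrl = m.group(2)
            if ctrl.startswith("["):
                return dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
            return {"_keyword": ctrl}
    return None

def audit(nsswitch, system_auth):
    """Findings on what a login does when the directory is unreachable."""
    findings = []
    # initgroups() at login walks the group database, so 'ldap' there is contacted
    # for local users as well; 'files ldap' only means files are tried first.
    if "group" in nss_ldap_databases(nsswitch):
        findings.append("group: ldap consulted on every login, local users included")
    ctrl = pam_ldap_account_control(system_auth) or {}
    # Bracketed control: PAM_AUTHINFO_UNAVAIL must map to ignore; with a plain
    # keyword only sufficient/optional let the stack continue past a failed pam_ldap.
    tolerant = ctrl.get("authinfo_unavail") == "ignore" or ctrl.get("_keyword") in ("sufficient", "optional")
    if ctrl and tolerant:
        findings.append("account: LDAP outage ignored, but login still waits out the bind timeout")
    elif ctrl:
        findings.append("account: LDAP outage fails the account stack for local users too")
    return findings
```

Run `audit(NSSWITCH, SYSTEM_AUTH)` against the constructed samples to reproduce the situation in the thread: the account stack tolerates the outage, yet the group lookup and the bind timeout still delay every console login.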
