Date: Wed, 31 Aug 2005 18:11:14 -0400
Troy (and everyone else)
What I've found out is the group line in /etc/nsswitch.conf (group: files ldap)
will always try to connect to the ldap server.
It also sends a DNS request for its own hostname. That is where the long timeout happens.
If I add the hostname to /etc/hosts, then local users can login even if the network is down.
I don't know why it's doing the DNS request - does anyone have any ideas?
At least now I can have local users login when the network is down.
Bill
On Monday 29 August 2005 3:14 pm, Troy Dawson wrote:
> Hi Bill,
>
> The line
>
> account [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore authinfo_unavail=ignore]
> /lib/security/$ISA/pam_ldap.so
>
> is the line that is biting you.
>
> How do you fix it?
> Get rid of it.
> Won't that remove your authentication?
> No, because this is in your account section, you've already passed the
> authentication section.
>
> Troy
>
> Bill Feero wrote:
> > I'm using OpenLDAP on SL 4. I used authconfig to use LDAP, which modified nsswitch.conf and pam.d/system-auth.
> > I can also login via the local console port.
> >
> > Everything works if the network is up.
> >
> > If the network is down (I simulate this by removing the network cable), when I try to login via the console port as a user
> > defined locally, after 60 seconds I get a 'Login timed out' message.
> >
> > I tried adding a -t 120 to the mgetty line in /etc/inittab, but I still get a 60 second timeout.
> >
> > I modified the timeouts in /etc/ldap.conf from 30 to 10 seconds, but no luck.
> >
> > nsswitch.conf lines that include ldap are all like this: files ldap
> >
> > I know what is happening - I'm trying to contact the LDAP server, and the network is timing out.
> >
> > How do I lengthen the login timeout, or get LDAP or the network to timeout within the 60 seconds?
> >
> >
> > Thanks for any help or ideas.
> >
> >
> > ------------------ snippet ldap.conf
> > # Search timelimit
> > #timelimit 30
> > timelimit 10
> >
> > # Bind timelimit
> > #bind_timelimit 30
> > bind_timelimit 10
> > ------------------------
> >
> >
> > -------------------- pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required /lib/security/$ISA/pam_env.so
> > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> > auth required /lib/security/$ISA/pam_deny.so
> >
> > account required /lib/security/$ISA/pam_unix.so broken_shadow
> > account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
> > account required /lib/security/$ISA/pam_permit.so
> >
> > password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> > password required /lib/security/$ISA/pam_deny.so
> >
> > session required /lib/security/$ISA/pam_limits.so
> > session required /lib/security/$ISA/pam_unix.so
> > session optional /lib/security/$ISA/pam_ldap.so
> >
>
>
--
Bill Feero
Logical Solutions, Inc.
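Added example, not part of the thread above: a small simulator of Linux-PAM stack evaluation, applied to the auth and account stacks from the system-auth file Bill posted. It implements the control-flag semantics documented in pam.conf(5) (the four keywords expanded to their bracketed forms, plus the ok/done/bad/die/ignore actions) and models return codes only, not wall-clock time. The module return values for the "local user, LDAP unreachable" scenario are constructed assumptions; `local_user_network_down` and `run_stack` are names chosen here. It illustrates Troy's point: pam_ldap is never reached in the auth phase because pam_unix is sufficient, it is still called in the account phase (which is where it blocks until the bind timeout), and its authinfo_unavail result is already ignored by the bracketed control, so removing the line changes the delay but not the outcome. The nsswitch group lookup and hostname DNS query Bill tracked down are outside PAM and are not modelled here.

```python
"""Simulate Linux-PAM stack evaluation (pam.conf(5) semantics) for the
system-auth stacks quoted in the thread. Added example; models return
codes, not the time a blocking module spends waiting on the network."""
import re

# Module return codes used in the scenarios (names follow Linux-PAM).
SUCCESS = "success"
AUTH_ERR = "auth_err"
AUTHINFO_UNAVAIL = "authinfo_unavail"
PERM_DENIED = "perm_denied"

# Keyword controls written as the bracketed forms they expand to (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth and account stacks as posted in the thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, phase):
    """Return [(module, {retcode: action}, args)] for one phase of a pam.d file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != phase:
            continue
        control = m.group(2)
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORD_CONTROLS[control]
        module = m.group(3).rsplit("/", 1)[-1]  # drop /lib/security/$ISA/
        entries.append((module, actions, m.group(4)))
    return entries


def run_stack(entries, results):
    """Evaluate a stack; `results` maps module name -> the code it would return.
    Returns (stack result, list of modules that were actually invoked)."""
    status = None   # first contributing return code; None = nothing contributed yet
    failed = False  # a bad/die action has been recorded
    called = []
    for module, actions, _args in entries:
        called.append(module)
        retval = results[module]
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if not failed and status in (None, SUCCESS):
                status = retval
            if action == "done" and not failed:
                break  # 'sufficient' short-circuits only when nothing has failed yet
        elif action in ("bad", "die"):
            if not failed:
                status, failed = retval, True
            if action == "die":
                break
        else:
            raise ValueError(f"unsupported action {action!r} for {module}")
    # Linux-PAM treats a stack in which every module was ignored as a denial.
    return (PERM_DENIED if status is None else status), called


def local_user_network_down(pam_ldap_control=None):
    """Local user (uid 500, password in /etc/shadow) logging in while the LDAP
    server is unreachable. Module results below are constructed for the scenario.
    `pam_ldap_control` optionally replaces the account-phase pam_ldap control."""
    text = SYSTEM_AUTH
    if pam_ldap_control:
        text = re.sub(r"account \[[^\]]*\] (\S+pam_ldap\.so)",
                      f"account {pam_ldap_control} \\1", text)
    results = {
        "pam_env.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_deny.so": AUTH_ERR,
        "pam_succeed_if.so": AUTH_ERR,     # uid 500 does not satisfy 'uid < 100'
        "pam_ldap.so": AUTHINFO_UNAVAIL,   # returned only after the bind timeout expires
        "pam_permit.so": SUCCESS,
    }
    return {"auth": run_stack(parse_stack(text, "auth"), results),
            "account": run_stack(parse_stack(text, "account"), results)}


if __name__ == "__main__":
    for control in (None, "required"):
        print(f"pam_ldap account control = {control or 'as posted'}")
        for phase, (outcome, called) in local_user_network_down(control).items():
            print(f"  {phase:8s} -> {outcome:18s} invoked: {', '.join(called)}")
```

With the control as posted, both phases succeed and pam_ldap appears only in the account phase's invoked list, which is the call that sits waiting on the unreachable server; with `required` in its place the account phase would fail outright with authinfo_unavail, so the bracketed control Troy quoted is what keeps the login possible at all.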