[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Server causing panic?



>>>From experience, there is no actual lockout, but the clients are actually
>>>waiting for an answer from the ldap server, which of course doesn't come.
>>>They usually have a timeout configured somewhere, and if this timeout is
>>>long, then your client machines could wait up to one hour for an answer
>>> from the ldap server.  Try setting the timeout in your ldap.conf and
>>> pam_ldap.conf files to something short, like 5 or 10 seconds.  eg:
>>> "timelimit 5"
>>What platform?  Is an nss cache running, such as nscd?  nss calls are
>>blocking, so a 'hang' is normal,  but in a perfect world it should time
>>out (of course, and then potentially crash).
>SuSE Linux Professional 7.3 and 8.0, tested with openLDAP 1.2.13 and 2.0.23.
>Yes, nscd does run, we have the cache cleaned out every 60 seconds for
>passwords and every 1 hour for group info, so it has virtually no effect on
>authentication, which is what I think Caylan wanted to do.

NSS doesn't have to do with authentication.  But if already running
(authenticated) processes are hanging when the ldap server goes down it
is an nss issue not a pam issue.  Looking up user information happens
all the time and is processed by nss not pam.  

Can you "ps ax" when the LDAP server is down?