
Re: Problem setting up OpenLDAP for user authentication



On Wednesday 05 March 2008 19:54:03 Guennadi Liakhovetski wrote:
> On Wed, 5 Mar 2008, Buchan Milne wrote:
> > On Tuesday 04 March 2008 12:45:18 Guennadi Liakhovetski wrote:
> > > for "passwd", "group", "shadow". Now I would expect that with sequences
> > > ("pam_unix" before "pam_ldap" and "files" before "ldap") indeed locally
> > > known users wouldn't be authenticated using ldap.
> >
> > If it were all just about users, then yes. However, users (either local
> > or in LDAP) can be members of groups in LDAP (or, of course local). So,
> > any function that lists the groups a user is a member of will invoke
> > nss_ldap.
> >
> > > Unfortunately, this
> > > doesn't seem to be the case. Now _all_ nss / pam requests go to the
> > > LDAP server. Including calls from udevd, avahi-daemon, and others,
> > > which causes them to fail in various ways.
> >
> > If you just want to prevent this from delaying bootup, the solution here
> > may just be to add:
> >
> > bind_policy soft
> >
> > to nss_ldap's ldap.conf (/etc/libnss_ldap.conf on Debian I think).
>
> So far my main problem is not delays in the bootup but failing services
> like avahi-daemon, NetworkManager, gpm, etc.

I've never seen this, although my laptop has no real local user accounts 
(system accounts are local, but my user is not), and runs its only ldap 
server locally (which starts after all the usual problematic services such as 
udev, haldaemon etc.).

Are you running nscd? Does nscd start before LDAP is accessible?

Do you have an error message that occurs in this case?

> Are they failing because SASL 
> is not configured?

This has nothing to do with SASL.

Regards,
Buchan
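As an added illustration (not part of the thread, and not nss_ldap's own tooling), the shell functions below audit the two files the thread discusses: which nsswitch.conf databases consult ldap and whether "files" comes before "ldap" in each, and whether nss_ldap's ldap.conf sets "bind_policy soft". The file paths are parameters because the nss_ldap config file name differs by distribution (the thread mentions /etc/libnss_ldap.conf on Debian); the sample files written by demo() are constructed for this example, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf and nss_ldap's ldap.conf for the
# settings discussed in the thread. Assumptions: nsswitch.conf uses the
# usual "db: source source ..." syntax and ldap.conf uses "keyword value".

# Print one line per nsswitch database whose lookup chain includes "ldap",
# followed by "files-first" when "files" is listed before "ldap" (the
# ordering the thread's poster expects) or "ldap-first-or-only" otherwise.
nss_ldap_databases() {
    nsswitch="$1"
    # drop comments, force a space after the database name's colon, then
    # scan each remaining "db: src src ..." line for files/ldap positions
    sed -e 's/#.*//' -e 's/:/: /' "$nsswitch" | awk '
        NF >= 2 && $1 ~ /:$/ {
            db = substr($1, 1, length($1) - 1)
            files_pos = 0; ldap_pos = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files_pos = i
                if ($i == "ldap")  ldap_pos  = i
            }
            if (ldap_pos) {
                order = (files_pos && files_pos < ldap_pos) ? "files-first" : "ldap-first-or-only"
                print db, order
            }
        }'
}

# Return 0 if ldap.conf sets "bind_policy soft", 1 otherwise. With the
# default hard policy nss_ldap keeps retrying a failed connection with
# backoff instead of returning immediately, which is what lets lookups from
# early-boot daemons stall while the LDAP server is not yet reachable.
nss_ldap_bind_policy_soft() {
    conf="$1"
    sed -e 's/#.*//' "$conf" | \
        grep -Eiq '^[[:space:]]*bind_policy[[:space:]]+soft[[:space:]]*$'
}

# Run the two checks against constructed sample files (not a real host).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
EOF
    cat > "$tmp/libnss_ldap.conf" <<'EOF'
# constructed sample nss_ldap configuration
uri ldap://ldap.example.com/
base dc=example,dc=com
bind_policy soft
EOF
    echo "databases consulting ldap:"
    nss_ldap_databases "$tmp/nsswitch.conf"
    if nss_ldap_bind_policy_soft "$tmp/libnss_ldap.conf"; then
        echo "bind_policy soft: set"
    else
        echo "bind_policy soft: NOT set (lookups may block while LDAP is unreachable)"
    fi
    rm -rf "$tmp"
}

demo
```

Note that even with "files" before "ldap", a "files-first" result does not stop nss_ldap being consulted: as the reply above explains, enumerating a user's group memberships has to query every source listed for "group", so the bind_policy check is the one that decides whether an unreachable server stalls those lookups.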