
Re: Unable to login as local user when LDAP master has problem



On Tue, Dec 09, 2008 at 12:26:07PM -0000, sparklings wrote:

> I have about 30 Linux servers, of which one is the LDAP master server and all the others are LDAP clients. All the users who log in to the Linux servers are LDAP users.
> Whenever there is a problem with the LDAP service on the master, I have the following issues.
> 1. LDAP users cannot log in to any of the servers anyway, but even as root or a local user we are unable to log in to any of the client/master servers.
> 2. If I'm already logged in to any of the client servers and there is a problem with the LDAP master service, the server becomes extremely unstable/slow, cannot execute any command, and everything hangs.

This is more an issue with NSS and PAM than with OpenLDAP.

If you only have one LDAP server then you must expect some problems
when it is down. Anything that needs to translate between Unix uids
and usernames is likely to fail or hang. Similarly, logins may fail
or hang until the LDAP service comes back.

You may be able to make root / local-user logins work by changing
the order in which NSS and PAM use the various data-sources. There
may be security issues to changing the order, so make sure you
understand what you are doing and test it well. The NSS and PAM
mailing lists are probably better places to ask about this.

With that many servers depending on LDAP you should certainly be
running at least one slave copy so that clients can continue
working when the master is down.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
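The reply above points at the order in which NSS consults its data sources as the reason root and local users cannot log in while LDAP is down: if `ldap` is listed before `files` in /etc/nsswitch.conf, every lookup (even of root) blocks on the unreachable server first. The following POSIX sh script is an added example written for this thread, not code from either poster; it checks a given nsswitch.conf and reports whether the passwd, group and shadow databases consult local files before LDAP. The two sample configurations it checks are constructed here for illustration and are not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that nsswitch.conf
# consults local files before LDAP for the databases a local login needs.

# nss_local_first CONF DB
# Return 0 if the first line for database DB in CONF lists "files" before
# "ldap" (or does not use ldap at all); return 1 otherwise.
nss_local_first() {
    conf=$1
    db=$2
    line=$(grep "^[[:space:]]*${db}:" "$conf" | head -n 1)
    if [ -z "$line" ]; then
        return 1                      # database not configured at all
    fi
    sources=${line#*:}                # everything after "passwd:" etc.
    pos=0; files_pos=""; ldap_pos=""
    for src in $sources; do           # action tokens like [NOTFOUND=return] are ignored
        pos=$((pos + 1))
        case $src in
            files) if [ -z "$files_pos" ]; then files_pos=$pos; fi ;;
            ldap)  if [ -z "$ldap_pos" ];  then ldap_pos=$pos;  fi ;;
        esac
    done
    if [ -z "$files_pos" ]; then
        return 1                      # local accounts are never consulted
    fi
    if [ -z "$ldap_pos" ]; then
        return 0                      # ldap not used for this database
    fi
    [ "$files_pos" -lt "$ldap_pos" ]
}

# nss_check_all CONF
# Return 0 only if passwd, group and shadow all consult files before ldap.
nss_check_all() {
    for db in passwd group shadow; do
        if ! nss_local_first "$1" "$db"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample: LDAP consulted first, so root lookups hang when it is down.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
passwd:     ldap files
group:      ldap files
shadow:     ldap files
hosts:      files dns
EOF

# Constructed sample: local files first, so local accounts resolve without LDAP.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
EOF

# Stand-alone run: report on both samples (use /etc/nsswitch.conf on a real host).
for c in "$WEAK_CONF" "$FIXED_CONF"; do
    if nss_check_all "$c"; then
        echo "$c: OK, local files are consulted before LDAP"
    else
        echo "$c: WARNING, an LDAP outage will block local logins"
    fi
done
```

Putting `files` first covers point 1 of the question (root and local users). Point 2, the hang of already-logged-in sessions, comes from every uid-to-name lookup waiting on the dead server; with the nss_ldap client the `bind_policy soft`, `bind_timelimit` and `timelimit` settings in /etc/ldap.conf bound that wait, and a second (slave) LDAP server listed in the client configuration, as the reply recommends, is what actually removes the single point of failure. Check the man page of the LDAP client actually installed before relying on those option names.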