Re: Problem setting up OpenLDAP for user authentication
On Wed, 5 Mar 2008, Buchan Milne wrote:
> On Tuesday 04 March 2008 12:45:18 Guennadi Liakhovetski wrote:
> >
> > for "passwd", "group", "shadow". Now I would expect that with sequences
> > ("pam_unix" before "pam_ldap" and "files" before "ldap") indeed locally
> > known users wouldn't be authenticated using ldap.
>
> If it were all just about users, then yes. However, users (either local or in
> LDAP) can be members of groups in LDAP (or, of course local). So, any
> function that lists the groups a user is a member of will invoke nss_ldap.
>
> > Unfortunately, this
> > doesn't seem to be the case. Now _all_ nss / pam requests go to the LDAP
> > server. Including calls from udevd, avahi-daemon, and others, which causes
> > them to fail in various ways.
>
> If you just want to prevent this from delaying bootup, the solution here may
> just be to add:
>
> bind_policy soft
>
> to nss_ldap's ldap.conf (/etc/libnss_ldap.conf on Debian I think).
So far my main problem is not delays in the bootup but failing services,
like avahi-daemon, NetworkManager, gpm, etc. Are they failing because SASL
is not configured? Can I configure LDAP access globally to not use it?
I've set up TLS, so, SASL shouldn't be needed? Or how do I fix it?
Thanks
Guennadi
---
Guennadi Liakhovetski
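
Added example, not part of the original thread: a small check of the two settings discussed above, namely which of "passwd", "group" and "shadow" list "ldap" as a source, and what bind_policy is set to in nss_ldap's configuration. The function names are hypothetical and the sample files are constructed; pass the real nsswitch.conf and nss_ldap config paths as the two arguments.

```shell
#!/bin/sh
# Added example (not from the thread): report which NSS databases consult
# LDAP and what nss_ldap's bind_policy is. Function names are hypothetical.

# Sources configured for database $2 in the nsswitch.conf-style file $1.
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/#.*//' -e 's/[[:space:]]*$//' | tr '\t' ' ' | tr -s ' '
}

# Succeeds if database $2 in file $1 lists "ldap" as a source.
uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Value of bind_policy in the nss_ldap config file $1, or "unset".
bind_policy() {
    awk 'tolower($1) == "bind_policy" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Summary for nsswitch file $1 and nss_ldap config file $2.
report() {
    for db in passwd group shadow; do
        if uses_ldap "$1" "$db"; then
            echo "$db: ldap is consulted (sources: $(nss_sources "$1" "$db"))"
        else
            echo "$db: ldap is not consulted"
        fi
    done
    if uses_ldap "$1" group; then
        echo "note: group-membership lookups for local users also reach nss_ldap"
    fi
    echo "bind_policy: $(bind_policy "$2")"
}

# With two arguments, check real files; otherwise run on constructed samples.
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
else
    tmp=$(mktemp -d)
    printf 'passwd: files ldap\ngroup:\tfiles ldap\nshadow: files\n' > "$tmp/nsswitch.conf"
    printf '# constructed sample\nbind_policy soft\n' > "$tmp/ldap.conf"
    report "$tmp/nsswitch.conf" "$tmp/ldap.conf"
    rm -rf "$tmp"
fi
```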