[389-users] Best practice for user / group authentication
Rob Crittenden
rcritten at redhat.com
Fri May 22 19:45:09 UTC 2009
Dumbo Q wrote:
> I want to use centos-ds 8 for centralized authentication. I believe
> this is derived from fedora-ds 1.1.
>
> I want to know what is the best practice for storing posixgroups. In
> the envent that no DS is available, I want all of my system accounts to
> function as normal. If I use LDAP to store posixgroups, then all
> accounts will hang during login if my DS is down. I understand the
> reason is that even a local user must look at ldap to see what other
> groups this user belongs to.
>
> Is this something I should be concerned with? Or will services that are
> already running before loosing access to DS function as normal? I have
> several processes which use ssh to run commands on other machines. I
> imagine that this will fail, or be extremely delayed waiting for ldap to
> timeout.
> Two things that I could think of which could ease this problem a little.
> 1. Can I set nsswitch to give up on ldap after x seconds? Thus
> allowing local users to login without a major delay.
To ensure you can get into the box when things are in a bad state, add
this to /etc/ldap.conf:
nss_initgroups_ignoreusers root
For time limits, see the nss_ldap man page and look for bind_timelimit
and timelimit. The default for these is 30 seconds an 0 (forever). In
freeIPA we use 5 and 15.
> 2. Can nscd 'not' expire records if it cannot contact ldap?
I'm not sure if nscd is necessarily aware that the data comes from LDAP
so I don't think you can really tune it this way.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090522/1d2c2547/attachment.bin>
More information about the Fedora-directory-users
mailing list