
[K12OSN] LDAP authentication



I recently ran into some troubles with LDAP authentication that brought my server to its knees. While I am sure that a more experienced sysadmin could have avoided or sidestepped these problems, my actions exacerbated the situation.

I have 4 NICs in my server. I took it to another subnet and unplugged the 'main' links. Upon doing so, slapd complained that it would not bind to the new address, or even to the localhost interface. As such, all authentication ground to a halt, and I had to do a forced (untidy) shutdown. This forced shutdown caused filesystem corruption that my knowledge of e2fsck could not rectify (server would lock on 'INIT: booting init 2.63' even after e2fsck reported no errors).

The real stinker came when booting with a rescue CD. Even in this process, each command issued in init level 1 (singleuser) would cause an authentication to be attempted on the LDAP server, which looked like a lockup, as the default is to retry after 4 seconds, then 8, then 16, then 32 and finally 64. 124 seconds is a LONG time to wait for each command to complete when attempting to rescue a system. I'm sure that I could have authconfig'd from the command line, however the long chain of fixing filesystem errors while waiting 124 seconds for every command to complete just so I could mount a volume and do the authconfig just so I could find the ldap database corruption error was one that I realized about halfway through that I did not need to put myself through.

For this reason, I am back to simple shadow authentication with a separate samba database of users. The only benefit which I could see to using LDAP for Samba and system authentication was that I did not have to perform each add/edit/delete operation twice when making user changes. I'm sure that others have more compelling reasons to use LDAP for system-level authentication; however, I don't believe that something as inherently basic to the operation of the server should be handed to a daemon-level tool.

Comments are welcome - I'm hoping to learn something more from this exercise, so please correct me where I am in error, and suggest what I could have done differently.

-Michael

--

If this is my day of harvest, in what fields have I sowed the seed, and in what unremembered seasons?
- Kahlil Gibran


CONFIDENTIALITY NOTICE: This message, and any attachments that may accompany it, contain information that is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If the recipient of this message is not the intended recipient, any disclosure, copying, or other use of this communication or any of the information, which it contains is unauthorized and prohibited. If you have received this message in error, please notify the original sender by return mail and delete this message, along with any attachments, from your computer. Thank you.


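The retry schedule and the rescue-shell stall Michael describes, as an added example that is not part of the original post: a POSIX shell script that estimates the per-lookup stall from a PADL nss_ldap style ldap.conf and checks that nsswitch.conf resolves `files` before `ldap`, so local accounts such as root keep working from /etc/passwd when slapd is down. The sample file contents, host and base DN are constructed; `bind_policy`, `bind_timelimit`, `timelimit` and the `nss_reconnect_*` keys are nss_ldap options, the default values assumed for them (4 s, 64 s, five tries) are the ones that reproduce the 4/8/16/32/64 schedule above, and the "fixed" settings are the assumed mitigation, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits PADL nss_ldap settings for the
# rescue-shell stall described above: every lookup retried with sleeps of 4, 8, 16, 32
# and 64 seconds (124 s in total) while the directory is unreachable. Sample files are
# constructed; the "fixed" settings are the assumed mitigation, not the poster's config.

# Total seconds slept over $3 tries: first sleep $1 s, doubling, capped at $2 s.
reconnect_wait() {
    sleep_s=$1; max_s=$2; tries=$3; total=0; i=0
    while [ "$i" -lt "$tries" ]; do
        total=$((total + sleep_s))
        sleep_s=$((sleep_s * 2))
        if [ "$sleep_s" -gt "$max_s" ]; then sleep_s=$max_s; fi
        i=$((i + 1))
    done
    echo "$total"
}

# First value of key $1 in ldap.conf-style file $2, or default $3 when absent.
conf_value() {
    val=$(awk -v k="$1" '$1 == k { print $2; exit }' "$2")
    echo "${val:-$3}"
}

# Worst-case stall per lookup for one ldap.conf. Assumed nss_ldap defaults: hard bind
# policy, nss_reconnect_sleeptime 4, nss_reconnect_maxsleeptime 64, nss_reconnect_tries 5.
# bind_policy soft makes nss_ldap give up immediately instead of retrying.
ldap_conf_wait() {
    if [ "$(conf_value bind_policy "$1" hard)" = soft ]; then
        echo 0
        return 0
    fi
    reconnect_wait "$(conf_value nss_reconnect_sleeptime "$1" 4)" \
                   "$(conf_value nss_reconnect_maxsleeptime "$1" 64)" \
                   "$(conf_value nss_reconnect_tries "$1" 5)"
}

# "ok" when every passwd/group/shadow line lists files before ldap, else "bad".
# With files first, root and other local accounts resolve from /etc/passwd without
# a directory round trip, so single-user mode keeps working when slapd is down.
nsswitch_files_first() {
    awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            files = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files = 1
                if ($i == "ldap" && !files) bad = 1
            }
        }
        END { print (bad ? "bad" : "ok") }' "$1"
}

# --- constructed sample files -------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/ldap.conf.default" <<'EOF'
# constructed: only host and base, so the nss_ldap retry defaults apply
host 10.0.0.5
base dc=example,dc=org
EOF

cat > "$tmp/ldap.conf.fixed" <<'EOF'
# constructed: fail fast when the directory is unreachable
host 10.0.0.5
base dc=example,dc=org
bind_policy soft
bind_timelimit 5
timelimit 10
EOF

cat > "$tmp/nsswitch.bad" <<'EOF'
passwd: ldap files
group:  ldap files
shadow: ldap files
EOF

cat > "$tmp/nsswitch.good" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF

for f in ldap.conf.default ldap.conf.fixed; do
    echo "$f: up to $(ldap_conf_wait "$tmp/$f") s per lookup while LDAP is unreachable"
done
for f in nsswitch.bad nsswitch.good; do
    echo "$f: files-before-ldap $(nsswitch_files_first "$tmp/$f")"
done
```

The script only reads and reports; it changes nothing. Pointing `ldap_conf_wait` and `nsswitch_files_first` at the live /etc/ldap.conf and /etc/nsswitch.conf before taking a server off its usual subnet shows whether a rescue shell would block on the directory for every command, and the `files ldap` ordering plus `bind_policy soft` is the combination that keeps local logins independent of slapd.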