On 9/22/09, Daniel O'Connor <[email protected]> wrote:
> On Wed, 23 Sep 2009, Erik Norgaard wrote:
>> This sounds like the correct solution, AFAIK it's the same concept as
>> for NIS, first check local files, then ldap. You don't want your root
>> credentials possibly be leaked across the network. On the other hand
>> you don't want or need user accounts in the local files.
>>
>> Default first check local files which is fast, then fall back on ldap
>> if the user is not found.
>
> Actually I wrote them the wrong way, how odd!
> I actually have..
> group: cache ldap files
> passwd: cache ldap files
>
> I think that if it fails ldap, it does so very quickly - it certainly
> did this morning when I rebooted uncleanly.
>
> I believe I did try it as "cache files ldap" but I had some issues, I
> can't recall what they were though. I had quite a bit of difficulty
> getting it to work acceptably so when it did I left it alone :)
>
> On a related note, why is slapd so damn fragile? It's a righteous pain
> in the bum the way you have to run db_recover-X.Y /var/db/openldap-data
> if slapd fails to start.

I run OpenLDAP on a few boxes. I don't recall the power failures or rude shutdowns ever giving me problems... Course, I don't have anything hi-traffic, so I would definitely have time for softupdates to flush to disk before a crash is inevitable.

I've marked this thread, it's been useful already with the '[unavail=continue notfound=continue]' pieces after the ldap dictionary in nsswitch.conf. Now I have another command, db_recover.

> It wouldn't be so bad if it logged anything, but even with full logging
> it gives a very cryptic message and if you have logging disabled (which
> is recommended for performance!) it won't say _anything_.

To have OpenLDAP logging, you have to insert local4.* statements in syslog.conf, touch the given file, and restart syslog. Any logging that OpenLDAP would need to send is then recorded in syslog. Why they picked 4, of 1 through 7, I'm not sure. I'd help you with that, if you'd like.

> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
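The thread's point about nsswitch.conf ordering (local files consulted before ldap, so root lookups never leave the box) is easy to get backwards, as the quoted "cache ldap files" lines show. Below is an added example, not code from anyone in this thread, of a small POSIX sh check that reads nsswitch.conf-style text and reports, per database, whether the "files" source is consulted before "ldap". The two configuration samples are constructed for the example; the "recommended" one uses the `[unavail=continue notfound=continue]` options mentioned above, which the check strips before looking at source order.

```shell
#!/bin/sh
# Constructed sample: the ordering quoted in the thread (ldap before files).
SAMPLE_NSSWITCH='group: cache ldap files
passwd: cache ldap files
hosts: files dns
'

# Constructed sample: local files first, then ldap, with the fallback
# options discussed in the thread so an unreachable slapd does not block lookups.
RECOMMENDED_NSSWITCH='group: files ldap [unavail=continue notfound=continue]
passwd: files ldap [unavail=continue notfound=continue]
hosts: files dns
'

# files_before_ldap DB CONFIG
# Prints "ok" if, for database DB, "files" appears before "ldap" (or ldap is
# not used at all), "bad" if ldap is consulted before the local files, and
# "missing" if CONFIG has no line for DB.
files_before_ldap() {
    db="$1"
    config="$2"
    line=$(printf '%s\n' "$config" | grep "^${db}:" | head -n 1)
    [ -z "$line" ] && { echo missing; return 0; }
    # Drop the "db:" prefix and any [...] option groups, leaving only sources.
    sources=$(printf '%s\n' "$line" | sed -e "s/^${db}:[[:space:]]*//" -e 's/\[[^]]*\]//g')
    pos=0; fpos=0; lpos=0
    for s in $sources; do
        pos=$((pos + 1))
        [ "$s" = files ] && [ "$fpos" -eq 0 ] && fpos=$pos
        [ "$s" = ldap ] && [ "$lpos" -eq 0 ] && lpos=$pos
    done
    if [ "$lpos" -eq 0 ] || { [ "$fpos" -ne 0 ] && [ "$fpos" -lt "$lpos" ]; }; then
        echo ok
    else
        echo bad
    fi
}

# check_config CONFIG: report on the databases that carry credentials.
check_config() {
    config="$1"
    for db in passwd group; do
        printf '%s: %s\n' "$db" "$(files_before_ldap "$db" "$config")"
    done
}

check_config "$SAMPLE_NSSWITCH"
check_config "$RECOMMENDED_NSSWITCH"
```

To run it against a real machine, replace the constructed string with `$(cat /etc/nsswitch.conf)`; "cache" (nscd) entries are ignored by the check, since they only affect caching, not which backend answers first.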
