Daniel Bond wrote:

|> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
|> /usr/local/etc/ldap.conf -> openldap/ldap.conf
|
| I'm not sure if it is correct.
| etc/ldap.conf and etc/openldap/ldap.conf -- different files for
| different purposes.
| etc/nss_ldap.conf -> etc/ldap.conf -- it's correct.
|
| The ldap.conf file is only used for nss_ldap and pam_ldap, so I don't
| suppose it really matters where the config-file resides.
etc/ldap.conf can be used by sudo, for example.
etc/openldap/ldap.conf -- library config.

| You are absolutely correct, when I change *bind_policy* to *hard*, the
| problem goes away, nss_ldap stops whining about contacting server in
| /var/log/auth.log. SSH with pubkey-exchange or password authentication
| also works with bind_policy hard.
Ok. Next.
I'm sorry, but this solution is a little dangerous.
When your ldap server is unreachable, nss_ldap tries to connect again and again and doesn't switch to the next method described in /etc/nsswitch.conf.
For example, if your computer must get its IP over dhcpd, the OS needs the uid for
dhclient and asks nss_ldap for it, but nss_ldap can't connect to the ldap
server, because the computer doesn't have an IP address.
When you are using bind_policy hard, you also need to tune bind_timelimit
and idle_timelimit in ldap.conf and use "files [Status=Action] ldap" in
/etc/nsswitch.conf, where Status and Action must be chosen.
| Although it would be nice to have "bind_policy soft" working properly
Yes. It's a really fine option, but I'm not sure about the source of the problem
(OS version or nss_ldap) and don't know how to debug this issue.
WBR.
Dmitriy
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
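The "files [Status=Action] ldap" advice above hinges on how nsswitch walks its sources. The following is an added example, not code from the thread or from nss_ldap: a small simulator of the nsswitch.conf(5) source/action rules (statuses success, notfound, unavail, tryagain; default action return for success and continue otherwise; a bracket like `[notfound=return]` overriding the default for the preceding source). The `files` table, the `LdapBackend` class with its `max_retries` stand-in for the bind_timelimit budget, and the `lookup` helper are all constructed here for illustration; the LDAP backend never contacts a server and simply reports `unavail` while counting connection attempts.

```python
"""Simulate how nsswitch.conf walks its sources for a passwd lookup.

Added example, not from the original post. Semantics follow nsswitch.conf(5):
each source answers success/notfound/unavail/tryagain; the default action is
return for success and continue for the rest; "[status=action]" after a
source overrides that, and "[!status=action]" applies to every other status.
"""
from typing import Callable, Dict, List, Optional, Tuple

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
Backend = Callable[[str], Tuple[str, Optional[int]]]


def parse_nsswitch_line(line: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """'passwd: files [notfound=return] ldap' -> ('passwd', [(source, actions), ...])."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"no database in nsswitch line: {line!r}")
    tokens = rest.split()
    entries: List[Tuple[str, Dict[str, str]]] = []
    i = 0
    while i < len(tokens):
        source = tokens[i]
        if source.startswith("["):
            raise ValueError(f"action list without a preceding source: {line!r}")
        actions = dict(DEFAULT_ACTIONS)
        i += 1
        # A bracket group may span tokens: "[notfound=return" "unavail=continue]".
        if i < len(tokens) and tokens[i].startswith("["):
            group: List[str] = []
            while i < len(tokens):
                group.append(tokens[i])
                i += 1
                if group[-1].endswith("]"):
                    break
            else:
                raise ValueError(f"unterminated action list: {line!r}")
            for item in " ".join(group).strip("[]").split():
                status, _, action = item.lower().partition("=")
                negate = status.startswith("!")
                status = status.lstrip("!")
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError(f"bad action {item!r} in {line!r}")
                for s in STATUSES:
                    if (s == status) != negate:
                        actions[s] = action
        entries.append((source, actions))
    return db.strip(), entries


def resolve(entries, key: str, backends: Dict[str, Backend]):
    """Walk the sources in order; return (uid or None, [(source, status), ...])."""
    trace: List[Tuple[str, str]] = []
    result: Optional[int] = None
    for source, actions in entries:
        status, value = backends[source](key)
        trace.append((source, status))
        if status == "success":
            result = value
        if actions[status] == "return":
            if status != "success":
                result = None  # "return" on a failure status ends the lookup empty
            break
    return result, trace


# Constructed local account table standing in for /etc/passwd (uids illustrative).
LOCAL_PASSWD = {"root": 0, "dhclient": 65}


def files_backend(name: str) -> Tuple[str, Optional[int]]:
    """Emulate the 'files' source: local entries only."""
    if name in LOCAL_PASSWD:
        return "success", LOCAL_PASSWD[name]
    return "notfound", None


class LdapBackend:
    """Simplified stand-in for nss_ldap with an unreachable server (constructed).

    soft: one connect attempt, then unavail.  hard: keep retrying; max_retries
    stands in for the bind_timelimit budget the thread says must be tuned.
    """

    def __init__(self, bind_policy: str = "hard", max_retries: int = 3) -> None:
        self.bind_policy = bind_policy
        self.max_retries = max_retries
        self.attempts = 0

    def __call__(self, name: str) -> Tuple[str, Optional[int]]:
        budget = self.max_retries if self.bind_policy == "hard" else 1
        self.attempts += budget  # every attempt is a connect() that fails
        return "unavail", None


def lookup(nsswitch_line: str, name: str, bind_policy: str = "hard"):
    """Resolve `name` with a fresh LDAP backend; return (uid, trace, ldap_attempts)."""
    _, entries = parse_nsswitch_line(nsswitch_line)
    ldap = LdapBackend(bind_policy=bind_policy)
    uid, trace = resolve(entries, name, {"files": files_backend, "ldap": ldap})
    return uid, trace, ldap.attempts


if __name__ == "__main__":
    print(lookup("passwd: files ldap", "dhclient"))             # local: LDAP never asked
    print(lookup("passwd: files ldap", "alice"))                # hard: all retries burned
    print(lookup("passwd: files ldap", "alice", "soft"))        # soft: one attempt
    print(lookup("passwd: files [notfound=return] ldap", "alice"))  # LDAP skipped
```

Running it shows the two sides of the trade-off: with `files` first, a local account such as the one dhclient runs as is answered before LDAP is ever contacted, whereas a directory-only account while the server is down costs every retry the hard policy allows. An override like `[notfound=return]` on `files` makes that second case instant but also hides every LDAP user, which is why the Status and Action have to be chosen for the deployment rather than copied.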