--On Monday, February 15, 2016 11:26 AM -0500 Wietse Venema <wie...@porcupine.org> wrote:
But the basic check after getpwnam_r() works only if everything
else in the chain returns an error status instead of "not found".
That may include nsswitch.conf, pam_ldap, pam_sss, sssd, sssd.conf,
and so on. It is very easy for something to lose the distinction
between "error status" and "not found".
For example, with the default nsswitch.conf action of "unavail=continue",
the library will continue with the next source, instead of reporting
the error condition immediately. There may be similar features with sssd.

Zimbra uses LDAP extensively for postfix lookups, and it has always failed
over cleanly for us when LDAP is not available. One wise thing to do is
have more than a single LDAP server configured for lookups, so that if any
specific server is down, well written software (like Postfix) can fail over
without you even having to worry about it. If all your LDAP servers are in
a single DC and susceptible to power outages, it won't help that specific
problem, but if they're spread out where that is not an issue, then it
certainly keeps things flowing smoothly. It also allows for things like
upgrading an LDAP server w/o worrying about the rest of the infrastructure
falling over.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
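Wietse's point above is that the caller of getpwnam_r() has to keep three outcomes apart: entry found, entry definitely absent, and lookup failed for some other reason. The following C program is an added illustration written for this page, not code from Postfix, Zimbra or either author. It wraps getpwnam_r() so that "not found" (return 0 with a NULL result, or ENOENT, which glibc also documents for that case) is reported separately from every other failure, retries on ERANGE, and maps the three outcomes to the delivery decision a mail system should make (deliver, bounce, defer). The enum names, the lookup_user()/user_status()/delivery_action() helpers and the nonexistent user name are all my own inventions; the lookups run against whatever NSS configuration the host has, so the "root" lookup assumes a host with a root account. As Wietse notes, this check only helps if nsswitch.conf, pam/sssd and the LDAP backend actually propagate "unavailable" as an error rather than silently continuing to the next source and ending up with "not found".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Three-way outcome of a passwd lookup (names are mine, not a library API).
 * The point is that NOT_FOUND and ERROR must never collapse into one answer. */
enum lookup_status { LOOKUP_FOUND = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_ERROR = 2 };

/* Look up a user with getpwnam_r(), growing the buffer on ERANGE.
 * On LOOKUP_FOUND, *pwd is filled in and *buf (malloc'ed) must be freed by
 * the caller; on any other status *buf is NULL and *err holds the errno-style
 * code returned by getpwnam_r() (0 when "not found" was signalled by a NULL
 * result rather than by an error code). */
enum lookup_status lookup_user(const char *name, struct passwd *pwd,
                               char **buf, int *err)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t) hint : 1024;
    *buf = NULL;
    *err = 0;

    for (;;) {
        struct passwd *result = NULL;
        char *nbuf;
        int rc;

        if (len > 1024 * 1024) {          /* refuse to grow without bound */
            free(*buf);
            *buf = NULL;
            *err = ERANGE;
            return LOOKUP_ERROR;
        }
        nbuf = realloc(*buf, len);
        if (nbuf == NULL) {
            free(*buf);
            *buf = NULL;
            *err = ENOMEM;
            return LOOKUP_ERROR;
        }
        *buf = nbuf;

        rc = getpwnam_r(name, pwd, *buf, len, &result);
        if (rc == 0 && result != NULL)
            return LOOKUP_FOUND;          /* entry present */
        if (rc == ERANGE) {               /* buffer too small: retry larger */
            len *= 2;
            continue;
        }

        free(*buf);
        *buf = NULL;
        *err = rc;
        /* POSIX: 0 with a NULL result means no such user; glibc also documents
         * ENOENT for that case. Anything else (EIO, EINTR, EMFILE, ENOMEM, or a
         * backend that mapped "server unreachable" to an errno) is an ERROR and
         * must not be reported as "no such user". */
        if (rc == 0 || rc == ENOENT)
            return LOOKUP_NOT_FOUND;
        return LOOKUP_ERROR;
    }
}

/* Status-only wrapper, convenient for callers that do not need the entry. */
int user_status(const char *name)
{
    struct passwd pwd;
    char *buf;
    int err;
    enum lookup_status st = lookup_user(name, &pwd, &buf, &err);
    free(buf);
    return (int) st;
}

/* How a mail system should react: deliver only on FOUND, bounce only on
 * NOT_FOUND, and defer on ERROR so a transient LDAP/sssd outage never turns
 * into a flood of "user unknown" bounces. */
const char *delivery_action(enum lookup_status st)
{
    switch (st) {
    case LOOKUP_FOUND:     return "deliver";
    case LOOKUP_NOT_FOUND: return "bounce: user unknown";
    default:               return "defer: lookup failed, retry later";
    }
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";   /* default is an assumption */
    struct passwd pwd;
    char *buf;
    int err;
    enum lookup_status st = lookup_user(name, &pwd, &buf, &err);

    if (st == LOOKUP_FOUND)
        printf("%s: uid=%u -> %s\n", name, (unsigned) pwd.pw_uid, delivery_action(st));
    else
        printf("%s: %s (rc=%d %s)\n", name, delivery_action(st), err,
               err ? strerror(err) : "none");
    free(buf);
    return 0;
}
```

Run it as `./a.out alice` to see which of the three branches your NSS chain actually produces for a missing user; then stop your LDAP server or sssd and run it again. If the second run still prints "bounce: user unknown" instead of "defer", the distinction is being lost somewhere below getpwnam_r(), which is exactly the failure mode described in the thread.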