[nssldap] Re: disconnected nss_ldap
- From: "Brian J. Murrell" <brian [at] interlinx.bc.ca>
- To: nssldap [at] padl.com
- Subject: [nssldap] Re: disconnected nss_ldap
- Date: Sat, 24 Oct 2009 02:17:32 -0400

On Sat, 2009-10-24 at 01:38 -0400, Brian J. Murrell wrote:
>
> But as soon as the LDAP server is available again, ssh to the node works
> just fine.

I fixed this. This is because of pam_unix's account mode. It wants to
verify the shadow entry when the passwd entry contains an "x" for the
password -- hence my previous thread about fixing this in nss_ldap.
Adding broken_shadow to pam_unix's entry in the account mode works
around it.

> Indeed. My experiments were that even with unlimited, the passwd entry
> for the current, logged in user disappeared. I was going to demonstrate
> on my Ubuntu Karmic laptop but I can't seem to reproduce this here.

I spoke too soon/didn't wait long enough.

Witness my laptop, where I am logged in (as brian), have nscd running
with:

    reload-count unlimited
    positive-time-to-live passwd 60

    $ id brian
    id: brian: No such user

I also have a user "keith" in my LDAP directory mapped into the NSS
passwd map which I was testing with before when I thought it was
working. All this to say that "keith" should definitely be in nscd's
persistent cache as I was executing "id keith" repeatedly, watching for
it to disappear, and now, like the "brian" entry, it has:

    $ id keith
    id: keith: No such user

So for whatever reason, NSCD is expiring entries from its persistent
cache despite the "reload-count unlimited". ~sigh~

b.
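
Added example, not part of the original message: broken_shadow tells pam_unix's account module to ignore errors reading shadow information, so it helps to know which PAM service files carry it. The sketch below reports each pam_unix account entry as `strict` or `broken_shadow`; the function names and the sample configuration are constructed for illustration, and backslash-continued lines are assumed absent.

```shell
#!/bin/sh
# Added example: audit pam_unix account-mode entries for broken_shadow.

# Constructed sample in the style of a PAM service file (not from the post).
sample_pam_config() {
    cat <<'EOF'
# constructed sample, e.g. a common-account style file
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account sufficient pam_ldap.so
auth    required   pam_unix.so nullok
account required   pam_unix.so broken_shadow
EOF
}

# Reads PAM config from the named file(s) or stdin and prints
# "<line-number> strict" or "<line-number> broken_shadow"
# for every account entry that loads pam_unix.so.
check_pam_unix_account() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            type = $1
            sub(/^-/, "", type)                  # "-account" marks an optional module
            if (type != "account") next
            line = $0
            sub(/^[ \t]*-?account[ \t]+/, "", line)
            # the control field is one word or a bracketed [key=value ...] list
            if (line ~ /^\[/) sub(/^\[[^]]*\][ \t]*/, "", line)
            else sub(/^[^ \t]+[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            if (f[1] != "pam_unix.so" && f[1] !~ /\/pam_unix\.so$/) next
            state = "strict"
            for (i = 2; i <= n; i++)
                if (f[i] == "broken_shadow") state = "broken_shadow"
            print NR, state
        }
    ' "$@"
}

# Demonstration on the constructed sample.
sample_pam_config | check_pam_unix_account
```

On a real host, pass the service files to inspect as arguments instead of piping in the sample.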