lists.arthurdejong.org

--disable-nslcd, nssov, and local user lookups




Hey folks,

Recently I've been looking into replacing nslcd with the nssov overlay in
OpenLDAP.  However, I have yet to figure out how to duplicate the
nss_initgroups_ignoreusers functionality.  I've come to view that feature as a
critical piece of the architecture, as it prevents NSS lookups for local users.
This is critical in keeping services running smoothly on the system if/when
the local slapd has problems or the network/upstream LDAP server becomes
unavailable prior to/during a query.  We keep system/daemon users out of LDAP
for this very reason.

Without it, daemonized services can grind to a halt as wait times skyrocket 
(during unnecessary LDAP lookups for the local users) during the aforementioned 
types of outages, due to the fact that lookups get stuck in a blocking wait 
state and/or eventually time out trying to get an answer from LDAP.  Sure, 
setting some low timeouts can help, but not having that option at our disposal 
inevitably results in unnecessary wait times when such outages occur.

I'd be interested to hear what others do to solve this problem.

Cheers,
Ryan
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
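The failure mode Ryan describes (initgroups() for a local daemon account blocking on an unreachable LDAP server) is easy to introduce by forgetting one account when maintaining the nss_initgroups_ignoreusers list by hand. The script below is an added example, not code from the original post or from the nss-pam-ldapd project: it reads a passwd file and an nslcd.conf, treats every account below a chosen UID as a local system account, and reports which of those are not yet listed in nss_initgroups_ignoreusers. Both input files are constructed sample data written to a temporary directory; the hostnames, base DN and UIDs in them are made up. The ALLLOCAL shortcut it recognises is documented in nslcd.conf(5) for nslcd itself, which is what the post is trying to move away from.

```shell
#!/bin/sh
# Added example: verify that every local (non-LDAP) system account is covered by
# nss_initgroups_ignoreusers in nslcd.conf, so initgroups() for those accounts
# never waits on LDAP. Inputs are constructed sample files, not real system data.

TMPD=$(mktemp -d)
PASSWD="$TMPD/passwd"
NSLCD_CONF="$TMPD/nslcd.conf"

# Constructed passwd file: four system accounts and one regular local user.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postfix:x:106:112::/var/spool/postfix:/usr/sbin/nologin
nslcd:x:107:113:nslcd daemon:/var/run/nslcd/:/usr/sbin/nologin
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
EOF

# Constructed nslcd.conf: the ignore list is incomplete on purpose (postfix is missing).
cat > "$NSLCD_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldap://ldap.example.internal/
base dc=example,dc=internal
nss_initgroups_ignoreusers root,daemon
nss_initgroups_ignoreusers nslcd
EOF

# Users already listed; the option may appear several times, comma-separated.
ignored_users() {
  awk '$1 == "nss_initgroups_ignoreusers" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$1" | sort -u
}

# Local accounts with a UID below the threshold (system accounts kept out of LDAP).
local_system_users() {
  awk -F: -v max="$2" '$3 < max { print $1 }' "$1" | sort -u
}

# Local system users NOT covered by nss_initgroups_ignoreusers.
# Args: passwd file, nslcd.conf, UID threshold.
uncovered_users() {
  local_system_users "$1" "$3" > "$TMPD/local"
  ignored_users "$2" > "$TMPD/ignored"
  comm -23 "$TMPD/local" "$TMPD/ignored"
}

# Returns 0 when every local system user is covered, 1 otherwise, printing a
# ready-to-paste config line for the missing ones.
check_coverage() {
  # ALLLOCAL (nslcd.conf(5)) makes nslcd build the list of non-LDAP users itself.
  if grep -Eq '^nss_initgroups_ignoreusers[[:space:]]+ALLLOCAL' "$2"; then
    echo "OK: ALLLOCAL covers every non-LDAP user"
    return 0
  fi
  missing=$(uncovered_users "$1" "$2" "$3")
  if [ -z "$missing" ]; then
    echo "OK: all local users below UID $3 are in nss_initgroups_ignoreusers"
    return 0
  fi
  echo "MISSING: $(echo "$missing" | tr '\n' ' ')"
  echo "suggested: nss_initgroups_ignoreusers $(echo "$missing" | paste -sd, -)"
  return 1
}

# Stand-alone run against the constructed files; reports postfix as uncovered.
check_coverage "$PASSWD" "$NSLCD_CONF" 1000 || true
```

Point the script at the real /etc/passwd and /etc/nslcd.conf and run it from a config-management check or a pre-deploy hook; a non-zero exit means a local account can still trigger an LDAP group lookup during an outage. The UID threshold should match the boundary the site uses between local system accounts and LDAP users (1000 on most Debian-style systems), since only accounts that never live in LDAP should be excluded from the lookup.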