Hi,
I recently set up fedora-ds and managed to configure several FC5 machines to authenticate and get user information from the LDAP server. Unfortunately, the laptop isn't always connected to the network so when it boots up, the process hangs when it tries to start the "message bus". I figure the process blocks when it tries to change UID to that of the dbus user. When the machine isn't connected to the network (ie. no cable and wireless isn't available), the process just hangs.
Any suggestions on fixing this?
Richi Plana wrote:
Hi,
I recently set up fedora-ds and managed to configure several FC5 machines to authenticate and get user information from the LDAP server. Unfortunately, the laptop isn't always connected to the network so when it boots up, the process hangs when it tries to start the "message bus". I figure the process blocks when it tries to change UID to that of the dbus user. When the machine isn't connected to the network (ie. no cable and wireless isn't available), the process just hangs.
Any suggestions on fixing this?
Probably some /etc/nsswitch.conf logic will do the trick, e.g.

    passwd: ldap [NOTFOUND=return] files
    shadow: ldap [NOTFOUND=return] files
    group: ldap [NOTFOUND=return] files

And use /usr/sbin/useradd to add a local (i.e. non-ldap) dbus user.
Hi, All.
On Wed, 2006-07-26 at 00:03 -0600, Richi Plana wrote:
I recently set up fedora-ds and managed to configure several FC5 machines to authenticate and get user information from the LDAP server. Unfortunately, the laptop isn't always connected to the network so when it boots up, the process hangs when it tries to start the "message bus". I figure the process blocks when it tries to change UID to that of the dbus user. When the machine isn't connected to the network (ie. no cable and wireless isn't available), the process just hangs.
Any suggestions on fixing this?
So I've implemented one fix. For some reason, even with /etc/nsswitch.conf configured as follows, FC5 systems still go to LDAP even if a user exists locally (dbus user exists in /etc/passwd):
/etc/nsswitch.conf:

    ...
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    ...

So the solution I applied was to edit /etc/ldap.conf and add the entry "bind_policy hard". This is supposed to make nss_ldap exit after failing a connection attempt (instead of the default infinite retries).
My problem now is that none of my DS users can log on to the newly-started machine. I thought that's what the "Cache User Information" option in system-config-authentication -> Account Information does, but it apparently doesn't. Is there a way to cache LDAP Authentication and Account information so that offline machines will allow logons from LDAP users? Kind of like how WinXP does?
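Added example (not part of the original thread): a small model of how glibc walks an nsswitch.conf source chain, run on the two orderings quoted in the messages above. The per-source statuses are constructed inputs, the function names are hypothetical, and the negated "!STATUS=action" form is not handled.

```python
import re

# glibc defaults: stop on SUCCESS, try the next source on anything else.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_line(line):
    """'passwd: ldap [NOTFOUND=return] files' -> (db, [(service, actions)])."""
    db, _, rest = line.partition(":")
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not chain:
                raise ValueError("action list must follow a service")
            # Bracketed items override the defaults of the preceding service.
            for item in tok.strip("[]").split():
                status, _, action = item.partition("=")
                chain[-1][1][status.upper()] = action.lower()
        else:
            chain.append((tok, dict(DEFAULTS)))
    return db.strip(), chain

def resolve(chain, status_of):
    """Walk the chain for one lookup. status_of maps service -> status.
    Returns (services consulted in order, final status)."""
    consulted, status = [], "NOTFOUND"
    for service, actions in chain:
        status = status_of[service]
        consulted.append(service)
        if actions[status] == "return":
            break
    return consulted, status

if __name__ == "__main__":
    orderings = ["passwd: files ldap",
                 "passwd: ldap [NOTFOUND=return] files"]
    # Constructed scenarios for a lookup of the local dbus account.
    scenarios = {
        "offline, dbus in /etc/passwd": {"files": "SUCCESS", "ldap": "UNAVAIL"},
        "online, dbus only in /etc/passwd": {"files": "SUCCESS", "ldap": "NOTFOUND"},
    }
    for line in orderings:
        _, chain = parse_line(line)
        for name, statuses in scenarios.items():
            print(f"{line!r:45} {name:35} -> {resolve(chain, statuses)}")
```

With ldap listed first, the unreachable server is consulted before the local file, and while the server is reachable [NOTFOUND=return] ends the lookup before files is read. The model does not cover how long an unreachable ldap source takes to report UNAVAIL, which is what the bind_policy setting in /etc/ldap.conf governs.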
Hi, All.
Any suggestions/leads?
On Thu, 2006-07-27 at 10:25 -0600, Richi Plana wrote:
Hi, All.
On Wed, 2006-07-26 at 00:03 -0600, Richi Plana wrote:
I recently set up fedora-ds and managed to configure several FC5 machines to authenticate and get user information from the LDAP server. Unfortunately, the laptop isn't always connected to the network so when it boots up, the process hangs when it tries to start the "message bus". I figure the process blocks when it tries to change UID to that of the dbus user. When the machine isn't connected to the network (ie. no cable and wireless isn't available), the process just hangs.
Any suggestions on fixing this?
So I've implemented one fix. For some reason, even with /etc/nsswitch.conf configured as follows, FC5 systems still go to LDAP even if a user exists locally (dbus user exists in /etc/passwd):
/etc/nsswitch.conf:

    ...
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    ...

So the solution I applied was to edit /etc/ldap.conf and add the entry "bind_policy hard". This is supposed to make nss_ldap exit after failing a connection attempt (instead of the default infinite retries).
My problem now is that none of my DS users can log on to the newly-started machine. I thought that's what the "Cache User Information" option in system-config-authentication -> Account Information does, but it apparently doesn't. Is there a way to cache LDAP Authentication and Account information so that offline machines will allow logons from LDAP users? Kind of like how WinXP does?
Hi Richi,
By any chance, have you checked out pam_ccreds?
James
On Tue, 1 Aug 2006, Richi Plana wrote:
Hi, All.
Any suggestions/leads?
On Thu, 2006-07-27 at 10:25 -0600, Richi Plana wrote:
Hi, All.
On Wed, 2006-07-26 at 00:03 -0600, Richi Plana wrote:
I recently set up fedora-ds and managed to configure several FC5 machines to authenticate and get user information from the LDAP server. Unfortunately, the laptop isn't always connected to the network so when it boots up, the process hangs when it tries to start the "message bus". I figure the process blocks when it tries to change UID to that of the dbus user. When the machine isn't connected to the network (ie. no cable and wireless isn't available), the process just hangs.
Any suggestions on fixing this?
So I've implemented one fix. For some reason, even with /etc/nsswitch.conf configured as follows, FC5 systems still go to LDAP even if a user exists locally (dbus user exists in /etc/passwd):
/etc/nsswitch.conf:

    ...
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    ...

So the solution I applied was to edit /etc/ldap.conf and add the entry "bind_policy hard". This is supposed to make nss_ldap exit after failing a connection attempt (instead of the default infinite retries).
My problem now is that none of my DS users can log on to the newly-started machine. I thought that's what the "Cache User Information" option in system-config-authentication -> Account Information does, but it apparently doesn't. Is there a way to cache LDAP Authentication and Account information so that offline machines will allow logons from LDAP users? Kind of like how WinXP does?
On Tue, 2006-08-01 at 19:20 -0400, James Chamberlain wrote:
Hi Richi,
By any chance, have you checked out pam_ccreds?
Thanks. That did it. With your lead, I found this site:
http://www.flyn.org/laptopldap/laptopldap.html
... that has exactly what people need to configure machines for intermittent connectivity. pam_ccreds happens to be installed in a default FC5 installation. Hopefully the config will make its way into system-config-authentication soon.
--
Richi
389-users@lists.fedoraproject.org