On Wed, 5 Mar 2008, Buchan Milne wrote:
On Tuesday 04 March 2008 12:45:18 Guennadi Liakhovetski wrote:
for "passwd", "group", "shadow". Now I would expect that with sequences ("pam_unix" before "pam_ldap" and "files" before "ldap") indeed locally known users wouldn't be authenticated using ldap.
If it were all just about users, then yes. However, users (either local or in LDAP) can be members of groups in LDAP (or, of course local). So, any function that lists the groups a user is a member of will invoke nss_ldap.
Unfortunately, this doesn't seem to be the case. Now _all_ nss / pam requests go to the LDAP server. Including calls from udevd, avahi-daemon, and others, which causes them to fail in various ways.
If you just want to prevent this from delaying bootup, the solution here may just be to add:
bind_policy soft
to nss_ldap's ldap.conf (/etc/libnss_ldap.conf on Debian I think).
So far my main problem is not delays in the bootup but failing services, like avahi-daemon, NetworkManager, gpm, etc. Are they failing because SASL is not configured? Can I configure LDAP access globally to not use it? I've set up TLS, so, SASL shouldn't be needed? Or how do I fix it?
Thanks
Guennadi
---
Guennadi Liakhovetski
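
An added example, not part of the thread and not nss_ldap's own code: a Python check for the two settings discussed above, that "files" comes before "ldap" for passwd, group and shadow in nsswitch.conf, and that nss_ldap's ldap.conf sets `bind_policy soft`. The sample file contents and the function names are constructed for illustration, and treating the last `bind_policy` line as the effective one is an assumption.

```python
import re

DATABASES = ("passwd", "group", "shadow")
# Constructed sample contents, not taken from the thread or any real host.
SAMPLE_NSSWITCH = """\
passwd:   files ldap
group:    ldap [NOTFOUND=return] files
shadow:   files ldap
"""
SAMPLE_LDAP_CONF = """\
uri ldap://ldap.example.org/
#bind_policy soft
"""

def strip_comment(line):
    return line.split("#", 1)[0].strip()  # both files use '#' comments

def parse_nsswitch(text):
    """Return {database: [source, ...]} with [STATUS=action] criteria removed."""
    table = {}
    for line in text.splitlines():
        db, sep, sources = strip_comment(line).partition(":")
        if sep:
            table[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return table

def bind_policy(text):
    """Return the last bind_policy value set (assumption: last wins), or None."""
    value = None
    for line in text.splitlines():
        parts = strip_comment(line).split()
        if len(parts) >= 2 and parts[0].lower() == "bind_policy":
            value = parts[1].lower()
    return value

def audit(nsswitch_text, ldap_conf_text):
    """List deviations from 'files before ldap' and 'bind_policy soft'."""
    findings = []
    table = parse_nsswitch(nsswitch_text)
    for db in DATABASES:
        src = table.get(db, [])
        if "ldap" in src and ("files" not in src or src.index("files") > src.index("ldap")):
            findings.append(f"{db}: 'files' is not consulted before 'ldap'")
    policy = bind_policy(ldap_conf_text)
    if policy != "soft":
        findings.append(f"bind_policy is {policy or 'unset'}, not 'soft'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NSSWITCH, SAMPLE_LDAP_CONF)))
```

To check a real host, pass the contents of /etc/nsswitch.conf and of nss_ldap's ldap.conf to `audit()` instead of the samples.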