Hi,
I'm having about 30 Linux servers, in which I have one LDAP master server and all the remaining ones are LDAP clients. All the users who log in to the Linux servers are LDAP users. Whenever there is a problem with the LDAP service on the master, I have the following issues:

1. LDAP users anyway cannot log in to any of the servers, but even as root or a local user we are unable to log in to any of the client/master servers.
2. If I'm already logged in to any of the client servers and there is a problem with the LDAP master service, the server becomes extremely unstable/slow, cannot execute any command, and everything hangs.

Could you suggest if I'm missing any setting in the LDAP master or slave? I should not have a problem logging in to the servers as a local/root user even when the LDAP master is down.

Thanks in advance,
Rahul
On Tue, Dec 09, 2008 at 12:26:07PM -0000, sparklings wrote:
> I'm having about 30 Linux servers, in which I have one LDAP master server and all the remaining ones are LDAP clients. All the users who log in to the Linux servers are LDAP users. Whenever there is a problem with the LDAP service on the master, I have the following issues:
>
> 1. LDAP users anyway cannot log in to any of the servers, but even as root or a local user we are unable to log in to any of the client/master servers.
> 2. If I'm already logged in to any of the client servers and there is a problem with the LDAP master service, the server becomes extremely unstable/slow, cannot execute any command, and everything hangs.
This is more an issue with NSS and PAM than with OpenLDAP.
If you only have one LDAP server then you must expect some problems when it is down. Anything that needs to translate between Unix uids and usernames is likely to fail or hang. Similarly, logins may fail or hang until the LDAP service comes back.
You may be able to make root / local-user logins work by changing the order in which NSS and PAM use the various data-sources. There may be security issues to changing the order, so make sure you understand what you are doing and test it well. The NSS and PAM mailing lists are probably better places to ask about this.
With that many servers depending on LDAP you should certainly be running at least one slave copy so that clients can continue working when the master is down.
Andrew
openldap-technical@openldap.org
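The lookup order Andrew refers to lives in /etc/nsswitch.conf: if "ldap" is listed before "files" for passwd, group or shadow, every uid/username translation (and therefore every login, ls -l, or shell startup) waits on the directory before the local files are even read. The script below is an added example, not code from the thread or from OpenLDAP; it audits an nsswitch.conf and reports, per database, whether the local files come first. The two sample configurations it writes to temporary files are constructed for the demonstration, and the function name nss_check is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original thread or of OpenLDAP: audit the
# NSS source order so that root and local users still resolve when the LDAP
# master is down. The nsswitch.conf samples below are constructed.

nss_check() {
    # $1 = path to an nsswitch.conf. Returns 0 when, for each of passwd,
    # group and shadow, "files" (or "compat", which also reads the local
    # files) is consulted before "ldap"; returns 1 otherwise.
    conf=$1
    rc=0
    for db in passwd group shadow; do
        # Source list for this database, comments and the "db:" key stripped.
        srcs=$(awk -v db="$db" '
            { sub(/#.*/, "") }
            $1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }
        ' "$conf")
        local_pos=0
        ldap_pos=0
        i=0
        set -f    # tokens like [NOTFOUND=return] must not be glob-expanded
        for s in $srcs; do
            case "$s" in
                \[*) continue ;;          # action specifier, not a source
            esac
            i=$((i + 1))
            case "$s" in
                files|compat) [ "$local_pos" -eq 0 ] && local_pos=$i ;;
                ldap)         [ "$ldap_pos" -eq 0 ] && ldap_pos=$i ;;
            esac
        done
        set +f
        if [ "$ldap_pos" -ne 0 ] && { [ "$local_pos" -eq 0 ] || [ "$ldap_pos" -lt "$local_pos" ]; }; then
            echo "$db: ldap is consulted before the local files ($srcs)"
            rc=1
        elif [ "$local_pos" -eq 0 ]; then
            echo "$db: no local source found ($srcs)"
            rc=1
        else
            echo "$db: ok ($srcs)"
        fi
    done
    return $rc
}

# Constructed sample: local files first, LDAP second.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
EOF

# Constructed sample: LDAP first, so every lookup waits on the directory.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
passwd:     ldap [NOTFOUND=return] files
group:      ldap files
shadow:     ldap files
hosts:      files dns
EOF

for c in "$GOOD_CONF" "$BAD_CONF"; do
    echo "== $c"
    nss_check "$c" || echo "   root/local logins will wait on LDAP: list files before ldap"
done
```

The same ordering principle applies on the PAM side (pam_unix.so ahead of pam_ldap.so in the auth and account stacks), and the PADL nss_ldap/pam_ldap ldap.conf options bind_policy soft, bind_timelimit and timelimit bound how long a lookup may hang when the server is unreachable; listing the slave Andrew recommends as a second uri there lets clients fail over instead of waiting.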