Dealing with LDAP failure when using it for PAM/NSS?
Posted by Insyte on Server Fault, published 2010-03-23T20:22:29Z
I use a redundant pair of OpenLDAP servers for PAM auth and directory services via NSS. It's been 100% reliable so far, but nothing runs flawlessly forever.
What steps should I take now so I have a fighting chance of recovering from failure of the LDAP server(s)? In my informal testing, it appears that even already authenticated shells are largely useless as all username/uid lookups hang until the directory server comes back.
So far I've come up with only two things:
- Do not use NSS-LDAP and PAM-LDAP on the LDAP servers themselves.
- Create a root-level account on all boxes that only accepts publickey authentication from our local subnet and protect that key well. I'm not sure how much good this would do me as once I'm logged in, I suspect I wouldn't be able to accomplish anything since all the userid lookups would be hanging.
Any other suggestions?
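One concrete thing to check on every client before the directory goes away is the order in which NSS consults its sources and how long the LDAP client will wait before giving up. The POSIX shell script below is an added example, not something from the question or its answers: it audits an nsswitch.conf so that the local `files` source is consulted before `ldap` for the account databases (so root and any local break-glass account resolve without the directory), and it writes a constructed nslcd.conf fragment with bounded timeouts so that lookups fail fast rather than hanging. The sample configuration files are constructed inline; the use of nss-pam-ldapd's nslcd (rather than the older padl nss_ldap `/etc/ldap.conf`) and the specific timeout values are assumptions, not something the question states.

```shell
#!/bin/sh
# Added example (not from the original post): audit NSS source ordering and
# write an nslcd.conf fragment with bounded timeouts. Assumes nss-pam-ldapd.

# Return 0 if every account database in the given nsswitch.conf lists "files"
# before "ldap"; print each offending database and return 1 otherwise.
# Databases that do not mention ldap at all are accepted as-is.
nss_files_first() {
    conf="$1"
    rc=0
    for db in passwd group shadow; do
        line=$(grep -E "^[[:space:]]*$db:" "$conf" | head -n 1)
        if [ -z "$line" ]; then
            echo "$db: no entry in $conf"
            rc=1
            continue
        fi
        sources=${line#*:}          # everything after "passwd:" etc.
        files_pos=-1
        ldap_pos=-1
        i=0
        for src in $sources; do     # word-split on whitespace on purpose
            case "$src" in
                files) [ "$files_pos" -ge 0 ] || files_pos=$i ;;
                ldap)  [ "$ldap_pos" -ge 0 ] || ldap_pos=$i ;;
            esac
            i=$((i + 1))
        done
        if [ "$ldap_pos" -ge 0 ] && { [ "$files_pos" -lt 0 ] || [ "$files_pos" -gt "$ldap_pos" ]; }; then
            echo "$db: ldap is consulted before files (local accounts would hang too)"
            rc=1
        fi
    done
    return $rc
}

# Write a constructed nslcd.conf fragment (assumed nss-pam-ldapd syntax) to
# the given path. The values are illustrative assumptions: short connect and
# search limits so a dead directory returns "not found" quickly, and root
# excluded from supplementary-group lookups so a console/SSH root login does
# not block on LDAP at all.
write_nslcd_fragment() {
    cat > "$1" <<'EOF'
# constructed example fragment, not a complete nslcd.conf
uri ldap://ldap1.example.invalid/ ldap://ldap2.example.invalid/
base dc=example,dc=invalid
bind_timelimit 5
timelimit 5
reconnect_sleeptime 1
reconnect_retrytime 10
nss_initgroups_ignoreusers root
EOF
}

# Bounded lookup for ad-hoc checks: the -1 from `timeout` is the signal that
# NSS itself is hanging, which a plain `getent` call would never return.
lookup_with_deadline() {
    timeout "$1" getent passwd "$2"
}

# Constructed sample nsswitch.conf files for the audit function.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
GOOD_CONF="$tmp/nsswitch.good"
BAD_CONF="$tmp/nsswitch.bad"
cat > "$GOOD_CONF" <<'EOF'
passwd:  files ldap
group:   files ldap
shadow:  files ldap
hosts:   files dns
EOF
cat > "$BAD_CONF" <<'EOF'
passwd:  ldap files
group:   files ldap
shadow:  ldap
EOF

nss_files_first "$GOOD_CONF" && echo "$GOOD_CONF: ok"
nss_files_first "$BAD_CONF" || echo "$BAD_CONF: needs attention"
write_nslcd_fragment "$tmp/nslcd.conf.fragment"
```

Run it against the real `/etc/nsswitch.conf` by calling `nss_files_first /etc/nsswitch.conf`; with `files` first and the timeouts bounded, a root login over the break-glass key resolves locally and ordinary `ls -l` or `id` calls degrade to numeric ids after a few seconds instead of hanging until the directory returns.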
© Server Fault or respective owner