Dumbo Q wrote:
I want to use centos-ds 8 for centralized authentication. I believe
this is derived from fedora-ds 1.1.
I want to know what is the best practice for storing posixgroups. In
the envent that no DS is available, I want all of my system accounts to
function as normal. If I use LDAP to store posixgroups, then all
accounts will hang during login if my DS is down. I understand the
reason is that even a local user must look at ldap to see what other
groups this user belongs to.
Is this something I should be concerned with? Or will services that are
already running before loosing access to DS function as normal? I have
several processes which use ssh to run commands on other machines. I
imagine that this will fail, or be extremely delayed waiting for ldap to
timeout.
Two things that I could think of which could ease this problem a little.
1. Can I set nsswitch to give up on ldap after x seconds? Thus
allowing local users to login without a major delay.
To ensure you can get into the box when things are in a bad state, add
this to /etc/ldap.conf:
nss_initgroups_ignoreusers root
For time limits, see the nss_ldap man page and look for bind_timelimit
and timelimit. The default for these is 30 seconds an 0 (forever). In
freeIPA we use 5 and 15.
2. Can nscd 'not' expire records if it cannot contact ldap?
I'm not sure if nscd is necessarily aware that the data comes from LDAP
so I don't think you can really tune it this way.
rob