krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

Jacky Chan JackyC at umac.mo
Tue Nov 11 21:04:23 EST 2008




Javier Palacios-2 wrote:
>
>>> Only if the flag to change password on next login is enabled on AD
>>> and is honoured by pam-krb5 is the absence of extra admin servers a
>>> problem.
>>
>> What exactly do you mean? pam_krb5 will not allow a change of password
>> on next login when the admin server is down?
>
> Sorry, I didn't explain well. If the admin server is down, there is no
> way to change the password (at least with MIT Kerberos).
> The other point is whether pam-krb5 does follow the change-on-next-login
> thing in the same manner as a Windows workstation does (I have never
> tested that).
> If that is true _and_ the admin server is down, the password cannot be
> changed and the login gets refused. Enable debug on pam-krb5, which is
> not very verbose but allows you to pinpoint some problems.
>

Yes, I see what you mean. And it does have this problem.


Javier Palacios-2 wrote:
>
>>> I think the problem you have is that nscd/nss-ldap allows a single
>>> LDAP server to query. If the configured one is down, only users
>>> already cached are known to the system.
>>
>> Actually, I set two LDAP servers in /etc/ldap.conf.
>
> Last time I looked at that, only one was allowed.
>

If you are using nss_ldap 253, it is allowed to configure more than one
LDAP server in the uri entry:

uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc ldap://w2k3dc3.failover.dc

But you need to set bind_policy to soft to trigger intermediate failover,
instead of waiting for nss_ldap to retry and reconnect until its default
maximum is reached.

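An added example, not code from the thread or from nss_ldap/MIT Kerberos: an offline audit of the two failover settings discussed above (one vs. several LDAP URIs, and bind_policy hard vs. soft in /etc/ldap.conf), plus a look at how many KDCs and admin servers a krb5.conf realm lists, since the first part of the thread notes that password changes fail when the single admin server is down. The sample config texts and host names are constructed for the example; nothing here contacts a server.

```python
"""Offline audit of nss_ldap failover settings (/etc/ldap.conf) and of the
KDC/admin_server layout in krb5.conf.  Example code written for this page;
the config texts and host names below are constructed placeholders."""

import re

# Constructed sample: one LDAP server and the default (hard) bind policy,
# the layout the thread says leaves only nscd-cached users resolvable.
WEAK_LDAP_CONF = """\
base dc=failover,dc=dc
uri ldap://w2k3dc1.failover.dc
# bind_policy not set: nss_ldap defaults to hard
nss_reconnect_tries 10
"""

# Constructed sample: the layout the post recommends for nss_ldap 253.
FIXED_LDAP_CONF = """\
base dc=failover,dc=dc
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc ldap://w2k3dc3.failover.dc
bind_policy soft
"""

# Constructed sample krb5.conf: two KDCs for authentication but a single
# admin_server, which is the host password changes depend on.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FAILOVER.DC

[realms]
    FAILOVER.DC = {
        kdc = w2k3dc1.failover.dc
        kdc = w2k3dc2.failover.dc
        admin_server = w2k3dc1.failover.dc
    }
"""


def parse_ldap_conf(text):
    """Parse nss_ldap's 'key value ...' format: '#' starts a comment, keys are
    case-insensitive, and a key may carry several whitespace-separated values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        values = parts[1].split() if len(parts) > 1 else []
        conf.setdefault(key, []).extend(values)
    return conf


def audit_ldap_conf(text):
    """Return findings for the two failover settings the thread discusses."""
    conf = parse_ldap_conf(text)
    findings = []
    # 'host' is the older nss_ldap form of 'uri'; either may list several servers.
    servers = conf.get("uri", []) + conf.get("host", [])
    if len(servers) < 2:
        findings.append("single LDAP server: if it is down, only nscd-cached users are known")
    # Default is hard: nss_ldap retries/reconnects up to its maximum before it
    # gives up, instead of moving on to the next URI as soft does.
    policy = conf.get("bind_policy", ["hard"])[0].lower()
    if policy != "soft":
        findings.append("bind_policy is %s: lookups block through the reconnect cycle "
                        "instead of failing over to the next uri" % policy)
    return findings


def audit_krb5_conf(text):
    """Per realm in [realms]: the kdc list, the admin_server list, and notes
    on which of them is a single point of failure."""
    section = re.search(r"\[realms\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    result = {}
    if not section:
        return result
    for realm, body in re.findall(r"(\S+)\s*=\s*\{(.*?)\}", section.group(1), re.S):
        kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", body, re.M)
        admins = re.findall(r"^\s*admin_server\s*=\s*(\S+)", body, re.M)
        notes = []
        if len(kdcs) < 2:
            notes.append("single kdc: authentication fails while it is unreachable")
        if not admins:
            notes.append("no admin_server: password changes cannot be performed")
        else:
            # Matches the thread: with the admin server down, a user flagged
            # 'change password at next logon' cannot change it and is refused.
            notes.append("password changes depend on admin_server %s being up" % admins[0])
        result[realm] = {"kdcs": kdcs, "admin_server": admins, "notes": notes}
    return result


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(name, audit_ldap_conf(conf) or ["ok"])
    for realm, info in audit_krb5_conf(SAMPLE_KRB5_CONF).items():
        print(realm, info)
```

Run it as-is to see the weak and fixed ldap.conf side by side; to audit a real host, read /etc/ldap.conf and /etc/krb5.conf into the two audit functions. The nss_ldap parser deliberately collects repeated keys into one list because both repeated `uri` lines and several hosts on one `uri` line are accepted by nss_ldap.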



