[389-users] Best practice for user / group authentication
Dumbo Q
dumboq at yahoo.com
Fri May 22 19:38:05 UTC 2009
I want to use centos-ds 8 for centralized authentication. I believe this is derived from fedora-ds 1.1.
I want to know what is the best practice for storing posixgroups. In the envent that no DS is available, I want all of my system accounts to function as normal. If I use LDAP to store posixgroups, then all accounts will hang during login if my DS is down. I understand the reason is that even a local user must look at ldap to see what other groups this user belongs to.
Is this something I should be concerned with? Or will services that are already running before loosing access to DS function as normal? I have several processes which use ssh to run commands on other machines. I imagine that this will fail, or be extremely delayed waiting for ldap to timeout.
Two things that I could think of which could ease this problem a little.
1. Can I set nsswitch to give up on ldap after x seconds? Thus allowing local users to login without a major delay.
2. Can nscd 'not' expire records if it cannot contact ldap?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090522/6e94ee4c/attachment.htm>
More information about the Fedora-directory-users
mailing list