[389-users] Best practice for user / group authentication

[Dumbo Q]

I want to use centos-ds 8 for centralized authentication.  I believe this is derived from fedora-ds 1.1.

I want to know what is the best practice for storing posixgroups.  In the envent that no DS is available, I want all of my system accounts to function as normal.  If I use LDAP to store posixgroups,  then all accounts will hang during login if my DS is down.  I understand the reason is that even a local user must look at ldap to see what other groups this user belongs to.  

Is this something I should be concerned with?  Or will services that are already running before loosing access to DS function as normal?  I have several processes which use ssh to run commands on other machines.  I imagine that this will fail, or be extremely delayed waiting for ldap to timeout.  
Two things that I could think of which could ease this problem a little.
1.  Can I set nsswitch to give up on ldap after x seconds?  Thus allowing local users to login without a major delay.
2. Can nscd 'not' expire records if it cannot contact ldap?





      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090522/6e94ee4c/attachment.htm>