[Freeipa-devel] [PATCH] Better nss_ldap default configuration
Simo Sorce
ssorce at redhat.com
Wed Apr 2 02:04:28 UTC 2008
On Tue, 2008-04-01 at 21:44 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Better timeout defaults, and also configuration that prevents looking up
> > root (and dirsrv) on ldap so that root logins can never timeout.
> >
> > Simo.
>
> From my meager understanding of nss_ldap this looks ok, just a few
> related questions:
>
> 1. Are you also going to update documentation on other operating systems
> to do something similar?
Each OS has specific options, but I've seen most of them are in better
shape as they use a daemon to handle ldap communication (at least AIX
and HP-UX didn't show the kind of problems I am working around with
this configuration fine tuning).
> 2. What if people, for reasons good or bad, actually want the root
> password to be stored in LDAP?
They are free to change configuration options and pay the
consequences :)
> 3. If DS fails to start will the machine be able to boot at all?
Boot is not a problem, and the changes I made also are useful to avoid
long timeouts in nss_ldap. I am still thinking we should probably use
nscd, for the simple reason it does negative caching and will therefore
further reduce timeouts in the case none of the servers respond.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
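
Added example, not part of the original message or of the patch under discussion: a small audit of an nss_ldap `ldap.conf` for the two properties the thread talks about, bounded timeouts and local-only handling of root and dirsrv. The keywords checked (`timelimit`, `bind_timelimit`, `bind_policy`, `nss_initgroups_ignoreusers`) are standard nss_ldap options, but the thread does not show which ones the patch sets, so their selection, the 10-second threshold and both sample files are assumptions made for this example.

```python
# Added example: audit nss_ldap settings (ldap.conf syntax: "keyword value").
# MAX_SECONDS and the sample files are assumptions made for this example.
MAX_SECONDS = 10                  # assumed upper bound for both time limits
LOCAL_USERS = {"root", "dirsrv"}  # accounts the thread wants kept off LDAP

def parse_ldap_conf(text):
    """Return {keyword: value}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_ldap_conf(text)
    findings = []
    for key in ("timelimit", "bind_timelimit"):
        value = conf.get(key)
        if value is None:
            findings.append(f"{key}: not set, library default applies")
        elif not value.isdigit():
            findings.append(f"{key}: not a number ({value!r})")
        elif int(value) == 0 or int(value) > MAX_SECONDS:
            # 0 is treated as "no limit" here
            findings.append(f"{key}: {value}s is unbounded or above {MAX_SECONDS}s")
    if conf.get("bind_policy", "").lower() != "soft":
        findings.append("bind_policy: not 'soft', failed binds are retried")
    listed = conf.get("nss_initgroups_ignoreusers", "").split(",")
    missing = sorted(LOCAL_USERS - {u.strip() for u in listed})
    if missing:
        findings.append("nss_initgroups_ignoreusers: missing " + ",".join(missing))
    return findings

WEAK = """# constructed sample: long search limit, hard bind policy
timelimit 120
bind_policy hard_open
"""
TUNED = """# constructed sample: short limits, root and dirsrv kept local
timelimit 5
bind_timelimit 5
bind_policy soft
nss_initgroups_ignoreusers root,dirsrv
"""
if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "ok")
```
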