[Freeipa-devel] [PATCH] Better nss_ldap default configuration

Simo Sorce ssorce at redhat.com
Wed Apr 2 02:04:28 UTC 2008

On Tue, 2008-04-01 at 21:44 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Better timeout defaults, and also configuration that prevents looking up 
> > root (and dirsrv) on ldap so that root logins can never timeout.
> > 
> > Simo.
> From my meager understanding of nss_ldap this looks ok, just a few 
> related questions:
> 1. Are you also going to update documentation on other operating systems 
> to do something similar?

Each OS has specific options, but I've seen most of them are in better
shape, as they use a daemon to handle ldap communication; at least AIX
and HP-UX didn't show the kind of problems I am working around with
this configuration fine tuning.

> 2. What if people, for reasons good or bad, actually want the root 
> password to be stored in LDAP?

They are free to change configuration options and pay the
consequences :)

> 3. If DS fails to start will the machine be able to boot at all?

Boot is not a problem, and the changes I made also are useful to avoid
long timeouts in nss_ldap. I am still thinking we should probably use
nscd, for the simple reason it does negative caching and will therefore
further reduce timeouts in the case none of the servers respond.


Simo Sorce * Red Hat, Inc * New York
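The points raised in this exchange (short bind and search timeouts, a soft bind policy, and keeping root and dirsrv out of LDAP lookups so a root login cannot hang on an unreachable server) can be checked mechanically. The script below is an added illustration and is not the patch under discussion nor FreeIPA's own code: it audits an nss_ldap-style `/etc/ldap.conf` for those settings. The directive names (`bind_policy`, `bind_timelimit`, `timelimit`, `nss_initgroups_ignoreusers`) are real nss_ldap options; the 10-second threshold, the sample hostnames and both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA's patch): audit an nss_ldap ldap.conf for the
# timeout and root-lookup settings discussed in the thread.

# Succeed (0) if "root" appears in nss_initgroups_ignoreusers, else fail (1).
# Note: a name in this list may still resolve via nsswitch 'files' first; this
# directive stops the LDAP initgroups query that commonly hangs a root login.
ldap_conf_ignores_root() {
  awk '$1 == "nss_initgroups_ignoreusers" {
         n = split($2, u, ",")
         for (i = 1; i <= n; i++) if (u[i] == "root") found = 1
       }
       END { exit found ? 0 : 1 }' "$1"
}

# Print the effective value of a directive (last occurrence wins), or "unset".
ldap_conf_get() {
  v=$(awk -v k="$2" '$1 == k { val = $2 } END { print val }' "$1")
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Overall verdict: soft bind policy, short timeouts (threshold is an assumption),
# and root excluded from LDAP group lookups.
ldap_conf_ok() {
  f="$1"
  [ "$(ldap_conf_get "$f" bind_policy)" = "soft" ] || return 1
  t=$(ldap_conf_get "$f" bind_timelimit)
  [ "$t" != "unset" ] && [ "$t" -le 10 ] || return 1
  t=$(ldap_conf_get "$f" timelimit)
  [ "$t" != "unset" ] && [ "$t" -le 10 ] || return 1
  ldap_conf_ignores_root "$f"
}

# Constructed sample 1: stock-style configuration that keeps retrying a dead
# server (hard bind policy, no time limits) and still looks root up in LDAP.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample, not a real deployment
uri ldap://ipa.example.test/
base dc=example,dc=test
bind_policy hard
nss_initgroups_ignoreusers dirsrv
EOF

# Constructed sample 2: tuned configuration in the spirit of the thread.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# constructed sample, not a real deployment
uri ldap://ipa.example.test/
base dc=example,dc=test
bind_policy soft
bind_timelimit 5
timelimit 5
nss_initgroups_ignoreusers root,dirsrv
EOF
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

for f in "$WEAK_CONF" "$GOOD_CONF"; do
  if ldap_conf_ok "$f"; then
    echo "$f: ok"
  else
    echo "$f: root login may hang while nss_ldap waits on an unreachable server"
  fi
done
```

The script only inspects configuration; it does not contact an LDAP server. Pairing the tuned settings with nscd, as suggested above, adds negative caching on top, so repeated misses for a dead server are answered from cache rather than each waiting out the timeout.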
