[K12OSN] Tweak to make failover work with ldap.conf and Active Directory

Burroughs, Henry HBurroughs at HHPREP.ORG
Fri Nov 17 15:26:54 UTC 2006


If you have multiple Active Directory (AD) servers using Services for
Unix, failover won't really work if the PDC is offline.  The reason is
that the nss_ldap libraries run with referrals on, so even if you specify the
secondary LDAP server in the config file, the client keeps getting referred
back to the primary LDAP server (which might be offline).  Add the line:
 
Referrals no
 
-----------------
For example, this is my ldap.conf file:
 
host columbia liberty
referrals  no
timelimit 5
bind_timelimit 5
bind_policy soft
base dc=hhp,dc=hhprep,dc=org
binddn ####
bindpw ####
scope sub
ssl no
pam_filter objectClass=User
nss_base_passwd dc=hhp,dc=hhprep,dc=org?sub
nss_base_shadow dc=hhp,dc=hhprep,dc=org?sub
nss_base_group dc=hhp,dc=hhprep,dc=org?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_member_attribute member
 
 
Apparently if you tweak the two time limits (timelimit and bind_timelimit),
you can reduce the delay before the next server is tried.
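As an added illustration (not part of Henry's message or of nss_ldap itself), here is a small Python checker that parses an ldap.conf in the format shown above and reports the settings that would stop failover from working. The sample config and the 10-second "small enough" threshold are constructed for the example.

```python
# Constructed sample modelled on the ldap.conf above (bind credentials masked).
SAMPLE_LDAP_CONF = """\
# nss_ldap client configuration (constructed sample)
host columbia liberty
referrals  no
timelimit 5
bind_timelimit 5
bind_policy soft
base dc=hhp,dc=hhprep,dc=org
binddn ####
bindpw ####
ssl no
"""

MAX_WAIT_SECONDS = 10  # assumed threshold for "short enough" time limits


def parse_ldap_conf(text):
    """Parse nss_ldap's ldap.conf: one 'key value...' per line, '#' comments,
    keys case-insensitive. Returns {lowercased key: raw value string}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def failover_findings(settings):
    """List the problems that keep nss_ldap pinned to an unreachable first host.
    Defaults assumed when a key is absent: referrals on, bind_policy hard."""
    findings = []
    hosts = settings.get("host", "").split()
    if len(hosts) < 2:
        findings.append("only one LDAP host listed; nothing to fail over to")
    if settings.get("referrals", "yes").lower() != "no":
        findings.append("referrals not disabled; AD referrals send the client back to the primary")
    for key in ("timelimit", "bind_timelimit"):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} unset; the wait before trying the next host is long")
        elif not value.isdigit() or int(value) > MAX_WAIT_SECONDS:
            findings.append(f"{key}={value}; keep it small so the next host is tried quickly")
    if settings.get("bind_policy", "hard").lower() != "soft":
        findings.append("bind_policy is hard; lookups block and retry instead of moving on")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_ldap_conf(SAMPLE_LDAP_CONF)) or ["config looks failover-ready"]:
        print(finding)
```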
 
Hope this helps!
 
 
Henry Burroughs
Technology Director
Hilton Head Preparatory School
www.hhprep.org