[K12OSN] LDAP authentication
Michael Blinn
mblinn at peopleplaces.org
Wed Oct 4 13:41:27 UTC 2006
I recently ran into some troubles with LDAP authentication that
brought my server to its knees. While I am sure that a more experienced
sysadmin could have avoided or sidestepped these problems, my actions
exacerbated the situation.
I have 4 NICs in my server. I took it to another subnet and unplugged
the 'main' links. Upon doing so, slapd complained that it would not bind
to the new address, or even to the localhost interface. As such, all
authentication ground to a halt, and I had to do a forced (untidy)
shutdown. This forced shutdown caused filesystem corruption that my
knowledge of e2fsck could not rectify (server would lock on 'INIT:
booting init 2.63' even after e2fsck reported no errors).
The real stinker came when booting with a rescue CD. Even in this
process, each command issued in init level 1 (singleuser) would cause an
authentication to be attempted on the LDAP server, which looked like a
lockup, as the default is to retry after 4 seconds, then 8, then 16,
then 32 and finally 64. 124 seconds is a LONG time to wait for each
command to complete when attempting to rescue a system. I'm sure that I
could have authconfig'd from the command line; however, the long chain of
fixing filesystem errors while waiting 124 seconds for every command to
complete just so I could mount a volume and do the authconfig just so I
could find the ldap database corruption error was one that I realized
about halfway through that I did not need to put myself through.
For this reason, I am back to simple shadow authentication with a
separate samba database of users. The only benefit which I could see to
using LDAP for Samba and system authentication was that I did not have
to perform each add/edit/delete operation twice when making user
changes. I'm sure that others have more compelling reasons to use LDAP
for system-level authentication; however, I don't believe that something
as inherently basic to the operation of the server should be handed to a
daemon-level tool.
Comments are welcome - I'm hoping to learn something more from this
exercise, so please correct me where I am in error, and suggest what I
could have done differently.
-Michael
--
If this is my day of harvest, in what fields have I sowed the seed, and
in what unremembered seasons?
- Kahlil Gibran
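The retry chain the post describes (4, 8, 16, 32, 64 seconds, 124 s in all) is the reconnect backoff of nss_ldap, and the configuration that drives it lives in /etc/ldap.conf. The shell script below is an added example, not code from the post or from the K12OSN list: it computes the worst-case stall of a single NSS lookup from a given ldap.conf text and prints the shipped configuration beside two tightened ones. It assumes the PADL nss_ldap/pam_ldap options bind_policy, nss_reconnect_sleeptime, nss_reconnect_maxsleeptime, nss_reconnect_tries and nss_initgroups_ignoreusers with their upstream defaults (hard, 4, 64, 5); the configuration texts are constructed samples and ldap.example.org is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post). Models the nss_ldap reconnect
# backoff that stalls every lookup when the directory is unreachable, and
# contrasts the shipped /etc/ldap.conf with tightened settings.
#
# Assumed (PADL nss_ldap/pam_ldap ldap.conf options and upstream defaults):
#   bind_policy hard|soft        default hard  (hard = keep retrying)
#   nss_reconnect_sleeptime N    default 4     (first sleep, seconds)
#   nss_reconnect_maxsleeptime N default 64    (cap on the doubled sleep)
#   nss_reconnect_tries N        default 5     (number of sleeps)
# All config texts below are constructed samples; ldap.example.org is a placeholder.

# conf_get "<config text>" <key> <default>: value of the first matching key line.
conf_get() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# ldap_stall_seconds "<config text>": worst-case seconds one NSS lookup
# blocks before nss_ldap gives up. With bind_policy soft it fails at once;
# with hard it sleeps, doubles the sleep up to the cap, `tries` times over.
ldap_stall_seconds() {
    policy=$(conf_get "$1" bind_policy hard)
    if [ "$policy" = soft ]; then
        echo 0
        return 0
    fi
    sleep_s=$(conf_get "$1" nss_reconnect_sleeptime 4)
    max_s=$(conf_get "$1" nss_reconnect_maxsleeptime 64)
    tries=$(conf_get "$1" nss_reconnect_tries 5)
    total=0
    i=0
    while [ "$i" -lt "$tries" ]; do
        total=$((total + sleep_s))
        sleep_s=$((sleep_s * 2))
        if [ "$sleep_s" -gt "$max_s" ]; then
            sleep_s=$max_s
        fi
        i=$((i + 1))
    done
    echo "$total"
}

# Shipped defaults: 4 + 8 + 16 + 32 + 64 = 124 s per lookup, as in the post.
WEAK_CONF=$(cat <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
bind_policy hard
EOF
)

# Still "hard", but the backoff is short: 1 + 2 + 2 = 5 s (the cap applies).
CAPPED_CONF=$(cat <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
bind_policy hard
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_tries 3
EOF
)

# Fail fast, and never ask the directory for root's supplementary groups,
# so a rescue shell keeps working from /etc/passwd and /etc/group.
SOFT_CONF=$(cat <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
bind_policy soft
nss_initgroups_ignoreusers root
EOF
)

# report <label> "<config text>": one summary line per configuration.
report() {
    printf '%-8s bind_policy=%-4s worst-case stall per lookup: %4ss\n' \
        "$1" "$(conf_get "$2" bind_policy hard)" "$(ldap_stall_seconds "$2")"
}

report shipped "$WEAK_CONF"
report capped  "$CAPPED_CONF"
report soft    "$SOFT_CONF"
```

The design point for a rescue scenario is the "soft" variant: with bind_policy soft a lookup that cannot reach the directory returns immediately and NSS falls through to the next source, and nss_initgroups_ignoreusers root keeps root's group enumeration off the directory entirely, so every command in single-user mode resolves root from the local files instead of waiting out the backoff. Listing `files` before `ldap` in /etc/nsswitch.conf is the companion setting that makes that fallback actually reach /etc/passwd and /etc/group.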