[K12OSN] LDAP authentication

Michael Blinn mblinn at peopleplaces.org
Wed Oct 4 13:41:27 UTC 2006


  I recently ran into some troubles with LDAP authentication that 
brought my server to its knees. While I am sure that a more experienced 
sysadmin could have avoided or sidestepped these problems, my actions 
exacerbated the situation.

  I have 4 NICs in my server. I took it to another subnet and unplugged 
the 'main' links. Upon doing so, slapd complained that it would not bind 
to the new address, or even to the localhost interface. As such, all 
authentication ground to a halt, and I had to do a forced (untidy) 
shutdown. This forced shutdown caused filesystem corruption that my 
knowledge of e2fsck could not rectify (server would lock on 'INIT: 
booting init 2.63' even after e2fsck reported no errors).

  The real stinker came when booting with a rescue CD. Even in this 
process, each command issued in init level 1 (singleuser) would cause an 
authentication to be attempted on the LDAP server, which looked like a 
lockup, as the default is to retry after 4 seconds, then 8, then 16, 
then 32 and finally 64. 124 seconds is a LONG time to wait for each 
command to complete when attempting to rescue a system. I'm sure that I 
could have authconfig'd from the command line; however, the long chain of 
fixing filesystem errors while waiting 124 seconds for every command to 
complete just so I could mount a volume and do the authconfig just so I 
could find the ldap database corruption error was one that I realized 
about halfway through that I did not need to put myself through.

  For this reason, I am back to simple shadow authentication with a 
separate samba database of users. The only benefit which I could see to 
using LDAP for Samba and system authentication was that I did not have 
to perform each add/edit/delete operation twice when making user 
changes. I'm sure that others have more compelling reasons to use LDAP 
for system-level authentication; however, I don't believe that something 
as inherently basic to the operation of the server should be handed to a 
daemon-level tool.

Comments are welcome - I'm hoping to learn something more from this 
exercise, so please correct me where I am in error, and suggest what I 
could have done differently.

-Michael

-- 

If this is my day of harvest, in what fields have I sowed the seed, and 
in what unremembered seasons?
- Kahlil Gibran
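An added illustration, not part of Michael's post or of nss_ldap itself: a small Python script that models nss_ldap's reconnect back-off (assumed defaults of 5 retries and a 4 s initial sleep doubling up to a 64 s cap, which reproduce the 124 s described above) and compares a constructed /etc/ldap.conf left at those defaults with one tuned so a rescue shell stays usable when slapd is unreachable. The host and base values are placeholders.

```python
"""Worst-case time one NSS lookup blocks under nss_ldap's reconnect
back-off, computed from /etc/ldap.conf settings (added example)."""

# Constructed ldap.conf fragment that leaves the reconnect knobs at their
# assumed defaults: every lookup can stall for 4+8+16+32+64 = 124 s.
DEFAULT_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
bind_policy hard
"""

# Same fragment tuned for a box that must stay usable without the
# directory: fail fast, retry briefly, and keep root out of LDAP lookups.
HARDENED_LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=org
bind_policy soft
bind_timelimit 5
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_initgroups_ignoreusers root
"""

# Assumed nss_ldap defaults used when a key is absent from the file.
DEFAULTS = {"nss_reconnect_tries": 5,
            "nss_reconnect_sleeptime": 4,
            "nss_reconnect_maxsleeptime": 64}


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; blanks and comments skipped."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings


def worst_case_wait(settings):
    """Seconds a lookup may block: the sleep doubles per retry, capped."""
    tries = int(settings.get("nss_reconnect_tries", DEFAULTS["nss_reconnect_tries"]))
    sleep = int(settings.get("nss_reconnect_sleeptime", DEFAULTS["nss_reconnect_sleeptime"]))
    cap = int(settings.get("nss_reconnect_maxsleeptime", DEFAULTS["nss_reconnect_maxsleeptime"]))
    total = 0
    for _ in range(tries):
        total += min(sleep, cap)   # each retry waits, never beyond the cap
        sleep *= 2
    return total
```

Pairing this with `passwd: files ldap` ordering in /etc/nsswitch.conf keeps local root resolvable from files before any LDAP round-trip is attempted.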

