Speeding local login when LDAP server unavailable
Hi. First of all, Merry Christmas everyone and Happy New Year!
I’m hoping someone could help me to understand the following issues with local Linux logins when LDAP authentication is enabled.
I have a general account “student” in Fedora 15 to enable users to log in locally if a network problem occurs, or if they simply prefer that instead of logging in with their own accounts. Some years ago there was a problem with local logins with ID > 100 but I solved this by editing the /etc/pam.d/system-auth file.
Today I was able to shut down the LDAP server for a few hours and here’s what happens now:
If the Fedora PC has no network connection (either by a disconnected cable or unreachable DHCP server), the local login “student” is ultra fast both in text mode and graphical. How does it bypass LDAP automatically?
If the Fedora PC has a network connection and the LDAP and NFS server (for home folders) is available, everything is OK. Local login with “student” is also ultra fast.
But if the PC is network connected and the server is unavailable, the local login was taking about 55 seconds in text mode and an eternity in graphical mode. Please note that the login with “root” is immediate; this only happens with other local accounts.
I’ve been editing the /etc/pam.d/system-auth and password-auth files (they actually always had the same content), inserting options such as “authinfo_unavail=ignore”, but with no results, and, to tell the truth, I do not really understand all those options and syntax.
The only thing that sped up the local login was when I edited the /etc/nss_ldap.conf file and set both “timelimit” and “bind_timelimit” to 1 instead of the default value. This way I can log in in text mode in about 13 seconds and graphically in just above 1 minute, which was really great compared to my previous situation.
My nsswitch.conf file has the following entries:
passwd: files ldap
shadow: files ldap
group: files ldap
So, why was the root login always so fast, even before I decreased the timelimit and bind_timelimit in nss_ldap.conf, and not the local account “student”?
Thank you very much.
Merry Christmas!
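One way to see which name-service lookup stalls for each account, as an added example that is not part of the original post: it parses the nsswitch.conf entries quoted above and times the passwd lookup and the group-membership lookup (the initgroups step a login performs) for "root" and "student". The function names and the embedded sample are this example's own.

```python
import os
import pwd
import re
import time

# Constructed sample: the three nsswitch.conf entries quoted in the post.
NSSWITCH_SAMPLE = """\
passwd: files ldap
shadow: files ldap
group: files ldap
"""

def parse_nsswitch(text):
    """Return {database: [sources in lookup order]}, dropping comments and [action] items."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)  # e.g. [NOTFOUND=return]
        order[db.strip()] = sources.split()
    return order

def time_lookups(user):
    """Time the passwd lookup and the group-membership lookup for one account."""
    result = {"user": user, "found": False, "getpwnam_s": None, "getgrouplist_s": None}
    start = time.monotonic()
    try:
        entry = pwd.getpwnam(user)
        result["found"] = True
    except KeyError:  # account unknown to every configured source
        entry = None
    result["getpwnam_s"] = time.monotonic() - start
    if entry is not None:
        start = time.monotonic()
        os.getgrouplist(user, entry.pw_gid)  # walks the "group" database sources
        result["getgrouplist_s"] = time.monotonic() - start
    return result

if __name__ == "__main__":
    for db, sources in parse_nsswitch(NSSWITCH_SAMPLE).items():
        print(f"{db}: {' -> '.join(sources)}")
    for account in ("root", "student"):
        print(time_lookups(account))
```

Run it on the affected PC once with the LDAP server reachable and once with it down, passing the contents of /etc/nsswitch.conf to `parse_nsswitch` instead of the sample; the call whose time jumps shows which database is waiting on the "ldap" source.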