Speeding local login when LDAP server unavailable

[dave2011]

Hi. First of all Merry Christmas everyone and Happy New Year !

I’m hoping someone could help me to understand the following issues with local linux logins when LDAP authentication is enabled.
I have a general account “student” in fedora 15 to enable users to login locally if a network problem occurs, or if they simply prefer that instead of logging with their own accounts. Some years ago there was a problem with local logins with ID > 100 but I solved this by editing the /etc/pam.d/system-auth file.

Today I was able to shutdown the ldap server for a few hours and here’s what happens now:
If the fedora pc has no network connection (either by a disconnected cable or unreachable DHCP server), the local login “student” is ultra fast both in text mode and graphical. How does it bypass ldap automaticaly?

If the fedora pc has a network connection and the LDAP and nfs server (for home folders) is available, everything is ok. Local login with “student” is also ultra fast.

But if the pc is network connected and the server is unavailable, the local login was taking about 55 seconds in text mode and an eternity in graphical mode. Please note that the login with “root” is immediate, this only happens with other local accounts.
I’ve been editing the /etc/pam.d/system-auth and password-auth (they actually always had the same content) inserting options such as “authinfo_unavail=ignore” but no results, and I to tell the truth, I do not really understand all those options and syntax.

The only thing that speed up the local login was when I’ve edited the /etc/nss_ldap.conf file and set both
“timelimit” and “bind_timelimit” to 1 instead of the default value. This way I can login in text mode in about 13 seconds and graphically in just above 1 minute, which was really great, compared to my previous situation.

My nsswitch.conf file has the following entries:
…
passwd: files ldap
shadow: files ldap
group: files ldap
…

So, why the root login was always so fast, even before I decreased the timelimit and bind_timelimit in nss_ldap.conf, and not the local account “student” ?
Thank you very much.
Merry Christmas !
Regards
Dave

[smr54]

Not sure if it's the same problem that's been around for years with RH, but if so, you might be able to fix it with changing

bind_policy hard (which may be commented out) and change it to bind_policy soft (without a comment sign), in /etc/nss_ldap.conf.

[dave2011]

Quote:

Originally Posted by smr54

Not sure if it's the same problem that's been around for years with RH, but if so, you might be able to fix it with changing

bind_policy hard (which may be commented out) and change it to bind_policy soft (without a comment sign), in /etc/nss_ldap.conf.

Thanks for the reply. bind_policy is set to soft from the beginning.
As I said, the only thing that improved the login time was setting timelimit and bind_timelimit to 1.
It seems to me that if the workstations have network connection, they always try to get to the server first.