Dealing with LDAP failure when using it for PAM/NSS?

Posted by Insyte on Server Fault See other posts from Server Fault or by Insyte
Published on 2010-03-23T20:22:29Z Indexed on 2010/03/23 20:33 UTC
Read the original article Hit count: 226

Filed under:

nss

|

ldap

|

pam

I use a redundant pair of OpenLDAP servers for PAM auth and directory services via NSS. It's been 100% reliable so far, but nothing runs flawlessly forever.

What steps should I take now so I have a fighting chance of recovering from failure of the LDAP server(s)? In my informal testing, it appears that even already authenticated shells are largely useless as all username/uid lookups hang until the directory server comes back.

So far I've come up with only two things:

Do not use NSS-LDAP and PAM-LDAP on the LDAP servers themselves.
Create a root-level account on all boxes that only accepts publickey authentication from our local subnet and protect that key well. I'm not sure how much good this would do me as once I'm logged in, I suspect I wouldn't be able to accomplish anything since all the userid lookups would be hanging.

Any other suggestions?

© Server Fault or respective owner

Related posts about nss

Command line mode only -- successful login only brings me back to login screen

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
whenever I log in the screen goes black, I see a glimpse of terminal-esque text, and then it brings me back to the log in screen (Ubuntu 12.04). I can enter and log in via the command line. The guest account works find. I think this happened because I edited some Xorg related file trying to make… >>> More
SSLsample in NSS

as seen on Stack Overflow - Search for 'Stack Overflow'
Since the latest version of NSS does not provide the SSLSample program, I copied the folder SSLSample from the older version of NSS (3.9, 3.12) to the /security/nss/cmd folder inside nss-3.12.4 . When I run make nss_build_all in my 3.12.4, the other programs generated its own binary but not my SSLSample… >>> More
How to export ECC key and Cert from NSS DB and import into JKS keystore and Oracle Wallet

as seen on Oracle Blogs - Search for 'Oracle Blogs'
How to export ECC key and Cert from NSS DB and import into JKS keystore and Oracle Wallet In this blog I will write about how to extract a cert and key from NSS Db and import it to a JKS Keystore and then import that JKS Keystore into Oracle Wallet. 1. Set Java Home I pointed… >>> More
Django, LDAP & 'NSS Certificate DB' unable to login

as seen on Server Fault - Search for 'Server Fault'
I am trying to connect to a remote ldap server. After the authenticate(), the terminal asks me about a pin, password of pass phrase for security token 'NSS Certificate DB'. What is this? The LDAP server OS is CentOS. Django + django-auth-ldap In [1]: from django_auth_ldap.backend import LDAPBackend In… >>> More
How to replace nss with new version 11.10 64bit

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I need a specific version of NSS 3.12.4. I have a simple java crypto (Sun-pkcs11) test and it works with the default nss setup from Ubuntu 11. (pointing to /usr/lib/x86_64-linux-gnu where all the libnss*.so files live) But when I point specifically to the custom 3.12.4 lib folder, it doesn't work… >>> More

Related posts about ldap

NetApp FAS 2040 LDAP Win2k8R2

as seen on Server Fault - Search for 'Server Fault'
I am trying to get my FAS2040 to action user lookups using LDAP, below is the filer configuration options: filer> options ldap ldap.ADdomain dc1.colour.domain.local ldap.base OU=Users,OU=something1,OU=something2,OU=darkside,DC=colour,DC=domain,DC=local ldap.base… >>> More
Ubuntu 12.04 Preseed LDAP Config

as seen on Server Fault - Search for 'Server Fault'
I'm trying to deploy Ubuntu 12.04 via xCAT, everything works except the automatic configuration of LDAP, the preseed file is read but the file /etc/nsswitch is not written properly. My Preseed File: [...] ### LDAP Setup nslcd nslcd/ldap-bindpw password ldap-auth-config ldap-auth-config/bindpw password ldap-auth-config… >>> More
NetApp FAS 2040 LDAP Win2k8R2

as seen on Server Fault - Search for 'Server Fault'
I am trying to get my FAS2040 to action user lookups using LDAP, below is the filer configuration options: filer> options ldap ldap.ADdomain dc1.colour.domain.local ldap.base OU=Users,OU=something1,OU=something2,OU=darkside,DC=colour,DC=domain,DC=local ldap.base… >>> More
Apache+LDAP auth on Ubuntu says "Can't contact LDAP server" while ldapsearch is perfect

as seen on Server Fault - Search for 'Server Fault'
Hi Gurus, I'm migrating from an existing apache+LDAP+mysql+php server to a new hardware platform. Old server is running Debian Lenny, which I have no config documentation available (was done by previous sysadmin); New server is running Ubuntu 10.04.2 LTS 32bit. After installing Apache and configured… >>> More
Spring security ldap: no declaration can be found for element 'ldap-authentication-provider'

as seen on Stack Overflow - Search for 'Stack Overflow'
Following the spring-security documentation: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ldap.html I am trying to set up ldap authentication (very simple - just need to know if a user is authenticated or not, no authorities mapping needed) and have put this in my applicationContext-security… >>> More