Fedora directory users - May 2009 - [389-users] Best practice for user / group authentication

I want to use centos-ds 8 for centralized authentication.  I believe this is
derived from fedora-ds 1.1.

I want to know what is the best practice for storing posixgroups.  In the envent
that no DS is available, I want all of my system accounts to function as
normal.  If I use LDAP to store posixgroups,  then all accounts will hang during
login if my DS is down.  I understand the reason is that even a local user must
look at ldap to see what other groups this user belongs to. 

Is this something I should be concerned with?  Or will services that are already
running before loosing access to DS function as normal?  I have several
processes which use ssh to run commands on other machines.  I imagine that this
will fail, or be extremely delayed waiting for ldap to timeout. 
Two things that I could think of which could ease this problem a little.
1.  Can I set nsswitch to give up on ldap after x seconds?  Thus allowing local
users to login without a major delay.
2. Can nscd ''not'' expire records if it cannot contact ldap?

Dumbo Q wrote:
> I want to use centos-ds 8 for centralized authentication.  I believe 
> this is derived from fedora-ds 1.1.
> 
> I want to know what is the best practice for storing posixgroups.  In 
> the envent that no DS is available, I want all of my system accounts to 
> function as normal.  If I use LDAP to store posixgroups,  then all 
> accounts will hang during login if my DS is down.  I understand the 
> reason is that even a local user must look at ldap to see what other 
> groups this user belongs to. 
> 
> Is this something I should be concerned with?  Or will services that are 
> already running before loosing access to DS function as normal?  I have 
> several processes which use ssh to run commands on other machines.  I 
> imagine that this will fail, or be extremely delayed waiting for ldap to 
> timeout. 
> Two things that I could think of which could ease this problem a little.
> 1.  Can I set nsswitch to give up on ldap after x seconds?  Thus 
> allowing local users to login without a major delay.
To ensure you can get into the box when things are in a bad state, add 
this to /etc/ldap.conf:

nss_initgroups_ignoreusers root

For time limits, see the nss_ldap man page and look for bind_timelimit 
and timelimit. The default for these is 30 seconds an 0 (forever). In 
freeIPA we use 5 and 15.
> 2. Can nscd ''not'' expire records if it cannot contact
ldap?
I''m not sure if nscd is necessarily aware that the data comes from LDAP
so I don''t think you can really tune it this way.

rob