Comment 8 for bug 253937

Steve Langasek (vorlon) wrote :

Nothing looks amiss in the PAM or NSS configs. From the description, this is not a PAM problem at all, but an nss_ldap one: it's not the authentication which fails, but the resolution of users and groups afterwards.

I believe the relevant section of /etc/ldap/ldap.conf is this:

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

Note that, per nss_ldap(5), the default time limit on connections to the LDAP server (the bind_timelimit) is 30 seconds. That's a 30 second timeout for *each* process that needs to look up a username or group name. If you are concerned about usability when the LDAP server is unavailable, you probably want to lower this timeout or run a cache such as nscd. (The libnss-ldap package Recommends: nscd).
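An added example, not part of the bug report or of the nss_ldap package: a small POSIX sh script that reads an nss_ldap-style ldap.conf, applies the nss_ldap(5) defaults for keywords that are commented out (as bind_timelimit is in the fragment above), and reports how long a single process may block on an unreachable server. The function names (ldap_conf_get, nss_lookup_worst_case, report_ldap_conf) and the sample config written to a temp file are constructed for this example; the defaults it applies (bind_timelimit 30, bind_policy hard) are the ones stated in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report or from nss_ldap): inspect an
# nss_ldap-style ldap.conf and report the effective connection-timeout
# settings, applying nss_ldap(5) defaults for anything commented out.

# Return the effective value of one keyword from a config file.
# Lines starting with '#' are comments, so "#bind_timelimit 30" sets
# nothing; only the last uncommented occurrence counts. Falls back to
# the default given as the third argument.
ldap_conf_get() {
    # $1 = config file, $2 = keyword, $3 = default when unset
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        $1 == key        { v = $2 }        # last match wins
        END              { if (v != "") print v }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Worst-case seconds one process may block on an unreachable LDAP
# server before nss_ldap gives up on the connect. With bind_policy hard
# the client keeps retrying, so the wait has no fixed bound and the
# function reports "unbounded" instead of a number.
nss_lookup_worst_case() {
    # $1 = config file
    policy=$(ldap_conf_get "$1" bind_policy hard)
    limit=$(ldap_conf_get "$1" bind_timelimit 30)
    if [ "$policy" = "soft" ]; then
        printf '%s\n' "$limit"
    else
        printf '%s\n' "unbounded"
    fi
}

# Print a short report for a config file, including whether nscd is
# running so that lookups are cached instead of each process paying
# the timeout itself.
report_ldap_conf() {
    printf 'bind_policy    = %s\n' "$(ldap_conf_get "$1" bind_policy hard)"
    printf 'bind_timelimit = %s\n' "$(ldap_conf_get "$1" bind_timelimit 30)"
    printf 'idle_timelimit = %s\n' "$(ldap_conf_get "$1" idle_timelimit 'not set')"
    printf 'worst-case wait per lookup (seconds): %s\n' "$(nss_lookup_worst_case "$1")"
    if command -v nscd >/dev/null 2>&1 && pgrep -x nscd >/dev/null 2>&1; then
        echo "nscd: running (lookups cached)"
    else
        echo "nscd: not running (every process waits out the timeout itself)"
    fi
}

# Constructed sample mirroring the fragment quoted in the comment.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# Bind/connect timelimit
#bind_timelimit 30
bind_policy soft
#idle_timelimit 3600
EOF

report_ldap_conf "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against the real file with report_ldap_conf /etc/ldap/ldap.conf; a report showing bind_policy hard, or a bind_timelimit of 30 with nscd not running, is the configuration the comment describes as painful when the LDAP server is down.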