On Wed, 2008-08-27 at 18:19 -0400, Stephen Harris wrote:
> On Wed, Aug 27, 2008 at 05:07:26PM -0400, Mark Hennessy wrote:
> > With networking, no trouble at all, but with those timeouts of 30
> > seconds and without those changes to nsswitch.conf, it takes a while
> > for the first root login to succeed even though it is using local auth.
>
> If you have ldap groups and the ldap server isn't reachable then logins
> _can_ take a long time (depending on why the ldap server isn't reachable;
> if a "telnet ldapserver ldap" returns immediately then it shouldn't) because
> a login has to go through _every_ group to determine if you're in the
> group or not.
>
> It doesn't do a "getent group blah" it does the equivalent of
>   while (getgrent())
>   {
>   }
> which means it tries to parse the whole local _and_ ldap group entries.
>
> It needs to do this to get your secondary group list.
>
> Even root would need to do this.

----

That's why I suggested the changes to /etc/ldap.conf to time limit and to tell it not to bother with certain users.

Craig
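The enumeration described in the quoted reply, written out as an added example (not code from the thread or from any login program): the loop has to read every group entry to find the ones that name the user. The function names and the sample group data are constructed for illustration, and `fgetgrent()`/`fmemopen()` assume glibc.

```c
#define _GNU_SOURCE            /* fgetgrent() and fmemopen() on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample in /etc/group format (not taken from the thread). */
static char SAMPLE[] =
    "root:x:0:\n"
    "wheel:x:10:root,mark\n"
    "staff:x:50:mark\n"
    "ldapusers:x:5000:mark,stephen\n";

/* Collect the gids that list `user`. src == NULL: enumerate through NSS (every
 * group source in nsswitch.conf); otherwise read that stream. *scanned = entries read. */
static int secondary_groups(FILE *src, const char *user, gid_t *out, int max, int *scanned)
{
    struct group *g;
    int found = 0;
    *scanned = 0;
    if (!src) setgrent();
    while ((g = src ? fgetgrent(src) : getgrent()) != NULL) {
        (*scanned)++;                      /* paid for even when nothing matches */
        for (char **m = g->gr_mem; *m; m++)
            if (strcmp(*m, user) == 0) {
                if (found < max) out[found] = g->gr_gid;
                found++;
                break;
            }
    }
    if (!src) endgrent();
    return found;
}

static int sample_groups(const char *user, gid_t *out, int max, int *scanned)
{
    FILE *f = fmemopen(SAMPLE, sizeof SAMPLE - 1, "r");   /* offline input */
    int n = f ? secondary_groups(f, user, out, max, scanned) : -1;
    if (f) fclose(f);
    return n;
}

int main(void)
{
    gid_t gids[64];
    int scanned, n = secondary_groups(NULL, "root", gids, 64, &scanned);
    printf("root: %d secondary groups, %d entries enumerated via NSS\n", n, scanned);
    return 0;
}
```

The `scanned` count is the same for every user, whether they belong to three groups or none, which is why the delay applies to root as well.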