Re: Detailed move timeline

On Thu, 2009-12-10 at 16:04 -0500, Owen Taylor wrote:
>  * To make sure that we can get edit DNS as soon as possible,
>    verify that can be logged into by sysadmins:
>    - Without LDAP running
>    - With /home/users unmounted
>    This may require reconfiguring the NSS configuration.

To test, I added the temporarily added rule:

 -A RH-Firewall-1-INPUT -s -m tcp -p tcp --dport 389 -j REJECT

to /etc/sysconfig/iptables on and restarted the iptables
service, and then unmounted /home/users on menubar.

I was initially unable to SSH in to menubar, but by adding:

 nss_initgroups_ignoreusers root,otaylor

To /etc/ldap.conf on menubar, I was then successfully able to ssh in. The
downside of the above is my LDAP groups aren't propagated to menubar, but
not a big problem for now. The other obvious downside is that only I'm listed

I tried experimenting some with other ldap.conf options to see if I
could get it to transparently fall back without having to do the above,
but didn't have any immediate luck. Probably just takes more research
and reading of the nss_ldap man page.

- Owen

[ Also addded the nss_initgroups_ignoreusers on,
  since that's the other server that is really depended on throughout
  the cluster ]

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]