LDAP client: dealing with timeouts

In my homelab, I run an OpenLDAP server, and services on the localhost use it to manage access and permissions for network filesystems (e.g. NFSv4 and Samba). I had previously done this by setting up slapd and running pam_ldap and nss_ldap as per the FreeBSD docs. However, the boot time of my server had long suffered: slapd tried to start as user ldap:ldap, nss_ldap attempted to look that user up in LDAP, the lookup failed, and it timed out after 5 minutes.

Recently I found out about nss-pam-ldapd, which tries to improve upon both nss_ldap and pam_ldap. I've found nss-pam-ldapd to be much more robust in how it responds, and I don't have to worry about timeouts and caches anymore.

As a bonus, the 4-minute timeout that I used to get when starting one of the jails that depended on LDAP at startup is gone too!

nss-pam-ldapd has fantastic documentation, and I followed it carefully to set up my /usr/local/etc/nslcd.conf file, paying special attention to bind_timelimit, timelimit, and reconnect_retrytime (see the nslcd.conf(5) manpage).

uid nslcd
gid nslcd

uri ldap://topoli.home.lan/
ldap_version 3
base dc=home,dc=lan
#binddn cn=root,dc=home,dc=lan
#bindpw secret

bind_timelimit 3
timelimit 5
reconnect_retrytime 5

nss_initgroups_ignoreusers ALLLOCAL
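As an added example (not from the post), here is a small Python script that parses an nslcd.conf in the format above and flags the settings worth checking: the three timeouts (defaults taken from nslcd.conf(5)), an active cleartext bindpw, and a plain ldap:// URI with ssl left off. The embedded sample config and the 30-second threshold are my own assumptions.

```python
"""Audit an nslcd.conf for the settings the post singles out: the three
timeouts and whether the file carries a cleartext bind credential."""
import re

# Defaults from nslcd.conf(5); a timelimit of 0 means "wait indefinitely".
DEFAULTS = {"bind_timelimit": 10, "timelimit": 0, "reconnect_retrytime": 10}

# Constructed sample modelled on the post's config (not read from disk).
SAMPLE_CONF = """\
uri ldap://topoli.home.lan/
ldap_version 3
base dc=home,dc=lan
#binddn cn=root,dc=home,dc=lan
#bindpw secret
bind_timelimit 3
timelimit 5
reconnect_retrytime 5
nss_initgroups_ignoreusers ALLLOCAL
"""

def parse_nslcd_conf(text):
    """Map active option names (lower-cased) to values; comments and blank
    lines are skipped, and a repeated option keeps its last value."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        opts[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return opts

def audit(text, max_wait=30):
    """Return a list of findings; an empty list means nothing to flag."""
    opts = parse_nslcd_conf(text)
    findings = []
    for name, default in DEFAULTS.items():
        value = int(opts.get(name, default))
        if name == "timelimit" and value == 0:
            findings.append("timelimit 0: searches wait indefinitely if the server hangs")
        elif value > max_wait:
            findings.append(f"{name} {value}s exceeds {max_wait}s; lookups can stall boot and logins")
    if "bindpw" in opts:
        findings.append("bindpw set: file holds a cleartext credential, keep it mode 0600 root-owned")
    # Plain ldap:// with ssl off (the default) sends the bind password unencrypted.
    if opts.get("uri", "").startswith("ldap://") and opts.get("ssl", "off") == "off":
        findings.append("uri is ldap:// without ssl start_tls: no TLS on the wire")
    return findings
```

Running audit(SAMPLE_CONF) on the post's own settings reports only the missing TLS, since all three timeouts are short and bindpw is commented out.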

Then I set up /etc/pam.d/system like so.

auth      sufficient  pam_opie.so     no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so   no_warn allow_local
auth      sufficient  /usr/local/lib/pam_ldap.so      minimum_uid=10000
auth      required    pam_unix.so     no_warn try_first_pass nullok

account       required    pam_login_access.so
account       sufficient  /usr/local/lib/pam_ldap.so      minimum_uid=10000
account       required    pam_unix.so

session       required    pam_lastlog.so      no_fail

password  required    pam_unix.so     no_warn try_first_pass
password  sufficient  /usr/local/lib/pam_ldap.so      minimum_uid=10000

I have set minimum_uid to 10000 to match my slapd config.

To round it all out, here's my /usr/local/etc/slapd.conf.

include       /usr/local/etc/openldap/schema/core.schema
include       /usr/local/etc/openldap/schema/cosine.schema
include       /usr/local/etc/openldap/schema/inetorgperson.schema
include       /usr/local/etc/openldap/schema/nis.schema

pidfile       /var/run/openldap/slapd.pid
argsfile  /var/run/openldap/slapd.args

modulepath    /usr/local/libexec/openldap
moduleload    back_mdb

database  mdb
maxsize       1073741824
suffix        "dc=home,dc=lan"
rootdn        "cn=root,dc=home,dc=lan"
rootpw        secret

directory /var/db/openldap-data

index objectClass eq
index   cn,uid,memberUid,uniqueMember,gidNumber pres,eq

logfile /var/log/slapd.log
loglevel none

Make sure to set your own access directives, and replace the rootdn and the cleartext rootpw shown above with your own values. When setting things up, I recommend starting with no access controls and adding them later.

And here's my /usr/local/etc/openldap/ldap.conf.

BASE  dc=home,dc=lan
URI   ldap://topoli.home.lan

To find out what each line means, see slapd.conf(5) and ldap.conf(5).

(C) 2015-2021 Armin Moradi. CC-BY-SA 4.0. Proudly built with Org-mode and Pandoc