How to get PAM LDAP local logins to work when networking is down


I recently ran into an issue where my servers using LDAP logins became inaccessible on the console during a network outage. It turns out this was because the LDAP client kept trying to reconnect to the server indefinitely, which caused the login process to time out and locked me out of the machine. The fix was to set a few nss_reconnect_* entries in /etc/ldap.conf, which apparently are undocumented.

Here are the relevant lines of my /etc/ldap.conf:

timelimit 120
bind_timelimit 120
idle_timelimit 3600
# Added to permit console login during network outages.
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1

I was able to find some pretty terse documentation in the source which at least explains that these variables adjust the parameters of LDAP connection retries. In the above configuration all servers are tried 2 times with a 1 second sleep between tries.

nss_reconnect_tries 5         # no. of times to double the sleep time
nss_reconnect_sleeptime 4     # initial sleep value
nss_reconnect_maxsleeptime 64 # max sleep value to cap at
nss_reconnect_maxconntries 2  # how many tries before sleeping
# This leads to a delay of 124 seconds (4+8+16+32+64=124)
# per lookup if the server is not available.
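To see how these four settings turn into a worst-case login delay, here is an added Python model (not code from nss_ldap or from this post) that parses ldap.conf-style lines and replays the back-off schedule the commented block describes: the sleep starts at nss_reconnect_sleeptime, doubles on each of nss_reconnect_tries rounds and is capped at nss_reconnect_maxsleeptime, with nss_reconnect_maxconntries connection attempts per round. The two configuration strings are the post's own settings, embedded here as sample input; the interpretation of the parameters is an assumption taken from the comments above, and the per-attempt connect timeouts (bind_timelimit) are not included in the figure, just as they are not in the page's 124 seconds.

```python
"""Model the nss_ldap reconnect back-off described in the ldap.conf comments.

Added illustration, not nss_ldap's own code.  Assumed schedule: after each
round of nss_reconnect_maxconntries connection attempts the client sleeps;
the sleep begins at nss_reconnect_sleeptime seconds, doubles every round, is
capped at nss_reconnect_maxsleeptime, and there are nss_reconnect_tries rounds.
"""

# Defaults quoted in the page's commented configuration block.
DEFAULTS = {
    "nss_reconnect_tries": 5,
    "nss_reconnect_sleeptime": 4,
    "nss_reconnect_maxsleeptime": 64,
    "nss_reconnect_maxconntries": 2,
}

# Sample input: the settings from the post that allow console login during an outage.
OUTAGE_CONF = """
timelimit 120
bind_timelimit 120
idle_timelimit 3600
# Added to permit console login during network outages.
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
"""

# Sample input: the default values quoted from the source, comments included.
DEFAULT_CONF = """
nss_reconnect_tries 5         # no. of times to double the sleep time
nss_reconnect_sleeptime 4     # initial sleep value
nss_reconnect_maxsleeptime 64 # max sleep value to cap at
nss_reconnect_maxconntries 2  # how many tries before sleeping
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines, dropping blank lines and anything after '#'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a bare keyword without a value carries no setting
        key, value = parts
        settings[key] = value.strip()
    return settings


def reconnect_settings(settings):
    """Merge parsed values over the defaults for the four reconnect keys."""
    cfg = dict(DEFAULTS)
    for key in DEFAULTS:
        if key in settings:
            cfg[key] = int(settings[key])
    return cfg


def reconnect_sleeps(settings):
    """Sleep intervals (seconds) the client waits through for one failed lookup."""
    cfg = reconnect_settings(settings)
    sleeps = []
    sleep = cfg["nss_reconnect_sleeptime"]
    for _ in range(cfg["nss_reconnect_tries"]):
        sleeps.append(min(sleep, cfg["nss_reconnect_maxsleeptime"]))
        sleep *= 2  # doubling per round, per the 'times to double' comment
    return sleeps


def worst_case_sleep(text):
    """Total seconds spent sleeping per lookup when no LDAP server answers.

    Connect timeouts themselves (bind_timelimit per attempt) come on top.
    """
    return sum(reconnect_sleeps(parse_ldap_conf(text)))


def connection_attempts(text):
    """Connection attempts per lookup: attempts per round times rounds."""
    cfg = reconnect_settings(parse_ldap_conf(text))
    return cfg["nss_reconnect_tries"] * cfg["nss_reconnect_maxconntries"]


if __name__ == "__main__":
    for name, conf in (("defaults", DEFAULT_CONF), ("outage", OUTAGE_CONF)):
        print(name, reconnect_sleeps(parse_ldap_conf(conf)),
              worst_case_sleep(conf), "s,", connection_attempts(conf), "attempts")
```

Run against the defaults the schedule is 4, 8, 16, 32, 64 seconds, the 124 seconds the source comment states; against the post's outage settings it is two one-second sleeps, which is why the console login no longer runs past its timeout. Point the parser at your own /etc/ldap.conf to check the delay a server would impose on a local login before changing anything.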