Re: [nssldap] boot failure (using local files) if ldap unavailable

On Wednesday 19 September 2007 03:39:15 Jack Bates wrote:
> We have at least two systems running libnss-ldap, one Debian lenny and
> one Ubuntu feisty. Both exhibit this same problem.
>
> Both systems boot fine without libnss-ldap. My goal is for each system
> to continue working with libnss-ldap: local passwd and group files
> should override values from our LDAP directory. However I would like
> users without local accounts to be able to login with their LDAP
> account.
>
> To this end, I changed the passwd and group lines in nsswitch.conf
> (see entire file attached):
>
> passwd:         compat ldap
> group:          compat ldap

I note that you may prefer to use "files ldap" instead of "compat ldap", 
depending on your requirements. Please see the nsswitch.conf man page to see 
the implication of compat.


> This works great when our LDAP server is available, but if it's not, I
> still want users with local accounts to be able to login. Instead, if I
> boot the system and our LDAP server is unavailable, no logins are
> possible. Not even root is able to login. In this case, I need to reboot
> the system in single user mode and remove ldap from nsswitch.conf before
> anyone can login.

This is most likely due to the configuration of nss_ldap, not the 
configuration of nss. So, the contents of your /etc/libnss_ldap.conf would be 
more interesting.

I note that recent versions of nss_ldap (248 or newer) will keep retrying 
queries against the ldap server if it is unavailable. While it seems that 
this should not affect local users, the only way that nss can look up all the 
groups a user is a member of is by checking all nss sources. There are two 
ways to work around this:

1) Disable group lookups from ldap for specific users, via the 
nss_initgroups_ignoreusers option (in /etc/libnss_ldap.conf)
2) Configure nss_ldap to not retry when it can't connect to the LDAP server, by 
setting bind_policy to soft (in /etc/libnss_ldap.conf).

Fedora has used the first option (and added a lot of "system" users to this 
list by default), but I don't agree that it is a good solution (as if you use 
real local users you would have to keep updating this all the time). On 
Mandriva, we have patched nss_ldap to have bind_policy default to "soft", as 
this is the behaviour in versions of nss_ldap prior to 248, and also usually 
the behaviour users want (to be able to log in with a local account if the 
ldap server is unavailable for whatever reason, e.g. router down, firewall 
rules bust, ldap server is on the same machine and not yet started etc. 
etc.).

If neither of these options helps, you need to provide more detail on what 
exactly the behaviour is when the LDAP server is unavailable. For example, 
does 'id root' return? Does 'getent passwd root' return? Does 'groups root' 
return?

Regards,
Buchan
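The following script is an added example and is not part of the list post or of nss_ldap itself. It checks a libnss_ldap.conf for the two settings the reply recommends (bind_policy soft and nss_initgroups_ignoreusers) and then runs the three diagnostic lookups the reply asks for under a time limit, so a hanging LDAP bind produces a visible FAIL instead of wedging the shell. The config text, the host ldap.example.com and the base DN are constructed sample values; the path /etc/libnss_ldap.conf is taken from the reply and is only mentioned in comments.

```shell
#!/bin/sh
# Added example (not from the list post): audit the nss_ldap settings the
# reply recommends and run its diagnostic lookups with a timeout.

# Constructed sample of /etc/libnss_ldap.conf with the recommended settings.
# Host and base DN are placeholders, not real values.
SAMPLE_CONF='uri ldap://ldap.example.com/
base dc=example,dc=com
# Give up after the first failed connection instead of retrying
bind_policy soft
# Skip LDAP group lookups entirely for these local accounts
nss_initgroups_ignoreusers root,daemon,bin
'

# Print the effective value of a key in an nss_ldap-style config:
# "key value" lines, comments stripped, last occurrence wins.
conf_value() {
    # $1 = config text, $2 = key name
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Return 0 when bind_policy is soft (local logins survive an LDAP outage);
# return 1 when it is hard or unset (the reply says 248+ keeps retrying).
bind_policy_is_soft() {
    [ "$(conf_value "$1" bind_policy)" = "soft" ]
}

# Return 0 when the named user appears in nss_initgroups_ignoreusers.
user_ignored_for_initgroups() {
    # $1 = config text, $2 = user name
    list=$(conf_value "$1" nss_initgroups_ignoreusers)
    case ",$list," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Run one diagnostic lookup from the reply under a 5 second limit.
# A FAIL here reproduces the boot-time symptom without locking you out.
probe() {
    # $* = command to run, e.g. getent passwd root
    if timeout 5 "$@" >/dev/null 2>&1; then
        echo "OK   : $*"
    else
        echo "FAIL : $* (no answer within 5s, or non-zero exit)"
    fi
}

if bind_policy_is_soft "$SAMPLE_CONF"; then
    echo "sample config: bind_policy is soft"
else
    echo "sample config: bind_policy is NOT soft; logins may hang when LDAP is down"
fi
if user_ignored_for_initgroups "$SAMPLE_CONF" root; then
    echo "sample config: root skips LDAP initgroups"
fi

# Only probe the live system when the needed tools are present.
if command -v getent >/dev/null 2>&1 && command -v timeout >/dev/null 2>&1; then
    probe id root
    probe getent passwd root
    probe groups root
fi
```

To audit a real host, replace SAMPLE_CONF with `$(cat /etc/libnss_ldap.conf)` and run the script while the LDAP server is unreachable; with bind_policy soft all three probes should come back OK for a local account.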