Re: [nssldap] No timeout for nss_ldap?
- From: Tony Earnshaw <tonni [at] hetnet.nl>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] No timeout for nss_ldap?
- Date: Thu, 03 Jan 2008 07:55:20 +0100
Thomas Kirchtag wrote, on 02-01-2008 20:05:
> Just so I know what awaits me - could you give me examples of which
> services will break if I set bind_policy to soft?
Actually, it's setting it to hard which breaks things. That's what I was
trying to repair in the content of my first mispost.
> So why should it be set to hard anyway? When soft works for reboots?
Because soft never makes nss_ldap retries on a bind failure. Say that
you have a primary and a failover URI in ldap.conf, as we have on our 2
k12ltsp (Linux Terminal Server Project) servers:
uri ldap://192.168.1.25/ ldap://192.168.0.253/
For some reason 192.168.1.25 can't be contacted, nss_ldap should
failover to 192.168.0.253. But it won't with bind_policy soft. And all
sorts of desktop services make use of nss -> nssldap lookups the whole
time; the whole thing comes to a grinding halt ("tail -f
/var/log/messages" on a RHEL5 server).
So one comments out "bind_policy soft" in ldap.conf and gets the default
hard_init and everything works again - BUT there's a new kernel update
and the machine has to be rebooted (this concerns multiple RHEL5
servers) and one forgets the bind_policy line in ldap.conf and the
machines never come up again. So the sysadmin has to go into the server
room, gain console access for each of multiple servers, enter run level
1 and fix and reboot. Then afterward change back /etc/ldap.conf to
"#bind_policy soft". He is not a happy bunny.
One can put most of them into ldap.conf as exceptions:
nss_initgroups_ignoreusers root,ldap,named,tonni
Only dbus can't be put in as an exception, since it "invents" a new,
unique UID for itself on each reboot. So the machine will hang on dbus.
A workaround is to make sure that LDAP is started at run level 1 as one
of the first services. dbus, by default, is started in run level 3 as
S22. This is easy to do on Red Hat-derived systems; I wouldn't know
where to start with, for example, Debian.
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
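The two traps described in this reply (bind_policy soft silently disabling failover between the two URIs, and a hard policy with no local-user exceptions hanging the boot) can be checked for in a configuration file before a reboot. The script below is an added example for this archive page, not code from nss_ldap or from the poster; the helper names, the file paths and the sample configs in the test are constructed. It reads the last effective `uri`, `bind_policy` and `nss_initgroups_ignoreusers` lines from an ldap.conf and reports the combinations the thread warns about.

```shell
#!/bin/sh
# Audit an nss_ldap style ldap.conf for the two boot/failover traps discussed
# in the thread. Hypothetical helper script, not part of nss_ldap; the file
# paths are assumptions.

# ldap_conf_get FILE KEYWORD: print the last effective value of KEYWORD.
# ldap.conf keywords are case-insensitive; lines starting with '#' are comments.
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# audit_ldap_conf FILE: print one finding per line.
# Exit status: 0 = no findings, 1 = at least one finding.
audit_ldap_conf() {
    uris=$(ldap_conf_get "$1" uri)
    policy=$(ldap_conf_get "$1" bind_policy)
    ignore=$(ldap_conf_get "$1" nss_initgroups_ignoreusers)
    rc=0

    # Count the whitespace-separated URIs on the uri line.
    set -- $uris
    nuris=$#

    case "$policy" in
        soft)
            # soft returns immediately on a server failure: with two URIs the
            # second one is never attempted, so the failover is illusory.
            if [ "$nuris" -gt 1 ]; then
                echo "WARN: bind_policy soft with $nuris URIs; nss_ldap will not retry, so the failover URI is never tried"
                rc=1
            fi
            ;;
        ""|hard|hard_open|hard_init)
            # A hard policy (also what you get when the line is commented out)
            # keeps retrying, so lookups for local accounts during early boot
            # block until a server answers. Exempting local users such as root
            # keeps the machine bootable without LDAP.
            case ",$ignore," in
                *,root,*) ;;
                *)
                    echo "WARN: bind_policy ${policy:-<default, hard>} without root in nss_initgroups_ignoreusers; boot can hang if no LDAP server is reachable"
                    rc=1
                    ;;
            esac
            ;;
        *)
            echo "WARN: unknown bind_policy value '$policy'"
            rc=1
            ;;
    esac
    return $rc
}

# Stand-alone use: sh audit_ldap_conf.sh /etc/ldap.conf
if [ $# -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```

Run it against the file you are about to reboot with; a non-zero exit means one of the two scenarios from the thread applies. The dbus case the poster describes cannot be caught this way, since it depends on a UID that is only known at boot, which is why the reply falls back to start ordering rather than an exception list.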