Re: slapd breaks NSS, NSS breaks slapd
On Tuesday 12 August 2008 09:38:21 Ralf Haferkamp wrote:
> On Montag, 11. August 2008, Emmanuel Dreyfus wrote:
> > Howard Chu <hyc@symas.com> wrote:
> > > Get a gdb backtrace of the hang.
> > >
> > > Show us your nsswitch.conf...
> >
> > Here is nsswitch.conf:
> > group: files ldap
> > group_compat: nis
> > hosts: files dns
> > netgroup: files [notfound=return] nis
> > networks: files
> > passwd: files ldap
> > passwd_compat: nis
> > shells: files
> >
> > user slapd and group ldap are resolved locally:
> > in /etc/passwd
> > slapd:*:402:497:openldap-server slapd user:/nonexistent:/sbin/nologin
> >
> > in /etc/group
> > ldap:*:497:
> >
> > $ id slapd
> > uid=402(slapd) gid=497(ldap) groups=497(ldap)
Maybe, but unlike a user account, the groups a user is a member of are not
singular, and a user may be a member of groups that are defined in different
nss plugins. It is impossible to determine this without doing the lookup ...
> > Here is the backtrace (the bottom is not very helpful, but
> > fortunately there is only one occurrence of initgroups in slapd
> > sources)
I guess the man page for initgroups really needs to be updated to be more
clear ...
> As it seems to hang in the initgroups call, does it help to add:
> nss_initgroups_ignoreusers root,slapd
> to your nss_ldap configuration?
If you go down this path, you will end up adding a very long list of users to
this list. IMHO it is the wrong approach (other problems aren't addressed),
and not scalable.
Let's rather consider the example with an nss_ldap client that can't connect
to any of its configured LDAP servers (due to firewall which is dropping all
LDAP traffic). No local accounts, besides those listed in
nss_initgroups_ignoreusers would be able to log in, so LDAP groups would be
useless.
However, either setting:
bind_policy soft
or setting the nss_reconnect_{sleeptime,maxsleeptime,maxconntries} options
would in my opinion be the correct fix (not only addressing the "haldaemon
doesn't start at boot", "ldap doesn't start when it's not running" issues).
Anyway, I will point out that this issue is more or less an FAQ on the
nss_ldap list.
Regards,
Buchan
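
As an added example, not part of this thread and not code from nss_ldap or OpenLDAP, the script below checks a host for the combination the reply describes: group lookups routed through nss_ldap in nsswitch.conf, bind_policy left at its nss_ldap default of hard, and the slapd user absent from nss_initgroups_ignoreusers. It also places the two ldap.conf variants side by side: the default one and one with bind_policy soft plus the nss_reconnect_* options. The sample files are constructed, and the function names and the "at-risk"/"ok" verdicts are my own conventions.

```shell
#!/bin/sh
# Added example: audit whether slapd startup can block in initgroups() the way
# the thread describes. Function names and sample files are constructed here.

# Print the sources configured for an NSS database (e.g. "group") in nsswitch.conf.
nss_sources() {  # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '$1 == db":" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# True when the database consults the ldap source at all.
uses_ldap() {  # $1 = nsswitch.conf path, $2 = database name
    nss_sources "$1" "$2" | tr ' ' '\n' | grep -qx ldap
}

# Value of an nss_ldap ldap.conf option, or the supplied default when unset.
# Keys are matched case-insensitively here (an assumption of this script).
ldap_conf_value() {  # $1 = ldap.conf path, $2 = option (lowercase), $3 = default
    v=$(awk -v opt="$2" 'tolower($1) == opt { $1 = ""; sub(/^ +/, ""); print; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# True when user $2 appears in the comma-separated nss_initgroups_ignoreusers list.
initgroups_ignored() {  # $1 = ldap.conf path, $2 = user name
    ldap_conf_value "$1" nss_initgroups_ignoreusers "" | tr ',' '\n' | grep -qx "$2"
}

# Verdict for one host: "at-risk" when group lookups go to LDAP, nss_ldap is on
# a hard bind policy (the documented default, including hard_open/hard_init),
# and the slapd user is not excluded from initgroups lookups; "ok" otherwise.
slapd_initgroups_risk() {  # $1 = nsswitch.conf, $2 = ldap.conf, $3 = slapd user
    policy=$(ldap_conf_value "$2" bind_policy hard)
    case "$policy" in hard*) hard=1 ;; *) hard=0 ;; esac
    if uses_ldap "$1" group && [ "$hard" = 1 ] && ! initgroups_ignored "$2" "$3"; then
        echo at-risk
    else
        echo ok
    fi
}

# Constructed samples: the poster's group/passwd lines and three ldap.conf variants.
TMP=$(mktemp -d)
cat > "$TMP/nsswitch.conf" <<'EOF'
group: files ldap
passwd: files ldap
hosts: files dns
EOF
# Variant 1: no bind_policy set, so nss_ldap's default (hard) applies and a
# lookup against a not-yet-listening slapd retries indefinitely.
cat > "$TMP/ldap-default.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=example,dc=com
EOF
# Variant 2: the fix the reply recommends; the lookup fails fast and falls
# through to the files source. Retry values are illustrative.
cat > "$TMP/ldap-soft.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=example,dc=com
bind_policy soft
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
EOF
# Variant 3: the workaround Ralf suggested, which the reply calls unscalable.
cat > "$TMP/ldap-ignore.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=example,dc=com
nss_initgroups_ignoreusers root,slapd
EOF

for f in ldap-default.conf ldap-soft.conf ldap-ignore.conf; do
    printf '%-18s %s\n' "$f" "$(slapd_initgroups_risk "$TMP/nsswitch.conf" "$TMP/$f" slapd)"
done
```

Run against a real host, point the two path arguments at /etc/nsswitch.conf and the nss_ldap ldap.conf; the check only reads the files and never performs an NSS lookup itself, so it cannot hang the way initgroups() does.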