
Re: slapd breaks NSS, NSS breaks slapd

Emmanuel Dreyfus wrote:
> On Tue, Aug 12, 2008 at 11:17:13AM +0200, Buchan Milne wrote:
>> Anyway, I will point out that this issue is more or less an FAQ on the
>> nss_ldap list.
>
> IMO, the problem is in slapd: it starts listening for requests while it is not ready yet for answering requests.
>
> If the listener was not ready when slapd would do its initgroups() call,
> then NSS would not contact local slapd, it would fall back to other sources
> (/etc/passwd and /etc/group), and everything would be fine.

Hm, I don't think that's true. slap_init_user() which does the initgroups() call occurs before slapd starts listening on its sockets. While it has its sockets bound to their respective ports, clients will get a "connection refused" while the sockets are in this state. It only calls listen() long after the startup initializations are done, and only then can it receive any incoming requests.

> What about a new slapd.conf option?
> delayed_service	{none|warm|syncrepl}
> and slapd would...
> ... behave as it does now for "none"
> ... return LDAP_UNAVAILABLE until initialization is completed for "warm"
> ... return LDAP_UNAVAILABLE until syncrepl catches up with master for "syncrepl"
>
> The latter option would fix the stupid situation where your replica starts
> and answers outdated stuff until syncrepl catches up.

We've discussed that possibility (delaying queries until syncrepl completes) a few times on -devel in the past. I don't remember now why we didn't do it, check the archives...

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
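
Added example (not part of the original message and not slapd code): a small C program showing, from the client side, the bind-then-listen ordering described in the reply above. The function names are hypothetical, and it assumes a loopback interface and a TCP stack that resets connections to a bound, non-listening socket (as Linux does).

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to 127.0.0.1 on an ephemeral port, without listen(). */
static int bind_loopback(struct sockaddr_in *addr) {
    socklen_t len = sizeof(*addr);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    *addr = (struct sockaddr_in){0};            /* sin_port 0 = ephemeral */
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* One client connect() attempt: returns 0 on success, else errno. */
static int probe(const struct sockaddr_in *addr) {
    int rc, c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0) return errno;
    rc = connect(c, (const struct sockaddr *)addr, sizeof(*addr)) < 0 ? errno : 0;
    close(c);
    return rc;
}

/* Server startup in the order described; records what a client sees. */
int startup_sequence(int *before_listen, int *after_listen) {
    struct sockaddr_in addr;
    int fd = bind_loopback(&addr);
    if (fd < 0) return -1;
    *before_listen = probe(&addr);  /* bound only: expect ECONNREFUSED */
    /* startup work (e.g. initgroups() and the uid switch) would run here */
    if (listen(fd, 8) < 0) { close(fd); return -1; }
    *after_listen = probe(&addr);   /* queued in the backlog: expect 0 */
    close(fd);
    return 0;
}

int main(void) {
    int b = -1, a = -1;
    if (startup_sequence(&b, &a) != 0) return 1;
    printf("before listen(): errno %d, after listen(): errno %d\n", b, a);
    return 0;
}
```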