On Tuesday 12 August 2008 09:38:21 Ralf Haferkamp wrote:
On Montag, 11. August 2008, Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
Get a gdb backtrace of the hang.
Show us your nsswitch.conf...
Here is nsswitch.conf:
group: files ldap
group_compat: nis
hosts: files dns
netgroup: files [notfound=return] nis
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
User slapd and group ldap are resolved locally: in /etc/passwd
slapd:*:402:497:openldap-server slapd user:/nonexistent:/sbin/nologin
in /etc/group
ldap:*:497:
$ id slapd
uid=402(slapd) gid=497(ldap) groups=497(ldap)
Maybe, but unlike a user account, the groups a user is a member of are not singular, and a user may be a member of groups that are defined in different nss plugins. It is impossible to determine this without doing the lookup ...
Here is the backtrace (the bottom is not very helpful, but fortunately there is only one occurrence of initgroups in slapd sources)
I guess the man page for initgroups really needs to be updated to be more clear ...
As it seems to hang in the initgroups call, does it help to add:
nss_initgroups_ignoreusers root,slapd
to your nss_ldap configuration?
If you go down this path, you will end up adding a very long list of users to this list. IMHO it is the wrong approach (other problems aren't addressed), and not scalable.
Let's rather consider the example with an nss_ldap client that can't connect to any of its configured LDAP servers (due to a firewall which is dropping all LDAP traffic). No local accounts, besides those listed in nss_initgroups_ignoreusers, would be able to log in, so LDAP groups would be useless.
However, either setting:
bind_policy soft
or setting the nss_reconnect_{sleeptime,maxsleeptime,maxconntries} options would in my opinion be the correct fix (not only addressing the "haldaemon doesn't start at boot", "ldap doesn't start when it's not running" issues).
Anyway, I will point out that this issue is more or less an FAQ on the nss_ldap list.
Regards, Buchan
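The two approaches discussed in this thread, shown side by side as an added nss_ldap configuration example (not taken from any message above): the file path /etc/ldap.conf, the server URI and the numeric reconnect values are assumptions, chosen to bound how long a lookup can block when the LDAP server is unreachable at boot.

```conf
# /etc/ldap.conf (nss_ldap) -- assumed path and example values

uri ldap://ldap.example.internal/        # assumed server
base dc=example,dc=internal              # assumed search base

# Approach 1 (workaround, not scalable): skip the LDAP initgroups
# lookup for specific local accounts only. Every local daemon user
# that must start before LDAP is reachable has to be listed here.
nss_initgroups_ignoreusers root,slapd

# Approach 2 (general fix): with the default "bind_policy hard" a
# lookup blocks while nss_ldap keeps retrying an unreachable server,
# which is what stalls initgroups() in slapd at startup.
# "soft" makes the lookup fail fast and fall through to the next
# nsswitch source ("files") instead of hanging.
bind_policy soft

# If hard binds are kept, bound the retry loop instead (values in
# seconds / attempts; these are example values, not recommendations):
# nss_reconnect_sleeptime 1
# nss_reconnect_maxsleeptime 8
# nss_reconnect_maxconntries 2
```

With bind_policy soft, a reachable-but-slow server is still waited for up to the configured timeouts; only a bind failure is treated as "no such entry", so local accounts in /etc/passwd and /etc/group continue to resolve while LDAP-only groups are simply absent until the server comes back.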