On Tuesday 12 August 2008 12:01:16 Emmanuel Dreyfus wrote:
On Tue, Aug 12, 2008 at 11:17:13AM +0200, Buchan Milne wrote:
Anyway, I will point out that this issue is more or less an FAQ on the nss_ldap list.
IMO, the problem is in slapd: it starts listening for requests while it is not ready yet for answering requests.
If the listener was not ready when slapd would do its initgroups() call, then NSS would not contact local slapd, it would fall back to other sources (/etc/passwd and /etc/group), and everything would be fine.
Only for your case, where it is nss_ldap that is preventing slapd from starting, not the case where haldaemon (or similar, but haldaemon is the most common suspect on RedHat-based systems).
What about a new slapd.conf option?
delayed_service {none|warm|syncrepl}
Add another option, database
and slapd would...
... behave as it does now for "none"
... return LDAP_UNAVAILABLE until initialization is completed for "warm"
... return LDAP_UNAVAILABLE until syncrepl catches up with master for "syncrepl"
return LDAP_UNAVAILABLE until all databases are recovered and started.
The latter option would fix the stupid situation where your replica starts and answers outdated stuff until syncrepl catches up.
Yes, this would be useful to me. But, I don't see a need for this to solve the chicken/egg slapd vs nss_ldap issue (because this is a subset of the whole problem).
Regards, Buchan