On Tue, Aug 12, 2008 at 11:17:13AM +0200, Buchan Milne wrote:
Anyway, I will point out that this issue is more or less an FAQ on the nss_ldap list.
IMO, the problem is in slapd: it starts listening for requests while it is not ready yet for answering requests.
If the listener was not ready when slapd would do its initgroups() call, then NSS would not contact local slapd, it would fall back to other sources (/etc/passwd and /etc/group), and everything would be fine.
What about a new slapd.conf option?
delayed_service {none|warm|syncrepl}
and slapd would...
... behave as it does now for "none"
... return LDAP_UNAVAILABLE until initialization is completed for "warm"
... return LDAP_UNAVAILABLE until syncrepl catches up with master for "syncrepl"
The latter option would fix the stupid situation where your replica starts and answers outdated stuff until syncrepl catches up.
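
A sketch of the gating logic proposed in the message above, added here as an example; it is not part of the original message and not slapd code. The `delayed_service` modes, the `srv_state` fields, the string comparison of CSNs and the NSS fallback on `LDAP_UNAVAILABLE` are assumptions made for illustration, and the CSN values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define LDAP_UNAVAILABLE 0x34   /* LDAP result code 52 (RFC 4511) */
#define GATE_PROCESS     0      /* hand the request to normal processing */

/* Hypothetical values of the proposed delayed_service option. */
typedef enum { DS_NONE, DS_WARM, DS_SYNCREPL } ds_mode;

/* Simplified server state for this sketch, not slapd's real structures. */
typedef struct {
    int init_done;             /* startup, including initgroups(), finished */
    const char *local_csn;     /* replica contextCSN */
    const char *provider_csn;  /* master contextCSN */
} srv_state;

/* Assumption: one provider and same-format CSNs, which start with a
 * fixed-width UTC timestamp, so string order is chronological order. */
static int caught_up(const srv_state *s) {
    return strcmp(s->local_csn, s->provider_csn) >= 0;
}

/* Decide what an incoming request gets under each mode. */
int gate_request(ds_mode mode, const srv_state *s) {
    if (mode == DS_NONE) return GATE_PROCESS;          /* behaviour today */
    if (!s->init_done) return LDAP_UNAVAILABLE;        /* "warm" and "syncrepl" */
    if (mode == DS_SYNCREPL && !caught_up(s)) return LDAP_UNAVAILABLE;
    return GATE_PROCESS;
}

/* Assumption: the NSS client treats LDAP_UNAVAILABLE like an unreachable
 * server and moves on to the next source. */
const char *nss_source(int rc) { return rc == LDAP_UNAVAILABLE ? "files" : "ldap"; }

int main(void) {
    /* Constructed CSNs: the replica is behind the master in the first two rows. */
    const char *old = "20080811230000.000000Z#000000#000#000000";
    const char *cur = "20080812091713.000000Z#000000#000#000000";
    srv_state steps[] = { {0, old, cur}, {1, old, cur}, {1, cur, cur} };
    const char *names[] = { "none", "warm", "syncrepl" };
    for (int m = DS_NONE; m <= DS_SYNCREPL; m++)
        for (int i = 0; i < 3; i++)
            printf("%-8s step %d -> %s\n", names[m], i,
                   nss_source(gate_request((ds_mode)m, &steps[i])));
    return 0;
}
```

The three steps are: still initializing, initialized but behind the master, and caught up. With "none" the NSS lookup goes to the local slapd at every step, including the first one, which is the case the message describes.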