bind policy in 251-5.2 breaks the whole system
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libnss-ldap (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
The default policy is to bind hard. That means that if the LDAP server is down or unreachable, all nss lookups will stall.
This is especially critical during startup when the network is not up yet. The startup script tries to work around this problem by setting the bind policy on shutdown to soft, and resetting it on startup to hard by touching/removing a special file.
This obviously fails if for whatever reason that file is not accessible or not present during boot. The only way to recover a system then is to reboot from a recovery CD and manually create that file.
I believe that this is completely user unfriendly and not acceptable. The default should be to bind soft and only go into hard bind when entering multi user level.
Here is a complete description of this problem (I noticed this entry as I was filing a bug report for the same problem, so am just going to paste it here instead):
The default installation of libnss-ldap is called by the udev and other subsystems to resolve group names (i.e. udev rules with "GROUP=") before the network is configured so libnss-ldap hangs on boot.
This problem is discussed in the following debian posts: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375215, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375077, and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=391167.
According to the above threads, the 'solution' devised to fix this problem is to place a file that will override the default libnss-ldap connection policy from hard to soft at the beginning of the rcS.... boot sequence. The edgy installation does include this via the rcS.d/S03libnss-ldap script -- the only problem is when this script attempts to create the lib/init/rw/libnss-ldap.bind_policy_soft file it fails because the file system is read only at that point in the boot sequence.
Another problem I noted with the edgy distribution is that the lib/init/rw/ directory is not created by the install script and must be created manually.
This whole issue could be avoided if all of the nsswitch data came from local files so libnss-ldap never gets called. I was able to avoid the udev problem by adding a missing 'nvram' group that is referenced in the udev rules but not created when edgy was installed (I did install and upgrade Edgy so a fresh install may work).
Even with the additional group added the rcS.d/S49console-setup script still hangs unless I manually change the connection policy in libnss-ldap.conf to 'soft'. I was not able to trace the reason for this problem. I will try again later and update this thread if I have any luck.
For now I am keeping the 'soft' policy; this should not be a problem since I am only using this on a small test network.
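The following is an added diagnostic script, not part of the bug report or of the libnss-ldap package. It works out which bind policy a host will actually use at boot, given the mechanism the report describes: `bind_policy` in libnss-ldap.conf (hard when absent) and the soft-override flag file that the rcS script is supposed to create, whose presence is taken to force soft binding. It also checks whether the directory that is meant to hold that flag file is writable, which is the step the report says fails on a read-only file system. The paths `/etc/libnss-ldap.conf` and `/lib/init/rw` are the ones named in the report; the script treats them as parameters, and the demo at the bottom runs entirely on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the bug report): report the effective libnss-ldap
# bind policy and the boot-hang risk it implies.
#
# Assumptions, taken from the report's description rather than from the
# package source: "bind_policy <hard|soft>" in libnss-ldap.conf, defaulting
# to hard when the directive is absent, and a flag file whose existence
# switches the policy to soft for the duration of early boot.

# effective_bind_policy CONF FLAGFILE -> prints "hard" or "soft"
effective_bind_policy() {
    conf="$1"
    flag="$2"
    # Last bind_policy directive wins; POSIX sed, no GNU-only escapes.
    policy=$(sed -n 's/^[[:space:]]*bind_policy[[:space:]][[:space:]]*\([a-z][a-z]*\).*/\1/p' \
                 "$conf" 2>/dev/null | tail -n 1)
    [ -z "$policy" ] && policy=hard
    if [ -e "$flag" ]; then
        echo soft            # override file present: soft binding regardless of conf
    else
        echo "$policy"
    fi
}

# override_dir_usable DIR -> 0 if the flag file could be created there, 1 otherwise
# (this is the check the rcS script effectively fails when / is still read-only)
override_dir_usable() {
    dir="$1"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# boot_hang_risk CONF FLAGFILE -> prints "high" when early-boot NSS lookups
# (udev GROUP= rules, console-setup) would stall on an unreachable LDAP server,
# "low" otherwise.
boot_hang_risk() {
    if [ "$(effective_bind_policy "$1" "$2")" = hard ]; then
        echo high
    else
        echo low
    fi
}

# --- demo on constructed files (no real system paths are touched) ---
demo_dir=$(mktemp -d)
printf 'base dc=example,dc=com\nuri ldap://ldap.example.com/\nbind_policy hard\n' \
    > "$demo_dir/libnss-ldap.conf"
mkdir "$demo_dir/rw"

echo "policy without override: $(effective_bind_policy "$demo_dir/libnss-ldap.conf" "$demo_dir/rw/libnss-ldap.bind_policy_soft")"
echo "boot-hang risk:          $(boot_hang_risk "$demo_dir/libnss-ldap.conf" "$demo_dir/rw/libnss-ldap.bind_policy_soft")"
if override_dir_usable "$demo_dir/rw"; then
    touch "$demo_dir/rw/libnss-ldap.bind_policy_soft"
    echo "override file created; policy now: $(effective_bind_policy "$demo_dir/libnss-ldap.conf" "$demo_dir/rw/libnss-ldap.bind_policy_soft")"
else
    echo "override directory not writable: boot would keep the hard policy"
fi
rm -rf "$demo_dir"
```

Running it against a real host would mean passing `/etc/libnss-ldap.conf` and `/lib/init/rw/libnss-ldap.bind_policy_soft`; a result of `high` with a non-writable `/lib/init/rw` early in boot is exactly the failure mode the report describes, and the check is the one you would want before relying on the flag-file workaround rather than on a `soft` setting in the config itself.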