bind policy in 251-5.2 breaks the whole system

Bug #67404 reported by Andreas Schultz
Affects                Status         Importance   Assigned to   Milestone
libnss-ldap (Ubuntu)   Fix Released   Undecided    Unassigned

Bug Description

The default policy is to bind hard. That means that if the LDAP server is down or unreachable, all NSS lookups will stall.

This is especially critical during startup when the network is not up yet. The startup script tries to work around this problem by setting the bind policy on shutdown to soft, and resetting it on startup to hard by touching/removing a special file.

This obviously fails if for whatever reason that file is not accessible or not present during boot. The only way to recover a system then is to reboot from a recovery CD and manually create that file.

I believe that this is completely user unfriendly and not acceptable. The default should be to bind soft and only go into hard bind when entering multi user level.

Revision history for this message
Shawn Church (sl-church) wrote :

Here is a complete description of this problem (I noticed this entry as I was filing a bug report for the same problem, so am just going to paste it here instead):

The default installation of libnss-ldap is called by the udev and other subsystems to resolve group names (i.e. udev rules with "GROUP=") before the network is configured so libnss-ldap hangs on boot.

This problem is discussed in the following debian posts: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375215, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375077, and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=391167.

According to the above threads, the 'solution' devised to fix this problem is to place a file that will override the default libnss-ldap connection policy from hard to soft at the beginning of the rcS.... boot sequence. The edgy installation does include this via the rcS.d/S03libnss-ldap script -- the only problem is when this script attempts to create the lib/init/rw/libnss-ldap.bind_policy_soft file it fails because the file system is read only at that point in the boot sequence.

Another problem I noted with the edgy distribution is that the lib/init/rw/ directory is not created by the install script and must be created manually.

This whole issue could be avoided if all of the nsswitch data came from local files so libnss-ldap never gets called. I was able to avoid the udev problem by adding a missing 'nvram' group that is referenced in the udev rules but not created when edgy was installed (I did install and upgrade Edgy so a fresh install may work).

Even with the additional group added the rcS.d/S49console-setup script still hangs unless I manually change the connection policy in libnss-ldap.conf to 'soft'. I was not able to trace the reason for this problem. I will try again later and update this thread if I have any luck.

For now I am keeping the 'soft' policy, this should not be a problem since I am only using this on a small test network.
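The two mechanisms discussed above, the bind_policy setting in libnss-ldap.conf and the early-boot flag file that the init script is supposed to create, shown in a small POSIX sh script. This is an added example, not the libnss-ldap package's own init script and not code posted by anyone in this report. The bind_policy keyword and its hard default are nss_ldap's; the flag-file name libnss-ldap.bind_policy_soft is taken from Shawn Church's comment; every path, the sample config and the function names are assumptions made for the demo. The writability check in mark_soft is the point: an unguarded touch on a read-only root fails, and the box stays in hard-bind mode with every lookup blocking until LDAP answers.

```shell
#!/bin/sh
# Added example, not libnss-ldap's own init script: toggle nss_ldap's
# bind_policy in a libnss-ldap.conf and show why an early-boot flag file
# cannot be created while the root filesystem is still read-only.
# All paths and the sample config below are constructed for the demo.

# set_bind_policy CONF hard|soft
# Rewrite the bind_policy line in CONF, appending one if none is present.
# Uses a temp file plus mv rather than sed -i so any POSIX sed will do.
set_bind_policy() {
    conf=$1
    policy=$2
    case $policy in
        hard|soft) ;;
        *) echo "set_bind_policy: policy must be hard or soft, got '$policy'" >&2; return 2 ;;
    esac
    if grep -q '^[[:space:]]*bind_policy' "$conf"; then
        sed "s/^[[:space:]]*bind_policy.*/bind_policy $policy/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'bind_policy %s\n' "$policy" >> "$conf"
    fi
}

# get_bind_policy CONF
# Print the effective policy. nss_ldap binds hard when the line is absent,
# which is the default this bug report is about.
get_bind_policy() {
    p=$(sed -n 's/^[[:space:]]*bind_policy[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${p:-hard}"
}

# mark_soft FLAGDIR
# Create the flag file an init script would test for. Check that the
# directory exists and is writable first: on a read-only root a plain
# touch in a boot script just fails, and the system stays in hard-bind
# mode, blocking every NSS lookup until LDAP answers.
mark_soft() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "mark_soft: cannot create flag in $dir (missing or read-only)" >&2
        return 1
    fi
    : > "$dir/libnss-ldap.bind_policy_soft"
}

# Demo on a constructed config in a temp dir; prints "soft" and a flag notice.
demo() {
    tmp=$(mktemp -d)
    conf="$tmp/libnss-ldap.conf"
    cat > "$conf" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
bind_policy hard
bind_timelimit 5
EOF
    set_bind_policy "$conf" soft
    get_bind_policy "$conf"
    mark_soft "$tmp" && echo "flag created in $tmp"
    rm -rf "$tmp"
}

demo
```

A real init script would call mark_soft only after the root filesystem has been remounted read-write, or keep the flag on a tmpfs that is mounted before anything consults NSS; if mark_soft reports failure, the safe fallback is to leave bind_policy soft in the config rather than rely on the flag at all.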

Revision history for this message
Jerome Haltom (wasabi) wrote : Re: [Bug 67404] Re: bind policy in 251-5.2 breaks the whole system

A better solution would be for libnss-ldap to be disabled completely
until such a point as network access is available.

Or you know, it should disable itself. No network, no LDAP, no timeout.

On Sun, 2006-10-29 at 11:44 +0000, Shawn Church wrote:

Revision history for this message
Oliver Grawert (ogra) wrote :

fixed in feisty:

libnss-ldap (251-6) unstable; urgency=low

  * Acknowledge NMUs (Closes: #377895, #390241, #390957)
  * Resolve timing issues,
    Closes: #375077, #375215, #390926, #391053, #391167, #394152, #391829

Changed in libnss-ldap:
status: Unconfirmed → Fix Released