Mattias Geniar
2011-Apr-28 14:21 UTC
[CentOS] LDAPs causing System Message Bus to hang when there's no network
Hi Everyone,

I'm experiencing the following problem, for which I've not yet found a resolution. It's been discussed elsewhere, but unfortunately nothing actually solves it.

Here's my /etc/ldap.conf file:

#################
ldap_version 3
base ou=people,o=xxx
uri ldaps://server1.domain.be/ ldaps://server2.domain.be/
bind_policy soft
scope sub
timelimit 3
bind_timelimit 5
idle_timelimit 120
referrals no
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
#################

And the relevant nsswitch:

#################
passwd: files ldap
shadow: files ldap
group: files ldap
#################

So that's pretty straightforward. My LDAP systems are running fine, and I can authenticate to them.

However, the problem: when the client boots *without network connectivity*, the server gets stuck/hangs at "Start System Message Bus". I've tracked this down to the following known bug in Redhat, but it dates back to early 2010.

https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46

The solution works: if I comment out the "group" from nsswitch to only load from "files" and not from "ldap", it works and the system boots. However, since most systems (and that includes ours) use groups for management, that's not a viable option.

We're running the very latest 5.6 with all packages (only from the CentOS repos) up-to-date.

Has anyone else ever solved this to still be able to keep the group ldap entry in nsswitch.conf without having a server hang on boot if there's no network?

Regards,
Mattias
Benjamin Hackl
2011-Apr-28 14:37 UTC
[CentOS] LDAPs causing System Message Bus to hang when there's no network
On Thu, 28 Apr 2011 16:21:58 +0200 "Mattias Geniar" <mattias at nucleus.be> wrote:

> Here's my /etc/ldap.conf file:

Did you include nss_initgroups_ignoreusers in your /etc/ldap.conf?

nss_initgroups_ignoreusers root,ldap

Brgds
Scott Robbins
2011-Apr-28 14:53 UTC
[CentOS] LDAPs causing System Message Bus to hang when there's no network
On Thu, Apr 28, 2011 at 04:21:58PM +0200, Mattias Geniar wrote:

> Hi Everyone,
>
> So that's pretty straightforward. My LDAP systems are running fine, and
> I can authenticate to them.
>
> However, the problem: when the client boots *without network
> connectivity*, the server gets stuck/hangs at "Start System Message
> Bus". I've tracked this down to the following known bug in Redhat, but
> it dates back to early 2010.
> https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46

Yes, the bug is actually older than that---Don't know if it's only RH based systems (as so many things seem to work everywhere but RH and their offshoots) or ldap.

You should be able to fix it by changing /etc/ldap.conf. There is a default commented line in there

#bind_policy hard

Uncomment it, change it to soft. (On the client.)

Note this is /etc/ldap.conf--in Fedora, if that's the client, I believe it's now /etc/pam_ldap.conf or possibly /etc/nss_ldap.conf.

I can't find the earlier bug at first glance, but it's FAR older than 2010, and they never bothered to fix it.

> Has anyone else ever solved this to still be able to keep the group ldap
> entry in nsswitch.conf without having a server hang on boot if there's
> no network?

See above.

Darn, I wish I could find that older bug, so that I could go to the newer one you mention and point out that they've been unable to fix it for far longer than a year. :) (I might do it anyway)

Grouchily yours,
(Not at you, at RH for being unable to get such a basic thing to work--actually, at one point, Fedora changed bind_policy to soft so that it would work, but now they're back to the broken way.)

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Principal Snyder: It's fuzzy-minded liberal thinking like that that gets you eaten.
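The two replies above point at two client-side settings: Scott's "bind_policy soft" (which Mattias' posted config already has) and Benjamin's "nss_initgroups_ignoreusers root,ldap". The script below is an added example, not code from the thread or from nss_ldap, that parses an nss_ldap-style ldap.conf and an nsswitch.conf and reports, for a host whose group database still falls through to ldap, whichever of those two settings is absent. The config texts are the ones Mattias posted, reproduced here as constructed sample input; the set of local accounts that should be ignored (root and ldap, as in Benjamin's line) is an assumption taken from that reply, and a site may need to add other service accounts that are resolved during early boot.

```python
"""Audit nss_ldap client settings the thread links to a boot hang when the
directory is unreachable. Added example; the config texts are constructed
from the thread, not read from a live system."""

# Constructed sample: the /etc/ldap.conf Mattias posted.
OP_LDAP_CONF = """\
ldap_version 3
base ou=people,o=xxx
uri ldaps://server1.domain.be/ ldaps://server2.domain.be/
bind_policy soft
scope sub
timelimit 3
bind_timelimit 5
idle_timelimit 120
referrals no
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
"""

# Constructed sample: the nsswitch.conf entries Mattias posted.
OP_NSSWITCH = """\
passwd: files ldap
shadow: files ldap
group:  files ldap
"""

# The same ldap.conf with Benjamin's suggested line appended.
HARDENED_LDAP_CONF = OP_LDAP_CONF + "nss_initgroups_ignoreusers root,ldap\n"


def parse_ldap_conf(text):
    """Parse 'key value' lines as nss_ldap/pam_ldap read them.
    Blank lines and '#' comments are skipped; a repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def parse_nsswitch(text):
    """Parse nsswitch.conf into {database: [sources]}; '[action]' tokens are dropped."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        databases[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def audit(ldap_conf_text, nsswitch_text, local_users=("root", "ldap")):
    """Return a list of findings; an empty list means nothing to flag.

    local_users is an assumption: the local accounts whose group membership
    is looked up during boot and should never be sent to LDAP."""
    conf = parse_ldap_conf(ldap_conf_text)
    nss = parse_nsswitch(nsswitch_text)
    findings = []

    # If group lookups never reach LDAP, the hang path the thread describes is closed.
    if "ldap" not in nss.get("group", []):
        return findings

    # nss_ldap's documented default is 'hard', so a missing key counts as hard.
    if conf.get("bind_policy", "hard") != "soft":
        findings.append("bind_policy is not 'soft': lookups keep retrying while the directory is unreachable")

    ignored = {u.strip() for u in conf.get("nss_initgroups_ignoreusers", "").split(",") if u.strip()}
    missing = [u for u in local_users if u not in ignored]
    if missing:
        findings.append("nss_initgroups_ignoreusers does not cover: " + ",".join(missing))
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", OP_LDAP_CONF), ("with ignoreusers", HARDENED_LDAP_CONF)):
        print(label + ":", audit(text, OP_NSSWITCH) or "no findings")
```

Run against the posted config the audit reports only the missing nss_initgroups_ignoreusers line, since bind_policy is already soft; with Benjamin's line appended it reports nothing. Flipping bind_policy back to hard, or dropping ldap from the group line, exercises the other two branches.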