There seems to be a serious problem when using nss_ldap. I initially thought I had rooted my system because uDev just hung on for ages and finally died, and I eventually got booted into single-user mode with no idea how to fix the problem.
It turned out that removing nss_ldap solved the problem, reason being that when LDAP is being used to convert filesystem UIDs to real names, it is not available when uDev starts (hey, the network isn't even up yet).
Is this a known problem, and how do I fix it?
I still want to use nss_ldap, I just don't want it disabling my system.
Is it possible to start nss_ldap AFTER udev ?
Added :
Since nss_ldap uses openldap and openldap is a daemon, it should be possible to start udev before openldap.
There's a bind_timelimit and a bind_policy option in the nss_ldap.conf file. You could try to play with these.
This has been driving me nuts, I posted a bug report about it a while ago here: http://bugs.archlinux.org/task/3369
The first thing to note is that it only hangs when trying to access ldap group information. So if you disable group ldap stuff it will still work for users. I know this isn't ideal, but the workaround is to re-enable group stuff after the system has booted.
alexmat can you point to the udev version when this first broke? Perhaps the solution is not so hard and we can patch our systems until the package is fixed again.
It's been a while and I honestly don't remember which version of udev broke it (also I'm not positive it's a udev issue, it could be something in the init scripts or something else entirely).
Edit: It is a UDEV issue :?
The way I'm doing things right now is as follows:
1.) add rw to my kernel boot line
2.) in rc.sysinit I added the following before udev startup: cp /etc/nsswitch.file /etc/nsswitch.conf
3.) in rc.sysinit I added the following after udev startup: cp /etc/nsswitch.ldap /etc/nsswitch.conf
The nsswitch.file file is just the default nsswitch config, the ldap one has all my ldap settings. I know this is dirty and it breaks every time I update initscripts (I just have to re-add the two lines to rc.sysinit).
But I'm a relative noob at this so if anyone has a better solution let me know.
thanks for the tip!
I've updated the bug report with some research I did, maybe getting more eyeballs on this will help:
After a ton of headaches and hours upon hours of googling I think I found the problem. I was using a workaround to rewrite the nsswitch.conf file on every reboot before udev came up, but for some reason the new kernel with initrd wouldn't allow the workstations to mount the root partition rw before udev came up even though I put the rw switch in menu.lst.
Ok that's all history now because I got sick of finding workarounds for workarounds. I dug into udev and found what causes it to halt. It is indeed trying to resolve with an LDAP server that's active, but on the network, and since the network services don't start without udev it becomes a cyclical dependency.
However, udev worked just fine a few updates ago so what happened? udev.rules assigns devices to groups using numbers... that is until recently, now half the rules are numbers and half are names. I switched all group names to their numerical mappings and voila! everything is smooth again.
I don't know how to resolve this in a clean manner for UDEV and LDAP. Putting in numbers instead of group names is a chore and not all systems may use the same mappings (although I would think most people stick with the default group mappings). However I can't imagine how NSS_LDAP can work with the current UDEV, because the system insists on timing out waiting for a LDAP server it's never going to reach.
I did a man on nsswitch.conf and there were some interesting bits in there about switches like TRYAGAIN and UNAVAIL, however, I could not get any of them to make UDEV skip the LDAP entry in the nsswitch.conf on boot.
There must be a nice way to do this that I am overlooking. Help me Obi Judd Kenobi! You're my only hope ;P
Doh! How did I miss JGC's post:
There's a bind_timelimit and a bind_policy option in the nss_ldap.conf file. You could try to play with these.
Maybe this will help. I'll try it today time permitting. 8)
it looks like things work again without need for the tweak. my system uses udev-068-5 and things are working.
The way I'm doing things right now is as follows:
1.) add rw to my kernel boot line
2.) in rc.sysinit I added the following before udev startup: cp /etc/nsswitch.file /etc/nsswitch.conf
3.) in rc.sysinit I added the following after udev startup: cp /etc/nsswitch.ldap /etc/nsswitch.conf
I added the rw to my kernel boot line in grub but it still doesn't mount it rw so I'm still stuck w/o a clean boot. Is there anything else I should do for really mounting the filesystem rw?
Just change the bind_policy from hard to soft and your problem will be gone. With a hard bind_policy, nss_ldap can wait very long until your LDAP server is up again, which never happens because your system isn't booted again.
I've seen this bug on debian too where openldap gets stopped, a user account is created for openldap and openldap is started again on upgrade. While openldap is stopped, creation of the user account isn't possible with bind_policy set to hard.
I believe that this could lead to some other problems since, apparently, the client machine would stop trying to connect after the first fail.
Since I couldn't mount / rw while booting my box, I decided to copy a nsswitch.conf w/o ldap in rc.shutdown before / is mounted ro, and copy it back in rc.sysinit after / is mounted rw.
I hope some serious nss_ldap official patch comes out some day with better documentation.
This was still a problem for me recently. I found that using the undocumented LDAP options "nss_reconnect_tries", "nss_reconnect_sleeptime", "nss_reconnect_maxsleeptime" and "nss_reconnect_maxconntries" works quite well.
I found these out via this post:
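For reference, this is what the knobs named in this post and in the earlier bind_policy reply look like together in the nss_ldap configuration file. It is an added example, not a configuration anyone posted in the thread: the option names are the ones the posts give, the values are illustrative, and the file is the /etc/nss_ldap.conf the thread refers to (other distributions keep the same options in /etc/ldap.conf).

```conf
# /etc/nss_ldap.conf (added example; values are illustrative)

# Default behaviour, which blocks the caller for as long as the server is
# unreachable and is what stalls udev before the network is up:
#bind_policy hard

# Fail the bind instead of blocking on it:
bind_policy soft

# Upper bound, in seconds, on a single bind attempt:
bind_timelimit 5

# Reconnect back-off named in the post above (undocumented in the nss_ldap
# of the time): attempts per lookup, initial sleep, sleep cap, and the
# number of connection attempts before giving up on the server.
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 1
```

With a soft policy a lookup that runs while the server is still unreachable simply comes back empty for that call, so this only keeps boot moving if the accounts the early boot path needs are also in the local files and listed before ldap in /etc/nsswitch.conf; it does not make udev's own lookups succeed.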
Why not set the /etc/nsswitch.conf file to first look up the local group and passwd files and only then to look up the ldap... That way udev (and other services) should have all the system users/groups it needs to start/work?
I think the syntax would be:
passwd: files ldap
group: files ldap
Am I missing something here??
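The two fixes proposed in this thread, rewriting group names in the udev rules to numbers (the post that switched "all group names to their numerical mappings") and putting files before ldap in nsswitch.conf (the post just above), rest on the same condition: every OWNER= and GROUP= that udev references must be satisfiable from /etc/passwd and /etc/group, because any name that is not there still falls through to the ldap module and blocks before the network is up. The script below is an added example, not code from the thread. It scans a rules file for OWNER=/GROUP= names, resolves them against local passwd/group files read directly (not through getent or id, which would go through nsswitch.conf and trigger the very lookup in question), reports the names that would still reach LDAP, and can rewrite the locally resolvable ones to numeric IDs. The function names are mine and the rules and account files it runs on are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: audit udev rules for OWNER=/GROUP= names
# and resolve them against the local account files only, never through NSS.

# awk prologue shared by both functions: load name->id maps from the passwd
# and group files passed in as awk variables.
_ids_loader='
BEGIN {
    while ((getline line < passwd) > 0) { if (split(line, f, ":") >= 3) users[f[1]]  = f[3] }
    while ((getline line < group)  > 0) { if (split(line, f, ":") >= 3) groups[f[1]] = f[3] }
    close(passwd); close(group)
}
'

# udev_id_check RULES PASSWD GROUP
# Prints "OWNER name" / "GROUP name" for every name that is not in the local
# files; with "group: files ldap" these are exactly the lookups that still
# reach LDAP at boot.
udev_id_check() {
    awk -v passwd="$2" -v group="$3" "$_ids_loader"'
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        s = $0
        while (match(s, /(OWNER|GROUP)[ \t]*:?=[ \t]*"[^"]*"/)) {
            kv = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
            key = substr(kv, 1, 5)
            val = kv; sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
            if (val ~ /^[0-9]+$/) continue               # already numeric
            if (key == "OWNER" && !(val in users))  print key, val
            if (key == "GROUP" && !(val in groups)) print key, val
        }
    }' "$1"
}

# udev_id_rewrite RULES PASSWD GROUP
# Echoes the rules with every locally resolvable OWNER/GROUP name replaced by
# its numeric id. Names that cannot be resolved locally are left untouched so
# that udev_id_check can still report them.
udev_id_rewrite() {
    awk -v passwd="$2" -v group="$3" "$_ids_loader"'
    {
        s = $0; out = ""
        while (match(s, /(OWNER|GROUP)[ \t]*:?=[ \t]*"[^"]*"/)) {
            kv = substr(s, RSTART, RLENGTH)
            out = out substr(s, 1, RSTART - 1)
            s = substr(s, RSTART + RLENGTH)
            key = substr(kv, 1, 5)
            pre = kv; sub(/"[^"]*"$/, "", pre)          # e.g. GROUP= or GROUP:=
            val = kv; sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
            id = ""
            if (val !~ /^[0-9]+$/) {
                if (key == "OWNER" && (val in users))  id = users[val]
                if (key == "GROUP" && (val in groups)) id = groups[val]
            }
            out = out ((id != "") ? pre "\"" id "\"" : kv)
        }
        print out s
    }' "$1"
}

# write_sample_files DIR: constructed sample data (not from any real system),
# mirroring the "half numbers, half names" rules described in the thread.
write_sample_files() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'daemon:x:2:2:daemon:/sbin:/bin/false' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'disk:x:6:' 'uucp:x:14:' 'video:x:91:' > "$1/group"
    printf '%s\n' \
        '# constructed sample rules' \
        'KERNEL=="sd*", GROUP="disk"' \
        'KERNEL=="ttyS*", GROUP="uucp", MODE="0660"' \
        'KERNEL=="video*", OWNER="root", GROUP:="video"' \
        'KERNEL=="rfcomm*", GROUP="ldapusers"' \
        'SUBSYSTEM=="usb", GROUP="100"' > "$1/10-sample.rules"
}

# Demo run on the constructed data.
_tmp=$(mktemp -d)
write_sample_files "$_tmp"
echo "names that would still go to LDAP:"
udev_id_check   "$_tmp/10-sample.rules" "$_tmp/passwd" "$_tmp/group"
echo "rules rewritten to numeric ids:"
udev_id_rewrite "$_tmp/10-sample.rules" "$_tmp/passwd" "$_tmp/group"
rm -rf "$_tmp"
```

On a real system run it as `udev_id_check /etc/udev/udev.rules /etc/passwd /etc/group` (one rules file per call); anything it prints is a name udev cannot satisfy from local files, so either add that user or group locally or keep it out of the rules. Reading the files directly rather than calling getent is deliberate: getent honours nsswitch.conf, so on the broken configuration it would block in exactly the way udev does.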