On Thu, 28 Apr 2011, Scott Robbins wrote:
On Thu, Apr 28, 2011 at 03:52:44PM +0100, John Hodrien wrote:
On Thu, 28 Apr 2011, Mattias Geniar wrote:
could be a work-around I can live with, but it doesn't appear there is.
I'd hope you'd see these problems almost entirely go away in future with a switch to sssd rather than nss_ldap, as it makes the whole process a lot more stateful and aware of what's going on.
Fear not, Fedora has managed to have that break things for many people too.
I see they just closed the bug with a won't fix, though the fix is known and available.
Having an rc.local that does an nsswitch.conf twiddle is probably a viciously robust way of dealing with this problem...
Unnecessary too. :) See my earlier email.
I might as well give a link to my ldap page, so if anyone else comes across this, they can see the issue mentioned with fix.
bind_policy soft isn't a panacea in my experience. I've had failures that aren't fixed with this (I've had udev go into a world of its own stopping the machine booting).
nss_ldap's just a bit sucky by design. It lacks any caching, and nscd simply isn't in a position to provide it in a sane manner. Performance with large directories and nested groups is terrible unless you completely avoid enumeration of groups which breaks some tools.
jh