I use the following to prevent hanging at startup with LDAP.
nss_initgroups_ignoreusers root,ldap,bacula,named
timelimit 30
bind_timelimit 30
bind_policy soft
This is because some daemons start prior to the start of OpenLDAP service.
Obviously adding haldaemon, dbus, radvd, tomcat, etc. or other 'users' for daemons that launch prior to your LDAP server application is useful, but those users would have to be listed in /etc/passwd|group to significantly benefit.
Craig
Hi Craig,
The problem I have with listing those ignoreusers is that you need to know in advance which services are on the system, and that's not always the case. Or if a user installs a new daemon, he'll break his start-up of the server should he ever be unable to connect to the LDAP systems.
Perhaps I'm asking too much, but could anyone try the following config (in a VM or so, with networking disabled)? This is the one that is causing boots to hang indefinitely, even though there are "bind_policy soft" parameters involved.
/etc/ldap.conf
=======================================
ldap_version 3
base ou=people,o=company
uri ldaps://srv.domain.be/ ldaps://srv2.domain.be/
scope sub
timelimit 5
bind_timelimit 5
bind_policy soft
idle_timelimit 15
timeout 5

# If the LDAP server is unavailable during boot, don't retry too often
# or the system will hang on the System Message Bus service
bind_timeout 2
#nss_reconnect_tries 2
#nss_reconnect_sleeptime 1
#nss_reconnect_maxsleeptime 3
#nss_reconnect_maxconntries 2

referrals no

ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_min_uid 5000
pam_max_uid 6000
#pam_groupdn cn= company -shared,ou=groups,o=company
pam_groupdn cn= company -managed,ou=groups,o=company
pam_member_attribute memberUid
pam_password md5

nss_base_passwd ou=people,o= company
nss_base_shadow ou=people,o= company
nss_base_group ou=groups,o= company

#debug 255
#logdir /tmp/
=======================================
Or if anyone else can spot an obvious "Dude, why the f#!? did you put in those lines"-error, please inform me. :-)
Thanks everyone for your interest and comments!
Kind regards, Mattias
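
Added example, not written by either poster: one way to avoid maintaining the nss_initgroups_ignoreusers list by hand is to generate it from the local passwd file, so a newly installed daemon account is picked up on the next run. It assumes every local account with a UID below pam_min_uid (5000 in the config above) is a daemon or system user; the function names and the sample passwd data are constructed for illustration.

```shell
#!/bin/sh
# Build an nss_initgroups_ignoreusers line from local accounts.
# Assumption: accounts with a UID below MIN_LDAP_UID are local daemon/system
# users; 5000 matches pam_min_uid in the posted /etc/ldap.conf.
MIN_LDAP_UID=5000

# Print a comma-separated list of users with UID < $2 from passwd file $1
# ("-" reads standard input).
local_users_below() {
    awk -F: -v max="$2" '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        $1 ~ /^[+-]/   { next }        # skip NIS compat entries
        $3 ~ /^[0-9]+$/ && $3 < max && !seen[$1]++ {
            list = list (list == "" ? "" : ",") $1
        }
        END { print list }
    ' "$1"
}

# Emit the directive for passwd file $1 (default: /etc/passwd).
# Prints nothing when no local account qualifies.
ignoreusers_line() {
    users=$(local_users_below "${1:-/etc/passwd}" "$MIN_LDAP_UID")
    if [ -n "$users" ]; then
        printf 'nss_initgroups_ignoreusers %s\n' "$users"
    fi
}

# Constructed sample passwd data (not taken from the thread).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
# local comment line
jdoe:x:5001:5001:LDAP-range user:/home/jdoe:/bin/bash
+::::::
EOF
}

# Demo on the constructed data; call ignoreusers_line with no argument
# to read the real /etc/passwd instead.
sample_passwd | ignoreusers_line -
```

Only accounts present in the local passwd file end up in the list, which matches Craig's point that ignored users must exist locally to benefit.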