On Thu, 28 Apr 2011, Scott Robbins wrote:

> On Thu, Apr 28, 2011 at 03:52:44PM +0100, John Hodrien wrote:
>> On Thu, 28 Apr 2011, Mattias Geniar wrote:
>>
>>> could be a work-around I can live with, but it doesn't appear there is.
>>
>> I'd hope you'd see these problems almost entirely go away in future with a
>> switch to sssd rather than nss_ldap, as it makes the whole process a lot more
>> stateful and aware of what's going on.
>>
>
> Fear not, Fedora has managed to have that break things for many people
> too.
>
> I see they just closed the bug with a won't fix, though the fix is known
> and available.
>
>
>> Having an rc.local that does an nsswitch.conf twiddle is probably a viciously
>> robust way of dealing with this problem...
>
> Unnecessary too. :) See my earlier email.
>
> I might as well give a link to my ldap page, so if anyone else comes
> across this, they can see the issue mentioned with fix.
>
> http://home.roadrunner.com/~computertaijutsu/ldap.html

bind_policy soft isn't a panacea in my experience. I've had failures that aren't fixed with this (I've had udev go into a world of its own stopping the machine booting).

nss_ldap's just a bit sucky by design. It lacks any caching, and nscd simply isn't in a position to provide it in a sane manner. Performance with large directories and nested groups is terrible unless you completely avoid enumeration of groups, which breaks some tools.

jh