[CentOS] LDAPs causing System Message Bus to hang when there's no network

Thu Apr 28 15:12:49 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Thu, 28 Apr 2011, Scott Robbins wrote:

> On Thu, Apr 28, 2011 at 03:52:44PM +0100, John Hodrien wrote:
>> On Thu, 28 Apr 2011, Mattias Geniar wrote:
>>
>>> could be a work-around I can live with, but it doesn't appear there is.
>>
>> I'd hope you'd see these problems almost entirely go away in future with a
>> switch to sssd rather than nss_ldap, as it makes the whole process a lot more
>> stateful and aware of what's going on.
>>
>
> Fear not, Fedora has managed to have that break things for many people
> too.
>
> I see they just closed the bug with a won't fix, though the fix is known
> and available.
>
>
>> Having an rc.local that does an nsswitch.conf twiddle is probably a viciously
>> robust way of dealing with this problem...
>
> Unnecessary too.  :)  See my earlier email.
>
> I might as well give a link to my ldap page, so if anyone else comes
> across this, they can see the issue mentioned with fix.
>
> http://home.roadrunner.com/~computertaijutsu/ldap.html

bind_policy soft isn't a panacea in my experience.  I've had failures that
aren't fixed with this (I've had udev go into a world of its own stopping the
machine booting).

nss_ldap's just a bit sucky by design.  It lacks any caching, and nscd simply
isn't in a position to provide it in a sane manner.  Performance with large
directories and nested groups is terrible unless you completely avoid
enumeration of groups which breaks some tools.

jh
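The "rc.local that does an nsswitch.conf twiddle" mentioned above, written out as an added example that is not part of the thread or of any CentOS package: if the directory server cannot be reached at boot, the `ldap` source is dropped from the passwd/group/shadow lines so glibc never calls into nss_ldap and nothing blocks on it. The host name, the use of `nc` for the reachability probe, and the sample nsswitch.conf contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: $1 is the LDAP host,
# the directory listens on TCP 389, and a "nc" that understands -z -w
# is installed. The nsswitch.conf content below is constructed.

# Return 0 if a TCP connect to the LDAP port succeeds within 3 seconds.
ldap_reachable() {
    nc -z -w 3 "$1" "${2:-389}" >/dev/null 2>&1
}

# Rewrite $1 in place, removing the "ldap" token from the passwd, group
# and shadow lines. Every other line (hosts, networks, ...) is untouched.
# A one-time backup is kept next to the file so the change can be undone.
strip_ldap_from_nsswitch() {
    file="$1"
    tmp="$file.tmp.$$"
    [ -f "$file.ldapbak" ] || cp "$file" "$file.ldapbak"
    awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != "ldap") out = out " " $i
            print out
            next
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a constructed copy rather than the real /etc/nsswitch.conf.
demo=$(mktemp)
printf 'passwd:     files ldap\ngroup:      files ldap\nshadow:     files ldap\nhosts:      files dns\n' > "$demo"
strip_ldap_from_nsswitch "$demo"
cat "$demo"
rm -f "$demo" "$demo.ldapbak"

# What rc.local would actually run (host name is an assumption):
#   ldap_reachable ldap.example.com || strip_ldap_from_nsswitch /etc/nsswitch.conf
```

Two caveats a practitioner will hit: glibc reads nsswitch.conf once per process, so only services started after rc.local see the change, and nothing here puts `ldap` back when the network returns (restore from the `.ldapbak` copy, or re-run the probe from a cron job or network-up hook). It is a blunt instrument, which is exactly why it is robust.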