[CentOS] LDAPs causing System Message Bus to hang when there's no network

Thu Apr 28 15:22:52 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Thu, 28 Apr 2011, Mattias Geniar wrote:

> I read quite a few topics on that solving the issue, but it didn't seem
> to be that case in my environment.
> Are there other workarounds/tips if the bind_policy doesn't work? The
> rc.local  hack seems ... ugly ... and embarrassing if a client would
> ever find it out. :-)

Automatic generation of the nss_initrgroups_ignoreusers line on boot?  A
creative patch to nss_ldap?

Current versions of sssd look really promising to me (I tested against a
candidate for RHEL 6.1), and offer workable performance compared to a heavily
hacked nss_ldap against a large LDAP tree (much better than an unmodified
nss_ldap).

I also seemed to recall that bind_policy soft potentially opened you up to
security issues.  An allow all, deny denied-people would let someone in if
ldap timed out.  Variations on that would presumably leak if you throw nscd
into the mix.

Newer versions of nss_ldap support nss_initgroups_minimum_uid 500, so
presumably that has a good chance of solving your problem.

jh