--On Thursday, April 28, 2011 10:53:52 AM -0400 Scott Robbins <scottro at nyc.rr.com> wrote:

> On Thu, Apr 28, 2011 at 04:21:58PM +0200, Mattias Geniar wrote:
>> I've tracked this down to the following known bug in Redhat, but
>> it dates back to early 2010.
>> https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46
>
> Yes, the bug is actually older than that *sigh*

Yes, I've been tripping up on this one, on and off, since 2006 in FC5. AFAIK, nobody ever looked into my strace comment of <https://bugzilla.redhat.com/show_bug.cgi?id=182464#c10>, although <https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46> (four years later) seems related. Probably moot now anyway as nobody is interested in fixing it since sssd will cure all ills and bring world peace. (Insert sarcasm/skepticism as appropriate.)

Be aware that "bind_policy soft" may have some undesirable consequences, depending on your environment. For example, if you have a mail server that does user lookup based on LDAP and your LDAP server goes away (before or after the mail server boots), then while your LDAP server is offline you can get mail bouncing permanently with "no such user" rather than temporarily with "system not available"-type messages.

Mitigation strategies that I've done in the past include:

1. never using 'bind_policy soft'
2. having at least one replica LDAP server (which is a good idea anyway)
3. putting LDAP on machines which themselves are not LDAP clients, thus ensuring that although clients may get blocked on boot, the LDAP server itself does not

In recent CentOS 5 versions, I've had much better luck avoiding (3) as long as, using system-config-authentication, one enables "Local authorization is sufficient for local users" under the Options tab.

And for the record, despite this particularly annoying bug, I'm still a strong advocate of using LDAP for user and group provisioning.

Devin
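The bounce problem Devin describes comes from a lookup path that collapses "directory unreachable" into "user does not exist" (getpwnam(3) returns NULL in both cases, so a caller that ignores errno cannot tell them apart). The following is an added model, not code from this thread or from nss_ldap: it stands in a fake directory for the LDAP server, shows the lossy mail-server decision beside one that keeps transient and permanent failures apart, and uses constructed user names and status names throughout.

```python
"""Model of why 'bind_policy soft' can turn an LDAP outage into permanent
5xx bounces, and of a lookup layer that preserves the distinction.
All names and data here are constructed for illustration."""
from enum import Enum


class NssStatus(Enum):
    SUCCESS = "success"
    NOTFOUND = "notfound"   # the user definitely does not exist
    UNAVAIL = "unavail"     # directory unreachable; the answer is unknown


# Constructed directory contents standing in for the LDAP server.
DIRECTORY = {"alice": 1001, "bob": 1002}


def ldap_lookup(user, ldap_up):
    """Stand-in for an nss_ldap getpwnam call under bind_policy soft:
    a failed bind is reported immediately instead of blocking/retrying."""
    if not ldap_up:
        return NssStatus.UNAVAIL, None
    uid = DIRECTORY.get(user)
    if uid is None:
        return NssStatus.NOTFOUND, None
    return NssStatus.SUCCESS, uid


def smtp_reply_lossy(user, ldap_up):
    """Mail server that only asks 'did the lookup return an entry?'.
    Any failure, including an outage, becomes a permanent 550 bounce."""
    status, _ = ldap_lookup(user, ldap_up)
    return "250 OK" if status is NssStatus.SUCCESS else "550 no such user"


def smtp_reply_safe(user, ldap_up):
    """Mail server that keeps transient and permanent failures apart:
    an unreachable directory yields a 4xx temp-fail so the sender retries,
    and only a definite NOTFOUND produces a 5xx bounce."""
    status, _ = ldap_lookup(user, ldap_up)
    if status is NssStatus.SUCCESS:
        return "250 OK"
    if status is NssStatus.UNAVAIL:
        return "450 system not available, try again later"
    return "550 no such user"


if __name__ == "__main__":
    for up in (True, False):
        print("ldap_up=%s lossy=%r safe=%r" % (
            up, smtp_reply_lossy("alice", up), smtp_reply_safe("alice", up)))
```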