[CentOS] LDAPs causing System Message Bus to hang when there's no network
John Hodrien
J.H.Hodrien at leeds.ac.uk
Thu Apr 28 15:22:52 UTC 2011
On Thu, 28 Apr 2011, Mattias Geniar wrote:
> I read quite a few topics on that solving the issue, but it didn't seem
> to be that case in my environment.
> Are there other workarounds/tips if the bind_policy doesn't work? The
> rc.local hack seems ... ugly ... and embarrassing if a client would
> ever find it out. :-)
Automatic generation of the nss_initgroups_ignoreusers line on boot? A
creative patch to nss_ldap?

Current versions of sssd look really promising to me (I tested against a
candidate for RHEL 6.1), and offer workable performance compared to a heavily
hacked nss_ldap against a large LDAP tree (much better than an unmodified
nss_ldap).

I also seemed to recall that bind_policy soft potentially opened you up to
security issues. An allow all, deny denied-people would let someone in if
ldap timed out. Variations on that would presumably leak if you throw nscd
into the mix.

Newer versions of nss_ldap support nss_initgroups_minimum_uid 500, so
presumably that has a good chance of solving your problem.
jh
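One way to do the "generate the nss_initgroups_ignoreusers line on boot" idea from the reply above, as an added example that is not part of this thread: it lists the local accounts below a UID threshold (500 is assumed here, the first non-system UID on CentOS 5/6) and rewrites or appends that single line in a copy of ldap.conf, so the daemons that start before the network is up never trigger an LDAP group lookup. The passwd and ldap.conf paths are passed as arguments (an assumption, so it can be tried on copies before touching /etc).

```shell
#!/bin/sh
# Added example: build nss_initgroups_ignoreusers from the local passwd file.
# Assumption: callers pass the passwd file and ldap.conf path explicitly.

# Print a comma-separated list of local users whose UID is below $2
# (default 500: system accounts such as root, bin, dbus, haldaemon).
local_users() {
    passwd_file="$1"
    max_uid="${2:-500}"
    awk -F: -v max="$max_uid" '
        $3 < max {
            if (names != "") names = names ","
            names = names $1
        }
        END { print names }
    ' "$passwd_file"
}

# Emit ldap.conf ($1) with exactly one nss_initgroups_ignoreusers line set
# to the user list ($2): the first existing line is replaced, any duplicate
# is dropped, and the line is appended if the file had none. Output goes to
# stdout so the caller decides whether to install it over /etc/ldap.conf.
rewrite_ldap_conf() {
    conf="$1"
    users="$2"
    awk -v line="nss_initgroups_ignoreusers $users" '
        /^[ \t]*nss_initgroups_ignoreusers[ \t]/ {
            if (!done) { print line; done = 1 }
            next
        }
        { print }
        END { if (!done) print line }
    ' "$conf"
}

# Typical boot-time use (run as root, e.g. from an init script):
#   users=$(local_users /etc/passwd 500)
#   rewrite_ldap_conf /etc/ldap.conf "$users" > /etc/ldap.conf.new \
#       && mv /etc/ldap.conf.new /etc/ldap.conf
```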