[CentOS] LDAPs causing System Message Bus to hang when there's no network

Fri Apr 29 08:16:16 UTC 2011
Mattias Geniar <mattias at nucleus.be>

> ----
> I use the following to prevent hanging at startup with LDAP.
> 
> nss_initgroups_ignoreusers root,ldap,bacula,named
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> 
> This is because some daemons start prior to the start of OpenLDAP
> service.
> 
> Obviously adding haldaemon, dbus, radvd, tomcat, etc. or other 'users'
> for daemons that launch prior to your LDAP server application is useful
> but those users would have to be listed in /etc/passwd|group to
> significantly benefit.
> 
> Craig

Hi Craig,

The problem I have with listing those ignoreusers is that you need to know
in advance which services are on the system, and that's not always the
case. Or if a user installs a new daemon, he'll break his start-up of
the server should he ever be unable to connect to the LDAP systems.

Perhaps I'm asking too much, but could anyone try the following config
(in a VM or so, with networking disabled)? This is the one that is
causing boots to hang indefinitely, even though there are "bind_policy
soft" parameters involved.

/etc/ldap.conf
=======================================
ldap_version 3
base ou=people,o=company
uri ldaps://srv.domain.be/ ldaps://srv2.domain.be/
scope sub
timelimit 5
bind_timelimit 5
bind_policy soft
idle_timelimit 15
timeout 5

# If the LDAP server is unavailable during boot, don't retry too often
# or the system will hang on the System Message Bus service
bind_timeout 2
#nss_reconnect_tries 2
#nss_reconnect_sleeptime 1
#nss_reconnect_maxsleeptime 3
#nss_reconnect_maxconntries 2

referrals no

ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_min_uid 5000
pam_max_uid 6000
#pam_groupdn cn= company -shared,ou=groups,o=company
pam_groupdn cn= company -managed,ou=groups,o=company
pam_member_attribute memberUid
pam_password md5

nss_base_passwd ou=people,o= company
nss_base_shadow ou=people,o= company
nss_base_group ou=groups,o= company

#debug 255
#logdir /tmp/
=======================================

Or if anyone else can spot an obvious "Dude, why the f#!? did you put in
those lines"-error, please inform me. :-)

Thanks everyone for your interest and comments!

Kind regards,
Mattias
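
An added example, not part of the original post or thread: a small Python audit that compares `nss_initgroups_ignoreusers` in an ldap.conf against the local passwd file, so the ignore list can be regenerated whenever a new daemon account appears, and that also reports directives given more than once with different values. The sample inputs are constructed, and the UID cutoff of 500 for daemon accounts is an assumption.

```python
# Constructed sample inputs for illustration (not from a real host).
LDAP_CONF = """\
uri ldaps://srv.domain.be/ ldaps://srv2.domain.be/
bind_policy soft
nss_initgroups_ignoreusers root,ldap,bacula,named
ssl start_tls
ssl on
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
mattias:x:5001:5001::/home/mattias:/bin/bash
"""
SYSTEM_UID_MAX = 500  # assumption: UIDs below this are local daemon accounts


def parse_conf(text):
    """Map each directive to the list of values it was given, in file order."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def accounts(passwd_text, uid_max=SYSTEM_UID_MAX):
    """Names from a local passwd file whose UID is below uid_max."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [r[0] for r in rows if len(r) > 2 and r[2].isdigit() and int(r[2]) < uid_max]


def audit(conf_text, passwd_text):
    conf = parse_conf(conf_text)
    daemons = accounts(passwd_text)
    everyone = accounts(passwd_text, float("inf"))
    ignored = [u for v in conf.get("nss_initgroups_ignoreusers", []) for u in v.split(",") if u]
    return {
        # Craig's caveat: listed in the ignore list but not in the local passwd file
        "missing_locally": [u for u in ignored if u not in everyone],
        # local daemon accounts not covered by the ignore list
        "not_ignored": [u for u in daemons if u not in ignored],
        # directives given more than once with different values
        "conflicts": {k: v for k, v in conf.items() if len(set(v)) > 1},
        "suggested": "nss_initgroups_ignoreusers " + ",".join(daemons),
    }


if __name__ == "__main__":
    for name, value in audit(LDAP_CONF, PASSWD).items():
        print(name, "->", value)
```

To use it on a real host, pass the contents of /etc/ldap.conf and /etc/passwd to `audit()` instead of the constructed samples.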