[CentOS] LDAPs causing System Message Bus to hang when there's no network

Tue May 3 11:52:20 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 3 May 2011, Mattias Geniar wrote:

> Understandable, but since a lot of people are still going to stick with
> CentOS 4/5 for legacy reasons, I would argue that nss_ldap is still
> worth "fixing".

I'm not saying it's not worth fixing, I suspect it's fundamentally unfixable
without a complete redesign.

> It's not as fancy as sssd of course, but it's what people are using
> right now. :-)

Too much assumes that NSS information is quick and reliable.  Lots of it seems
to be designed around the assumption that random queries are expensive, and
reading through the whole password file is cheap.  nscd then perches on top of
this and tries to paper over the fact this is all untrue.

Throw nss_ldap at a big tree (~85k users, and an equally large number of
groups) and watch it suffer horribly.  Watch it take minutes to decide
whether or not I should be allowed to log in (even where that access control
list is a local group).  Throw nscd into the mix.  Watch it do one query
through nscd, but then time out as it assumes nscd is broken, so does the
whole query again missing out nscd.  Wait until nscd eventually crashes under
the strain...

sssd answers a lot of these questions.  It's definitely not a perfect
replacement yet, but it's going in the right direction if you ask me.

jh