[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd breaks NSS, NSS breaks slapd



On Tuesday 12 August 2008 12:01:16 Emmanuel Dreyfus wrote:
> On Tue, Aug 12, 2008 at 11:17:13AM +0200, Buchan Milne wrote:
> > Anyway, I will point out that this issue is more or less an FAQ on the
> > nss_ldap list.
>
> IMO, the problem is in slapd: it starts listening for requests while
> it is not ready yet for answering requests.
>
> If the listener was not ready when slapd would do its initgroups() call,
> then NSS would not contact local slapd, it would fallback to other sources
> (/etc/passwd and /etc/group), and everything would be fine.

Only for your case, where it is nss_ldap is preventing slapd from starting, 
not the case where haldaemon (or similar, but haldaemon is the most common 
suspect on RedHat-based systems).

> What about a new slapd.conf option?
> delayed_service	{none|warm|syncrepl}

Add another option, database

> and slapd would...
> ... behave as it does now for "none"
> ... return LDAP_UNAVAILABLE until initialization is completed for "warm"
> ... return LDAP_UNAVAILABLE until syncrepl catch up with master for
> "syncrepl"
return LDAP_UNAVAILABLE until all databases are recovered and started.

> The later option would fix the stupid situation where your replica starts
> and answer outdated stuff until syncrepl catch up.

Yes, this would be useful to me. But, I don't see a need for this to solve the 
chicken/egg slapd vs nss_ldap issue (because this is a sub-set of the whole 
problem).

Regards,
Buchan