Thursday, January 31, 2008

Gutsy LDAP NSS and boot failures

There are plenty of bug reports out there from disgruntled Gutsy upgraders whose systems fail to boot once the upgrade completes. I was bitten by the same thing.

The upshot is that Gutsy has changed the boot order of services (udev in particular), so there is no chicken and no egg to start the user database with: udev rules name groups that only exist in LDAP, nss_ldap is asked to resolve them before slapd (or even the network) is up, and the lookup never gives up, so the boot just sits there waiting for NSS resolution.

The fixes suggested in those reports aren't quite right. The answers mooted so far are:
  1. Grep /etc/udev/rules.d/ for instances of GROUP= and make sure every group mentioned exists in the local /etc/group.
  2. Edit nsswitch.conf and put [UNAVAIL=return] after each ldap source.
Neither of these worked for me, for reasons I haven't pinned down.

There is one (fairly nasty) solution which does seem to work, as follows:
  1. Copy /etc/nsswitch.conf to /etc/nsswitch.conf.ldap and /etc/nsswitch.conf.noldap.
  2. Edit /etc/nsswitch.conf.noldap to (you guessed it) drop the ldap source from every line that lists it.
  3. Add the following at the end of start_slapd() in /etc/init.d/slapd:
    cp /etc/nsswitch.conf.ldap /etc/nsswitch.conf
  4. Add the following at the end of stop_slapd() in /etc/init.d/slapd:
    cp /etc/nsswitch.conf.noldap /etc/nsswitch.conf
  5. Create the file /etc/network/if-down.d/nsswitch-noldap containing:
    cp /etc/nsswitch.conf.noldap /etc/nsswitch.conf
  6. chmod +x /etc/network/if-down.d/nsswitch-noldap
On the face of it this is quite nasty, but it does mean the system keeps working whether slapd is running or not, which to my mind is a good thing! Two things to keep in mind: nothing here switches back to the ldap copy when an interface comes up, only a slapd start does, so this suits the case where slapd is local; and while the noldap copy is live, LDAP accounts are invisible to the system and LDAP-defined uids and gids show up as bare numbers, so an LDAP outage degrades service rather than hanging the box.
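The recipe above as a script, added here as an example rather than code from the original post: it derives the noldap copy from the ldap copy instead of hand-editing it (so the two can't drift apart), provides the one-liners the slapd and if-down hooks run, and reports which copy is live. The ETC variable, the function names and the nsswitch-swap.sh command syntax are assumptions of this example; run it as root against the real /etc, or point ETC at a scratch directory to try it out first.

```shell
#!/bin/sh
# Added example, not code from the original post: automates the
# nsswitch.conf.ldap / nsswitch.conf.noldap copy-and-swap scheme.
# ETC is an assumption so the functions can be exercised against a scratch
# directory instead of the real /etc.
ETC="${ETC:-/etc}"

# Write a copy of nsswitch.conf ($1) to $2 with the "ldap" source removed
# from every database line. A status/action group such as [UNAVAIL=return]
# that follows the ldap source belongs to it and is dropped as well
# (including multi-token groups like "[NOTFOUND=return UNAVAIL=return]").
# Comment and blank lines pass through untouched.
make_noldap() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { print; next }
    {
        out = $1; skip = 0; inact = 0
        for (i = 2; i <= NF; i++) {
            if (inact) { if ($i ~ /\]$/) inact = 0; continue }
            if ($i == "ldap") { skip = 1; continue }
            if (skip && $i ~ /^\[/) {
                if ($i !~ /\]$/) inact = 1
                continue
            }
            skip = 0
            out = out " " $i
        }
        print out
    }' "$1" > "$2"
}

# Steps 1 and 2 of the recipe: keep the current file as the ldap variant
# and generate the noldap variant from it.
setup_copies() {
    cp -p "$ETC/nsswitch.conf" "$ETC/nsswitch.conf.ldap"
    make_noldap "$ETC/nsswitch.conf.ldap" "$ETC/nsswitch.conf.noldap"
}

# Steps 3 and 4: the one-liners start_slapd()/stop_slapd() run. cp onto the
# existing file keeps its mode, so nsswitch.conf stays world-readable for
# every process that links against libc (it must be, or lookups fail outright).
use_ldap()   { cp "$ETC/nsswitch.conf.ldap"   "$ETC/nsswitch.conf"; }
use_noldap() { cp "$ETC/nsswitch.conf.noldap" "$ETC/nsswitch.conf"; }

# Report which variant is live: "ldap" if any non-comment database line
# still lists the ldap source, otherwise "files".
active_mode() {
    if awk '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
            END { exit !found }' "$ETC/nsswitch.conf"; then
        echo ldap
    else
        echo files
    fi
}

# Steps 5 and 6: install the if-down hook that drops back to the noldap copy.
install_ifdown_hook() {
    hook="$ETC/network/if-down.d/nsswitch-noldap"
    mkdir -p "$(dirname "$hook")"
    printf '#!/bin/sh\ncp %s/nsswitch.conf.noldap %s/nsswitch.conf\n' "$ETC" "$ETC" > "$hook"
    chmod 755 "$hook"
}

# Command-line use (assumed name): nsswitch-swap.sh setup|ldap|noldap|status|hook
case "${1:-}" in
    setup)  setup_copies ;;
    ldap)   use_ldap ;;
    noldap) use_noldap ;;
    status) active_mode ;;
    hook)   install_ifdown_hook ;;
esac
```

Running `nsswitch-swap.sh setup` once replaces steps 1 and 2; `nsswitch-swap.sh ldap` and `nsswitch-swap.sh noldap` are what to call from start_slapd() and stop_slapd(), and `nsswitch-swap.sh status` is a quick way to see which copy the box booted with.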

Anonymous said...

Instead of that, which is fairly kludgy, edit /etc/ldap.conf to have the following line:

bind_policy soft

This will allow the box to not hang if it can't get an LDAP answer for a name. Alternatively you can set another ldap.conf parameter such as nss_initgroups_ignoreusers to have nss_ldap not bother looking up groups like bin/sys/root/ldap/misclocalusergroup.
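The corresponding nss_ldap /etc/ldap.conf fragment, as an added example and not the commenter's own file: the hanging default beside the softened setting, plus the local-account exclusion the comment mentions. The server URI, base DN, timeout value and user list are placeholders.

```conf
# /etc/ldap.conf (nss_ldap / pam_ldap) -- added example, not the commenter's
# configuration. uri, base and the lists below are placeholders.
uri ldap://127.0.0.1/
base dc=example,dc=com

# The default. nss_ldap keeps retrying the bind, which is what stalls the
# boot when a lookup fires before slapd (or the network) is up.
#bind_policy hard

# Give up on a failed bind and report the source as unavailable, so NSS
# falls through to "files" instead of blocking the caller.
bind_policy soft

# Cap how long a single bind attempt may wait, in seconds.
bind_timelimit 5

# Never consult LDAP for the group memberships of local system accounts,
# so they resolve from /etc/group even when the server is unreachable.
nss_initgroups_ignoreusers root,bin,sys,daemon,ldap
```

The trade-off is that soft mode swaps a hang for a silent fallback: if the server is down, LDAP accounts simply do not exist as far as the box is concerned until it comes back, and a reachable-but-slow server still costs up to bind_timelimit seconds per lookup.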


Anonymous said...

