Debian Bug report logs - #375077
udevd: nss_ldap: failed to bind to LDAP server -> boot fails


Package: libnss-ldap; Maintainer for libnss-ldap is Debian QA Group <packages@qa.debian.org>; Source for libnss-ldap is src:libnss-ldap.

Reported by: Michael Schultheiss <schultmc@debian.org>

Date: Fri, 23 Jun 2006 05:03:01 UTC

Severity: critical

Merged with 375215, 391167

Found in versions libnss-ldap/251-1, libnss-ldap/251-5.1

Fixed in version 251-6

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@teco.edu>:
New Bug report received and forwarded. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@teco.edu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: udevd: nss_ldap: failed to bind to LDAP server -> boot fails
Date: Fri, 23 Jun 2006 06:55:40 +0200
Package: libnss-ldap
Version: 251-1
Severity: grave

The relevant parts of nsswitch.conf on my system look like this:

passwd:        files ldap
group:         files ldap
shadow:        files ldap

libnss_ldap is configured to query a remote LDAP server.
This makes booting stuck if you use udevd (which most systems will
do nowadays) so I'm filing this bug grave.
These are the messages I get:

INIT: version 2.86 booting
Starting the hotplug events dispatcher: udevd
udevd[374]: nss_ldap: could not connect to any LDAP server as (null) -
Can't contact LDAP server
udevd[374]: nss_ldap: failed to bind to LDAP server ldaps://foo.bar:
Can't contact LDAP server
udevd[374]: nss_ldap: could not connect to any LDAP server as (null) -
Can't contact LDAP server
udevd[374]: nss_ldap: failed to bind to LDAP server ldaps://foo.bar:
Can't contact LDAP server
udevd[374]: nss_ldap: could not connect to any LDAP server as (null) -
Can't contact LDAP server
udevd[374]: nss_ldap: failed to bind to LDAP server ldaps://foo.bar:
Can't contact LDAP server
udevd[374]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)
...
And so on. The sleep interval is doubled each time (4, 8, 16, 32, 64
seconds...). The boot process gets stuck completely. If I press Ctrl+C,
udevd is killed and no devices are created, causing the boot
process to fail completely.

I had to boot from a rescue CD to fix this and remove the above lines
from nsswitch.conf again.

Michael

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (300, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.1
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]       1.5.2        Debian configuration management sy
ii  libc6                       2.3.6-15     GNU C Library: Shared libraries
ii  libkrb53                    1.4.3-7      MIT Kerberos runtime libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   180-1      Pluggable Authentication Module al
ii  nscd                          2.3.6-15   GNU C Library: Name Service Cache 

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Benjamin Eikel <debian@eikel.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #10 received at 375077@bugs.debian.org (full text, mbox):

From: Benjamin Eikel <debian@eikel.org>
To: 375077@bugs.debian.org
Subject: Re: udevd: nss_ldap: failed to bind to LDAP server -> boot fails
Date: Fri, 23 Jun 2006 19:16:30 +0200
I have exactly the same bug. A friend of mine who uses Gentoo has this bug 
after the latest update too, so I think it is a bug in the upstream package, 
because they changed the bind_policy.

I have found a little workaround to be able to boot the system again:

Add the following lines to your /etc/ldap/ldap.conf or /etc/libnss-ldap.conf:

bind_policy hard
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 3

If you think the boot still takes too long, you can decrease these values
further. Another possibility would be to use "bind_policy soft", but if I use 
that option, some other services started after udevd cannot connect to the 
LDAP server correctly.
After booting the system, I am not able to log in as a user from the LDAP 
server, no matter what settings I try. Only local users work, but only if I 
change my /etc/nsswitch.conf:

Old:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

New:
passwd:         compat ldap
group:          compat #ldap
shadow:         compat ldap

If I do not uncomment the ldap for the group database, I am not able to log in 
as a local user (e.g. root) on a local console. Log in through ssh works 
strangely.

Regards,
Benjamin



Bug reassigned from package `libnss-ldap' to `initramfs-tools'. Request was from Stephen Frost <sfrost@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#375077; Package initramfs-tools. Full text and rfc822 format available.

Acknowledgement sent to maximilian attems <maks@sternwelten.at>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #17 received at 375077@bugs.debian.org (full text, mbox):

From: maximilian attems <maks@sternwelten.at>
To: 375077@bugs.debian.org, Michael Biebl <biebl@teco.edu>, Stephen Frost <sfrost@debian.org>
Subject: Re: initrd needs its own, static, nsswitch.conf
Date: Sat, 24 Jun 2006 09:52:45 +0200
reassign udev
stop

initramfs built by update-initramfs don't include an /etc/nsswitch.conf

> INIT: version 2.86 booting
> Starting the hotplug events dispatcher: udevd
> udevd[374]: nss_ldap: could not connect to any LDAP server as (null) -
> Can't contact LDAP server

also once INIT is called we have finished our job,
this is no longer early userspace, but usual init startups.
so passing this hot potato to udev.

i've already seen reports about this big trouble
-> http://www.jimmy.co.at/weblog/?p=70

regards

-- 
maks



Bug reassigned from package `initramfs-tools' to `udev'. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `udev' to `udev'. Request was from maximilian attems <maks@sternwelten.at> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #26 received at 375077@bugs.debian.org (full text, mbox):

From: md@Linux.IT (Marco d'Itri)
To: maximilian attems <maks@sternwelten.at>
Cc: 375077@bugs.debian.org, Michael Biebl <biebl@teco.edu>, Stephen Frost <sfrost@debian.org>
Subject: Re: initrd needs its own, static, nsswitch.conf
Date: Sat, 24 Jun 2006 11:56:11 +0200
[Message part 1 (text/plain, inline)]
On Jun 24, maximilian attems <maks@sternwelten.at> wrote:

> initramfs built by update-initramfs don't include an /etc/nsswitch.conf
It's not like udev does either, I think you have been a bit too fast in
reassigning this bug.

udev does not even know about LDAP, it just uses the libc interface.
What do you think it should do?
Possibly without horrible layering violations.

Maybe update-initramfs should install a useful nsswitch.conf.
How did other distributions solve this problem?

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to maximilian attems <maks@sternwelten.at>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #31 received at 375077@bugs.debian.org (full text, mbox):

From: maximilian attems <maks@sternwelten.at>
To: Marco d'Itri <md@Linux.IT>
Cc: 375077@bugs.debian.org, Michael Biebl <biebl@teco.edu>, Stephen Frost <sfrost@debian.org>
Subject: Re: initrd needs its own, static, nsswitch.conf
Date: Sat, 24 Jun 2006 12:10:03 +0200
On Sat, Jun 24, 2006 at 11:56:11AM +0200, Marco d'Itri wrote:
> On Jun 24, maximilian attems <maks@sternwelten.at> wrote:
> 
> > initramfs built by update-initramfs don't include an /etc/nsswitch.conf
> It's not like udev does either, I think you have been a bit too fast in
> reassigning this bug.

the weblog i've linked for had the same boot error 
and he was not using an initrd kernel.
 
> udev does not even know about LDAP, it just uses the libc interface.
> What do you think it should do?
> Possibly without horrible layering violations.

the errors happen when the sysvinit scripts call the udev scripts.
it seems udev with libnss expects a running ldap.
 
> Maybe update-initramfs should install a useful nsswitch.conf.
> How did other distributions solve this problem?

good question.


-- 
maks



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #36 received at 375077@bugs.debian.org (full text, mbox):

From: md@Linux.IT (Marco d'Itri)
To: maximilian attems <maks@sternwelten.at>
Cc: 375077@bugs.debian.org, Michael Biebl <biebl@teco.edu>, Stephen Frost <sfrost@debian.org>
Subject: Re: initrd needs its own, static, nsswitch.conf
Date: Sat, 24 Jun 2006 12:15:50 +0200
[Message part 1 (text/plain, inline)]
On Jun 24, maximilian attems <maks@sternwelten.at> wrote:

> > udev does not even know about LDAP, it just uses the libc interface.
> > What do you think it should do?
> > Possibly without horrible layering violations.
> the errors happen when the sysvinit scripts call the udev scripts.
> it seems udev with libnss expects a running ldap.
All udev expects is working getpwnam(3) and getgrnam(3) functions.
If libnss_ldap cannot guarantee them to work at boot time then I think
libnss_ldap is the problem.
This issue is exposed by udev because it's the first complex program
run at boot time, but it would affect other programs too.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Stephen Frost <sfrost@snowman.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #41 received at 375077@bugs.debian.org (full text, mbox):

From: Stephen Frost <sfrost@snowman.net>
To: Marco d'Itri <md@Linux.IT>
Cc: maximilian attems <maks@sternwelten.at>, 375077@bugs.debian.org, Michael Biebl <biebl@teco.edu>
Subject: Re: initrd needs its own, static, nsswitch.conf
Date: Sat, 24 Jun 2006 08:44:32 -0400
[Message part 1 (text/plain, inline)]
* Marco d'Itri (md@Linux.IT) wrote:
> On Jun 24, maximilian attems <maks@sternwelten.at> wrote:
> 
> > > udev does not even know about LDAP, it just uses the libc interface.
> > > What do you think it should do?
> > > Possibly without horrible layering violations.
> > the errors happen when the sysvinit scripts call the udev scripts.
> > it seems udev with libnss expects a running ldap.

Huh, alright, I thought udevd was started in the initrd but apparently
it's just udev that's run during initrd and udevd (which is the source
of the issues) isn't run till after initrd.

> All udev expects is working getpwnam(3) and getgrnam(3) functions.
> If libnss_ldap cannot guarantee them to work at boot time then I think
> libnss_ldap is the problem.

It's simply not possible for libnss-ldap to provide a correct answer
before networking or the slapd daemon has been started.  I can see about
making libnss-ldap fail faster so that the boot process isn't stopped
but that's really not a terrific solution either.  The usual way this is
handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
satisfies everything till things are far enough along for libnss-ldap to
be able to work.

> This issue is exposed by udev because it's the first complex program
> run at boot time, but it would affect other programs too.

Generally, things asking for NSS can be satisfied by 'files' until
networking and other things are available.  Actually, is there any
particular reason why udevd might want something beyond what would be
in local files (ie: system accounts)?  

Another possible approach would be to have a way of not installing
'ldap' as an option in the nsswitch.conf until it can be expected to be
working.  Actually, if that could be inverted during shutdown then we
could close the "can't unmount /usr" problem when shutting down with
'ldap' in nsswitch.conf (libnss-ldap uses the LDAP libraries which are
in /usr/lib, correctly).

What I've seen other distros do has been the 'fail faster' work-around.
I can probably do that but it'd be really nice to have a good
solution...

	Thanks,

		Stephen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Gasper Zejn <zejn@kiberpipa.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #46 received at 375077@bugs.debian.org (full text, mbox):

From: Gasper Zejn <zejn@kiberpipa.org>
To: 375077@bugs.debian.org
Subject: nss_ldap: failed to bind to LDAP server -> boot fails
Date: Sat, 24 Jun 2006 18:55:35 +0000
What about implementing check in libnss-ldap, to see if server 
is available after all?

What about checking if binding failed with no route to host, 
and just dropping retries in this case?

Regards,
Gašper Žejn



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #51 received at 375077@bugs.debian.org (full text, mbox):

From: md@Linux.IT (Marco d'Itri)
To: Stephen Frost <sfrost@snowman.net>, 375077@bugs.debian.org
Cc: maximilian attems <maks@sternwelten.at>, Michael Biebl <biebl@teco.edu>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sat, 24 Jun 2006 23:28:01 +0200
[Message part 1 (text/plain, inline)]
On Jun 24, Stephen Frost <sfrost@snowman.net> wrote:

> It's simply not possible for libnss-ldap to provide a correct answer
> before networking or the slapd daemon has been started.  I can see about
> making libnss-ldap fail faster so that the boot process isn't stopped
> but that's really not a terrific solution either.  The usual way this is
> handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
> satisfies everything till things are far enough along for libnss-ldap to
> be able to work.
So this would be a local configuration error?

> Generally, things asking for NSS can be satisfied by 'files' until
> networking and other things are available.  Actually, is there any
> particular reason why udevd might want something beyond what would be
> in local files (ie: system accounts)?  
Somebody or some package configuring it this way.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@teco.edu>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #56 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@teco.edu>
To: Marco d'Itri <md@Linux.IT>
Cc: Stephen Frost <sfrost@snowman.net>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sun, 25 Jun 2006 00:05:02 +0200
[Message part 1 (text/plain, inline)]
Marco d'Itri wrote:
> On Jun 24, Stephen Frost <sfrost@snowman.net> wrote:
> 
>> It's simply not possible for libnss-ldap to provide a correct answer
>> before networking or the slapd daemon has been started.  I can see about
>> making libnss-ldap fail faster so that the boot process isn't stopped
>> but that's really not a terrific solution either.  The usual way this is
>> handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
>> satisfies everything till things are far enough along for libnss-ldap to
>> be able to work.
> So this would be a local configuration error?
> 

As I posted in my initial bug report I already use
'files ldap', so I can't see the configuration error you mention.
If it is one, I'd be interested what the correct configuration is.

As a sidenote, I also don't use an initrd.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #61 received at 375077@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: 375077@bugs.debian.org
Subject: libnss_ldap problems during boot
Date: Sun, 25 Jun 2006 10:14:40 +0200
[Message part 1 (text/plain, inline)]
I was also bitten by this. At work we were hit earlier because we fetch
hosts from ldap (see #359713). We have modified /etc/init.d/udev to
edit /etc/nsswitch.conf on the fly (this is obviously a dirty hack).

Maybe it's a good idea to only enable libnss_ldap in the boot process
after networking is available and/or slapd has been started?

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Sergio Talens-Oliag <sto@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #66 received at 375077@bugs.debian.org (full text, mbox):

From: Sergio Talens-Oliag <sto@debian.org>
To: Michael Biebl <biebl@teco.edu>
Cc: Marco d'Itri <md@Linux.IT>, Stephen Frost <sfrost@snowman.net>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sun, 25 Jun 2006 15:43:47 +0200
[Message part 1 (text/plain, inline)]
El Sun, Jun 25, 2006 at 12:05:02AM +0200, Michael Biebl va escriure:
> Marco d'Itri wrote:
> > On Jun 24, Stephen Frost <sfrost@snowman.net> wrote:
> >> It's simply not possible for libnss-ldap to provide a correct answer
> >> before networking or the slapd daemon has been started.  I can see about
> >> making libnss-ldap fail faster so that the boot process isn't stopped
> >> but that's really not a terrific solution either.  The usual way this is
> >> handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
> >> satisfies everything till things are far enough along for libnss-ldap to
> >> be able to work.
> > So this would be a local configuration error?
> 
> As I posted in my initial bug report I already use
> 'files ldap', so I can't see the configuration error you mention.
> If it is one, I'd be interested what the correct configuration is.
> 
> As a sidenote, I also don't use an initrd.

Have you tried the configuration proposed on bug#349509?:

  passwd: files ldap [UNAVAIL=return]
  group:  files ldap [UNAVAIL=return]

It worked for me on a configuration similar to yours.

-- 
Sergio Talens-Oliag <sto@debian.org>   <http://people.debian.org/~sto/>
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Stephen Frost <sfrost@snowman.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #71 received at 375077@bugs.debian.org (full text, mbox):

From: Stephen Frost <sfrost@snowman.net>
To: Michael Biebl <biebl@teco.edu>
Cc: Marco d'Itri <md@Linux.IT>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sun, 25 Jun 2006 11:42:14 -0400
[Message part 1 (text/plain, inline)]
* Michael Biebl (biebl@teco.edu) wrote:
> Marco d'Itri wrote:
> > On Jun 24, Stephen Frost <sfrost@snowman.net> wrote:
> > 
> >> It's simply not possible for libnss-ldap to provide a correct answer
> >> before networking or the slapd daemon has been started.  I can see about
> >> making libnss-ldap fail faster so that the boot process isn't stopped
> >> but that's really not a terrific solution either.  The usual way this is
> >> handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
> >> satisfies everything till things are far enough along for libnss-ldap to
> >> be able to work.
> > So this would be a local configuration error?
> 
> As I posted in my initial bug report I already use
> 'files ldap', so I can't see the configuration error you mention.
> If it is one, I'd be interested what the correct configuration is.

The error we're talking about would actually be having a user or group
which udev wants to create a device for not in your /etc/passwd and
/etc/group local files respectively.  Do you think that might be the
case here?  Also, have you tried waiting it out?  Each request would end
up taking about 2 minutes, but technically it *should* give up
eventually..

	Thanks,

		Stephen
[signature.asc (application/pgp-signature, inline)]
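
One way to check the condition described in the message above (a udev rule naming a user or group that the local files cannot answer, so the lookup falls through to 'ldap'), together with the total sleep implied by the doubling intervals quoted in the initial report. This is an added example, not code from the bug log, udev or libnss-ldap; the sample passwd, group and rules contents are constructed, and the 64-second cap and the count of sleeps are assumptions of this simplified model.

```python
"""Added example: which udev OWNER=/GROUP= names would reach the ldap NSS source?"""
import re

# udev assignment keys that trigger getpwnam(3) / getgrnam(3) lookups.
RULE_KEY = re.compile(r'\b(OWNER|GROUP)\s*=\s*"([^"]+)"')
KEY_DB = {"OWNER": "passwd", "GROUP": "group"}
LOCAL_SOURCES = {"files", "compat"}


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping comments and [STATUS=action] items."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[db.strip()] = rest.split()
    return dbs


def local_names(text):
    """Names defined in a passwd- or group-format file (first colon-separated field)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and compat-style +/- include markers.
        if not line or line[0] in "#+-":
            continue
        names.add(line.split(":", 1)[0])
    return names


def names_reaching_ldap(nsswitch, passwd, group, rules):
    """Sorted (database, name) pairs that no local source listed before ldap can answer."""
    dbs = parse_nsswitch(nsswitch)
    known = {"passwd": local_names(passwd), "group": local_names(group)}
    hits = set()
    for line in rules.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for key, name in RULE_KEY.findall(line):
            db = KEY_DB[key]
            sources = dbs.get(db, [])
            # Numeric ids need no name lookup; no ldap source means no remote query.
            if name.isdigit() or "ldap" not in sources:
                continue
            before_ldap = set(sources[:sources.index("ldap")])
            if before_ldap & LOCAL_SOURCES and name in known[db]:
                continue  # answered locally, ldap is never consulted
            hits.add((db, name))
    return sorted(hits)


def backoff_seconds(first_sleep, sleeps, max_sleep=64):
    """Total seconds slept when the interval doubles after each failed attempt.

    Simplified model of the '4, 8, 16, 32, 64' sequence in the report; the cap
    and the number of sleeps are assumptions, not libnss-ldap's actual logic.
    """
    total, current = 0, first_sleep
    for _ in range(sleeps):
        total += current
        current = min(current * 2, max_sleep)
    return total


# nsswitch.conf lines as given in the initial report.
NSSWITCH_REPORT = """\
passwd:        files ldap
group:         files ldap
shadow:        files ldap
"""

# nsswitch.conf with the group database limited to the local source.
NSSWITCH_GROUP_LOCAL = """\
passwd:         compat ldap
group:          compat #ldap
shadow:         compat ldap
"""

# Constructed sample data (not taken from the bug log).
PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\n"
GROUP_SAMPLE = "root:x:0:\ndisk:x:6:\nnvram:x:107:\n"
RULES_SAMPLE = """\
# constructed udev rules
KERNEL=="sd*", GROUP="disk"
KERNEL=="nvram", GROUP="nvram"
KERNEL=="scanner*", OWNER="scanuser", GROUP="scanner"
KERNEL=="tty0", OWNER="0"
"""

if __name__ == "__main__":
    for db, name in names_reaching_ldap(
            NSSWITCH_REPORT, PASSWD_SAMPLE, GROUP_SAMPLE, RULES_SAMPLE):
        print(f"{db}: '{name}' is not in the local file and would be asked of ldap")
    print("sleep per blocked lookup (4 s doubling, 5 sleeps):",
          backoff_seconds(4, 5), "s")
```

Every pair the function returns is a lookup that blocks while the LDAP server is unreachable; an empty result only rules out the udev-rule cause, not other callers of getpwnam(3) or getgrnam(3).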

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Stephen Frost <sfrost@snowman.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #76 received at 375077@bugs.debian.org (full text, mbox):

From: Stephen Frost <sfrost@snowman.net>
To: Gasper Zejn <zejn@kiberpipa.org>, 375215@bugs.debian.org
Cc: Michael Biebl <biebl@teco.edu>, Sergio Talens-Oliag <sto@debian.org>, Marco d'Itri <md@Linux.IT>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375215: libnss-ldap hangs udev at startup
Date: Sun, 25 Jun 2006 12:14:53 -0400
[Message part 1 (text/plain, inline)]
* Gasper Zejn (zejn@kiberpipa.org) wrote:
> [pid  5186] connect(7, {sa_family=AF_INET, 
> sin_port=htons(389), sin_addr=inet_addr("10.10.7.99")}, 16) 
> = -1 ENETUNREACH (Network is unreachable)
> 
> clearly means network is not setup properly to be able to 
> reach LDAP server, since there's no matching route.
> 
> The 'getent passwd' command also blocks, while waiting for 
> response from unavailable LDAP server. The old libnss-ldap 
> returned immediately.
> 
> That's why I think this is a bug in libnss-ldap, not in udev.

The problem is that the LDAP library doesn't come back with "Network is
unreachable", it comes back with "LDAP_UNAVAILABLE" or
"LDAP_SERVER_DOWN", in either case it might be a transient error (LDAP
server is being restarted, temporary network hiccup, etc) and you
wouldn't want to fail right away for that (if you do, configure
libnss-ldap to have 'bind_policy soft').

I've been looking into a way for libnss-ldap to be able to tell if the
error was 'network unreachable' but it's not as easy as one might hope.
Additionally, when the local server *is* the LDAP server in question
you're not going to get a 'network unreachable' but rather a 'port
closed' or similar error and I'm not sure how you'd differentiate that
from someone restarting the server and it being down for a second.

I'm starting to think it might make sense to essentially check for
'boot-still-in-progress' and just fail requests until the system is
fully booted to a point where most daemons have been started (in case
the LDAP server is the local slapd) and networking should be available
(if it's going to end up being available at all).  This would
essentially *force* anything during boot to be available via files, but
I don't really think that's unreasonable.

Thoughts?

	Thanks,

		Stephen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@teco.edu>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #81 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@teco.edu>
To: Sergio Talens-Oliag <sto@debian.org>
Cc: Marco d'Itri <md@Linux.IT>, Stephen Frost <sfrost@snowman.net>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sun, 25 Jun 2006 18:15:51 +0200
[Message part 1 (text/plain, inline)]
Sergio Talens-Oliag wrote:
> El Sun, Jun 25, 2006 at 12:05:02AM +0200, Michael Biebl va escriure:
>> Marco d'Itri wrote:
>>> On Jun 24, Stephen Frost <sfrost@snowman.net> wrote:
>>>> It's simply not possible for libnss-ldap to provide a correct answer
>>>> before networking or the slapd daemon has been started.  I can see about
>>>> making libnss-ldap fail faster so that the boot process isn't stopped
>>>> but that's really not a terrific solution either.  The usual way this is
>>>> handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
>>>> satisfies everything till things are far enough along for libnss-ldap to
>>>> be able to work.
>>> So this would be a local configuration error?
>> As I posted in my initial bug report I already use
>> 'files ldap', so I can't see the configuration error you mention.
>> If it is one, I'd be interested what the correct configuration is.
>>
>> As a sidenote, I also don't use an initrd.
> 
> Have you tried the configuration proposed on bug#349509?:
> 
>   passwd: files ldap [UNAVAIL=return]
>   group:  files ldap [UNAVAIL=return]
> 
> It worked for me on a configuration similar to yours.

Thanks for the pointer but unfortunately it does not work for me.
I also tried with [NOTFOUND=return] as suggested in one of the example
files in /usr/share/doc/libnss-ldap.

Did you test this setup with the latest libnss-ldap package from unstable?

Cheers,
Michael


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@teco.edu>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #86 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@teco.edu>
To: Stephen Frost <sfrost@snowman.net>
Cc: Marco d'Itri <md@Linux.IT>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sun, 25 Jun 2006 18:19:10 +0200
[Message part 1 (text/plain, inline)]
Stephen Frost wrote:
> * Michael Biebl (biebl@teco.edu) wrote:
>> Marco d'Itri wrote:
>>> On Jun 24, Stephen Frost <sfrost@snowman.net> wrote:
>>>
>>>> It's simply not possible for libnss-ldap to provide a correct answer
>>>> before networking or the slapd daemon has been started.  I can see about
>>>> making libnss-ldap fail faster so that the boot process isn't stopped
>>>> but that's really not a terrific solution either.  The usual way this is
>>>> handled is that an nsswitch.conf is set up with 'files ldap' and 'files'
>>>> satisfies everything till things are far enough along for libnss-ldap to
>>>> be able to work.
>>> So this would be a local configuration error?
>> As I posted in my initial bug report I already use
>> 'files ldap', so I can't see the configuration error you mention.
>> If it is one, I'd be interested what the correct configuration is.
> 
> The error we're talking about would actually be having a user or group
> which udev wants to create a device for not in your /etc/passwd and
> /etc/group local files respectively.  Do you think that might be the

No, I don't have system groups/users in ldap, only user accounts which
should not be needed by udev (at least I did not setup a udev rule which
required a ldap user).

> case here?  Also, have you tried waiting it out?  Each request would end
> up taking about 2 minutes, but technically it *should* give up
> eventually..

I waited for something like 10min without success. But honestly this
wouldn't be a proper solution anyways.

Cheers,
Michael

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Sergio Talens-Oliag <sto@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #91 received at 375077@bugs.debian.org (full text, mbox):

From: Sergio Talens-Oliag <sto@debian.org>
To: Michael Biebl <biebl@teco.edu>
Cc: Marco d'Itri <md@Linux.IT>, Stephen Frost <sfrost@snowman.net>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Sun, 25 Jun 2006 21:02:59 +0200
[Message part 1 (text/plain, inline)]
El Sun, Jun 25, 2006 at 06:15:51PM +0200, Michael Biebl va escriure:
> > Have you tried the configuration proposed on bug#349509?:
> > 
> >   passwd: files ldap [UNAVAIL=return]
> >   group:  files ldap [UNAVAIL=return]
> > 
> > It worked for me on a configuration similar to yours.
> 
> Thanks for the pointer but unfortunately it does not work for me.
> I also tried with [NOTFOUND=return] as suggested in one of the example
> files in /usr/share/doc/libnss-ldap.
> 
> Did you test this setup with the latest libnss-ldap package from unstable?

No, sorry, I don't have access to the machines that used this setup right now,
and anyway they will not show this behaviour as I changed them to enable or
disable network related configurations using scripts on /etc/network/if-up.d/
and /etc/network/if-down.d/ to be able to boot with a simple configuration and
enable the use of services like LDAP or CUPS or perform tasks like mounting
public shares from a server only if a known network is detected.

-- 
Sergio Talens-Oliag <sto@debian.org>   <http://people.debian.org/~sto/>
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69
[signature.asc (application/pgp-signature, inline)]

Reply sent to Stephen Frost <sfrost@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Michael Biebl <biebl@teco.edu>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #96 received at 375077-close@bugs.debian.org (full text, mbox):

From: Stephen Frost <sfrost@debian.org>
To: 375077-close@bugs.debian.org
Subject: Bug#375077: fixed in libnss-ldap 251-4
Date: Mon, 26 Jun 2006 11:17:09 -0700
Source: libnss-ldap
Source-Version: 251-4

We believe that the bug you reported is fixed in the latest version of
libnss-ldap, which is due to be installed in the Debian FTP archive:

libnss-ldap_251-4.diff.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_251-4.diff.gz
libnss-ldap_251-4.dsc
  to pool/main/libn/libnss-ldap/libnss-ldap_251-4.dsc
libnss-ldap_251-4_amd64.deb
  to pool/main/libn/libnss-ldap/libnss-ldap_251-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 375077@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Frost <sfrost@debian.org> (supplier of updated libnss-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 26 Jun 2006 14:03:21 -0400
Source: libnss-ldap
Binary: libnss-ldap
Architecture: source amd64
Version: 251-4
Distribution: unstable
Urgency: low
Maintainer: Stephen Frost <sfrost@debian.org>
Changed-By: Stephen Frost <sfrost@debian.org>
Description: 
 libnss-ldap - NSS module for using LDAP as a naming service
Closes: 375077 375215
Changes: 
 libnss-ldap (251-4) unstable; urgency=low
 .
   * Added system which implicitly sets bind_policy to 'soft'
     during system boot/shutdown.  This is implemented by an
     init script run at end of system boot and start of system
     shutdown which creates/removes a file in /var/lib/libnss-ldap
     called 'bind_policy_soft'.  When this file exists the policy
     is treated as 'soft' regardless of the configuration in
     /etc/nss-ldap.conf.  Note that soft doesn't mean 'always
     fail' but rather only try to connect to each URI listed in
     the configuration file once, with no sleeping.
     Closes: #375077, #375215
Files: 
 c6bb562c3f4a52062665fb6956ffa598 669 net extra libnss-ldap_251-4.dsc
 d71dd39fbf1c96c96c5ef624518682e5 115203 net extra libnss-ldap_251-4.diff.gz
 42b9c63ea9d7f2ae4eb3fdec69369672 98588 net extra libnss-ldap_251-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEoCKorzgMPqB3kigRAuJ4AJ9HCTk4x053xpkh6urjFO2igub/pgCgiKI/
wDJSwVGQStaBXRw9Nod2Idw=
=zjZf
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Stephen Frost <sfrost@snowman.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #101 received at 375077@bugs.debian.org (full text, mbox):

From: Stephen Frost <sfrost@snowman.net>
To: Michael Biebl <biebl@teco.edu>
Cc: Marco d'Itri <md@Linux.IT>, 375077@bugs.debian.org, maximilian attems <maks@sternwelten.at>
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Mon, 26 Jun 2006 15:17:05 -0400
[Message part 1 (text/plain, inline)]
* Michael Biebl (biebl@teco.edu) wrote:
> > case here?  Also, have you tried waiting it out?  Each request would end
> > up taking about 2 minutes, but technically it *should* give up
> > eventually..
> 
> I waited for something like 10min without success. But honestly this
> wouldn't be a proper solution anyways.

Please try 251-5, I believe it'll help...

	Thanks,

		Stephen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@teco.edu>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #106 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@teco.edu>
To: 375077@bugs.debian.org
Subject: Re: Bug#375077 closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Tue, 27 Jun 2006 02:02:20 +0200
[Message part 1 (text/plain, inline)]
> Changes:
>  libnss-ldap (251-4) unstable; urgency=low
>  .
>    * Added system which implicitly sets bind_policy to 'soft'
>      during system boot/shutdown.  This is implemented by an
>      init script run at end of system boot and start of system
>      shutdown which creates/removes a file in /var/lib/libnss-ldap
>      called 'bind_policy_soft'.  When this file exists the policy
>      is treated as 'soft' regardless of the configuration in
>      /etc/nss-ldap.conf.  Note that soft doesn't mean 'always

But doesn't that mean that this approach fails for systems which
have /var on a separate partition (not that uncommon for a server)
because /var is not yet mounted when udevd is run from the initrd?

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#375077; Package udev. Full text and rfc822 format available.

Acknowledgement sent to maximilian attems <maks@sternwelten.at>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. Full text and rfc822 format available.

Message #111 received at 375077@bugs.debian.org (full text, mbox):

From: maximilian attems <maks@sternwelten.at>
To: Michael Biebl <biebl@teco.edu>, 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Tue, 27 Jun 2006 09:18:37 +0200
On Tue, Jun 27, 2006 at 02:02:20AM +0200, Michael Biebl wrote:
> > Changes:
> >  libnss-ldap (251-4) unstable; urgency=low
> >  .
> >    * Added system which implicitly sets bind_policy to 'soft'
> >      during system boot/shutdown.  This is implemented by an
> >      init script run at end of system boot and start of system
> >      shutdown which creates/removes a file in /var/lib/libnss-ldap
> >      called 'bind_policy_soft'.  When this file exists the policy
> >      is treated as 'soft' regardless of the configuration in
> >      /etc/nss-ldap.conf.  Note that soft doesn't mean 'always
> 
> But doesn't that mean that this approach fails for systems which
> have /var on a separate partition (not that uncommon for a server)
> because /var is not yet mounted when udevd is run from the initrd?

please don't confuse things.
udevd run in the initramfs was _not_ the problem,
udevd startup in early init uncovered that libnss-ldap characteristic,
when network is not yet there.

regards

-- 
maks



Bug reassigned from package `udev' to `libnss-ldap'. Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Schultheiss <schultmc@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #118 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Schultheiss <schultmc@debian.org>
To: Stephen Frost <sfrost@snowman.net>, control@bugs.debian.org
Cc: 375077@bugs.debian.org
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Mon, 17 Jul 2006 12:25:18 -0400
reopen 375077 !
kthxbye

Stephen Frost wrote:
> * Michael Biebl (biebl@teco.edu) wrote:
> > > case here?  Also, have you tried waiting it out?  Each request would end
> > > up taking about 2 minutes, but technically it *should* give up
> > > eventually..
> > 
> > I waited for something like 10min without success. But honestly this
> > wouldn't be a proper solution anyways.
> 
> Please try 251-5, I believe it'll help...

I have 251-5 installed and am still seeing:

udevd[PID]: nss_ldap: failed to bind to LDAP server

I temporarily edited /etc/nsswitch.conf and removed the ldap entries so
the system would boot, then re-added them and restarted libnss-ldap.

-- 
---------------------------
Michael Schultheiss
E-mail: schultmc@debian.org



Bug reopened, originator set to Michael Schultheiss <schultmc@debian.org>. Request was from Michael Schultheiss <schultmc@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Bram Duvigneau <bram@bramd.nl>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #125 received at 375077@bugs.debian.org (full text, mbox):

From: Bram Duvigneau <bram@bramd.nl>
To: 375077@bugs.debian.org
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Fri, 28 Jul 2006 14:57:12 +0200
> I have 251-5 installed and am still seeing: 
> udevd[PID]: nss_ldap: failed to bind to LDAP server 

I had the same problem with 251-5. I used "compat ldap" in my nsswitch.conf, it
will work if you change compat to files.

Bram





Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Schultheiss <schultmc@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #130 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Schultheiss <schultmc@debian.org>
To: Bram Duvigneau <bram@bramd.nl>
Cc: 375077@bugs.debian.org
Subject: Re: Bug#375077: initrd needs its own, static, nsswitch.conf
Date: Thu, 10 Aug 2006 11:57:34 -0400
Bram Duvigneau wrote:
> > I have 251-5 installed and am still seeing: 
> > udevd[PID]: nss_ldap: failed to bind to LDAP server 
> 
> I had the same problem with 251-5. I used "compat ldap" in my
> nsswitch.conf, it will work if you change compat to files.

My /etc/nsswitch.conf file already contains "files ldap":

group:          files ldap
passwd:         files ldap
shadow:         files ldap

-- 
---------------------------
Michael Schultheiss
E-mail: schultmc@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Laurent Bonnaud <bonnaud@lis.inpg.fr>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #135 received at 375077@bugs.debian.org (full text, mbox):

From: Laurent Bonnaud <bonnaud@lis.inpg.fr>
To: 375077@bugs.debian.org
Subject: Re: udevd: nss_ldap: failed to bind to LDAP server -> boot fails
Date: Wed, 30 Aug 2006 19:29:09 +0200
Hi,

I think that I know why some people still see this bug and have reopened
it.

The fix implemented by Stephen (thanks BTW!) is documented
in /var/lib/dpkg/info/libnss-ldap.postinst :

# The /var/lib/libnss-ldap directory is used for one purpose:
# to provide a place to store the 'bind_policy_soft' flag file
# which is created on system shutdown and removed once the system
# has restarted.  The existance of this file changes the bind_policy
# to 'soft', which means that NSS lookups fail immediately when no
# LDAP server is available.  This is sensible during the boot process
# since networking might not be available.
chmod 755 /var/lib/libnss-ldap

# Automatically added by dh_installinit
if [ -x "/etc/init.d/libnss-ldap" ]; then
        update-rc.d libnss-ldap defaults 99 01 >/dev/null
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
                invoke-rc.d libnss-ldap start || exit $?
        else
                /etc/init.d/libnss-ldap start || exit $?
        fi
fi
# End automatically added section

This assumes that the system has been cleanly halted.  If not
the /var/lib/libnss-ldap/bind_policy_soft file is not created and the
next boot fails.

Why not do the following instead?

 - create the bind_policy_soft file on boot before the udev start
 - remove it after the network has been started

-- 
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/





Tags added: fixed Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to "Steinar H. Gunderson" <sesse@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Michael Schultheiss <schultmc@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #142 received at 375077-done@bugs.debian.org (full text, mbox):

From: "Steinar H. Gunderson" <sesse@debian.org>
To: 375077-done@bugs.debian.org, 376426-done@bugs.debian.org, 376684-done@bugs.debian.org, 386141-done@bugs.debian.org, 388574-done@bugs.debian.org
Subject: Re: Fixed in NMU of libnss-ldap 251-5.2
Date: Sat, 30 Sep 2006 01:26:21 +0200
Version: 251-5.2

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  libnss-ldap (251-5.2) unstable; urgency=high
>  .
>    * Non-maintainer upload.
>    * When doing substitutions in libnss-ldap.conf, pass the values to the Perl
>      program as environment variables instead of directly to the program;
>      should eliminate the problems with having to escape them.
>      (Closes: #376684, #386141)
>    * Change the init script policy. Instead of stopping libnss-ldap.init on
>      clean shutdown (touching a file) and starting it after networking (rm-ing
>      it), we touch the file in /lib/init/rw as soon as possible (right before
>      udev is started, touching a file) and stop it after initial system bootup.
>      This fixes both issues with /var being on a separate partition, and
>      unclean shutdown where the file would not be created. (To make sure we
>      don't get similar problems during shutdown, we create it in runlevels 0
>      and 6 as before, but we don't assume it's still there when we boot, since
>      it's on a tmpfs now.) (Closes: #375077)
>    * Block SIGPIPE in do_atfork_child(), as some versions of libldap2 in some
>      circumstances (notably with TLS enabled) write data onto our dummy socket
>      during close, which raises a SIGPIPE that should not be delivered on to the
>      application. (Closes: #376426, #388574)

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Krzysztof Raczkowski <raczkow@prz.edu.pl>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #147 received at 375077@bugs.debian.org (full text, mbox):

From: Krzysztof Raczkowski <raczkow@prz.edu.pl>
To: 375077@bugs.debian.org
Subject: libnss-ldap 251-5.2 still broken for me
Date: Wed, 11 Oct 2006 09:58:20 +0200
libnss-ldap            251-5.2
udev                   0.100-2

1. I needed to manually run:

update-rc.d libnss-ldap start 03 S . start 01 0 . stop 01 2 . stop 01 3 . stop 01 4 . stop 01 5 . start 01 6 .

right after I manually removed old libnss-ldap scripts:

update-rc.d -f libnss-ldap remove

Otherwise I had old links in /etc/rc*.d, which was not correct


2. It still doesn't work with soft bind:

First I got message during system boot:

touch: cannot touch /lib/init/rw/libnss-ldap.bind_policy_soft: No such file or directory

Of course there's no /lib/init/rw/ directory, so I created it:

mkdir /lib/init/rw/


3. But it STILL doesn't work:

touch: cannot touch `/lib/init/rw/libnss-ldap.bind_policy_soft': Read-only file system

I'm using libnss-ldap + udev on Xen DomU (on Etch), but I checked 'normal' 
Etch and got the same errors.

What's wrong with my systems?

-- 
Krzysztof Raczkowski
Rzeszow University of Technology
System Administrator of CZ RMSK
tel.: +48 (17) 865-13-93; e-mail: raczkow@prz.edu.pl
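
The flag-file policy from the 251-5.2 changelog, with the two touch failures reported in this message (missing directory, read-only file system) handled, as an added sketch; it is not the packaged /etc/init.d/libnss-ldap script. The directory and file name are the ones quoted in the thread; the function names, return codes and the FLAG_DIR override are assumptions made for the example.

```shell
#!/bin/sh
# Added sketch of the boot-time flag-file policy described in the 251-5.2
# changelog. It is not the packaged /etc/init.d/libnss-ldap script.

# Directory and file name as quoted in the thread. FLAG_DIR can be overridden
# (an assumption of this example) to exercise the functions in a scratch dir.
FLAG_DIR="${FLAG_DIR:-/lib/init/rw}"
FLAG_NAME="libnss-ldap.bind_policy_soft"

flag_path() {
    printf '%s/%s\n' "$FLAG_DIR" "$FLAG_NAME"
}

# Create the flag. Return codes are constructed for this example:
#   0 flag created, 2 directory missing, 3 directory present but not writable.
soft_on() {
    if [ ! -d "$FLAG_DIR" ]; then
        echo "libnss-ldap: $FLAG_DIR does not exist, flag not set" >&2
        return 2
    fi
    if ! touch "$(flag_path)" 2>/dev/null; then
        echo "libnss-ldap: cannot write $(flag_path), flag not set" >&2
        return 3
    fi
    return 0
}

# Remove the flag; succeeds when the flag is gone, whatever the reason.
soft_off() {
    rm -f "$(flag_path)" 2>/dev/null
    [ ! -e "$(flag_path)" ]
}

soft_active() {
    [ -e "$(flag_path)" ]
}

# Model of the rule in the 251-4 changelog: while the flag exists the policy
# is treated as 'soft' regardless of the configured value passed in as $1.
effective_bind_policy() {
    if soft_active; then
        echo soft
    else
        printf '%s\n' "$1"
    fi
}

# start = before udev and in runlevels 0 and 6, stop = after initial bootup,
# matching the sequence in the changelog.
case "${1:-}" in
    start)
        # Report the failure but do not abort the boot sequence over it.
        soft_on || echo "libnss-ldap: LDAP lookups may block until the network is up" >&2
        ;;
    stop)
        soft_off
        ;;
    status)
        if soft_active; then
            echo "bind_policy forced to soft"
        else
            echo "bind_policy as configured"
        fi
        ;;
esac
```

A non-zero return from soft_on is the condition to watch for in boot logs: it means the configured bind_policy is still in force while the network is down.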



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #152 received at 375077@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: 375077@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: udevd: nss_ldap: failed to bind to LDAP server -> boot fails
Date: Sat, 14 Oct 2006 01:34:44 +0200
reopen 375077
thanks bts

Hello,

udev 0.100-2
libnss-ldap 251-5.2

When I upgrade to libnss-ldap 251-5.2, old init script links are
always here and then with bad sequence numbers. Indeed,
update-rc.d in postinst failed with :
System startup links for /etc/init.d/libnss-ldap already exist.
 
Here is hacky patch for postinst :

if [ -x "/etc/init.d/libnss-ldap" ]; then
    update-rc.d -f libnss-ldap remove >/dev/null
    update-rc.d libnss-ldap start 03 S . start 01 0 6 . stop 01 2 3 4 5 . >/dev/null || exit $?
fi


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/



Bug reopened, originator not changed. Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: fixed Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `critical' from `grave' Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 375077 375215 391167. Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #165 received at 375077@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <peter_e@gmx.net>
To: 375077@bugs.debian.org
Cc: 390926@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#375077: udevd: nss_ldap: failed to bind to LDAP server -> boot fails
Date: Mon, 16 Oct 2006 13:22:37 +0200
[Message part 1 (text/plain, inline)]
Here is a patch which summarizes this discussion.  I've tested this on a 
number of systems and it satisfactorily fixes the "doesn't boot" problem.

Note to -release: This needs the initscripts version from unstable, which is 
frozen.
[libnss-ldap-375077.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Jean-Louis MOUNIER <jean-louis.mounier@laposte.net>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #170 received at 375077@bugs.debian.org (full text, mbox):

From: Jean-Louis MOUNIER <jean-louis.mounier@laposte.net>
To: 375077@bugs.debian.org
Subject: Problem still not solved ?
Date: Mon, 16 Oct 2006 17:49:35 +0200
I am a ldap and libnss-ldap user.

I just installed a fresh system last Saturday and it seems that the
/lib/init/rw directory is not created during libnss-ldap package
installation, so that the fix doesn't work. I had to create this
directory by hand to make my system start normally.

Maybe I'm wrong but could you check this issue...

A modest contribution from an enthusiastic user...

Regards




Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to udo waechter <udo.waechter@uni-osnabrueck.de>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #175 received at 375077@bugs.debian.org (full text, mbox):

From: udo waechter <udo.waechter@uni-osnabrueck.de>
To: 375077@bugs.debian.org
Subject: root-fs readonly starting libnss-ldap
Date: Wed, 01 Nov 2006 17:55:30 +0100
A last problem with this bug remains:

When /etc/init.d/libnss-ldap is executed (i.e. started) the 
root-filesystem is still mounted read-only.

Thus, the 'touch' command fails. We have solved this issue by adding:

"mount -n -o remount,rw /"
       before the 'touch' and
"mount -n -o remount,ro /"
      after the touch.

This solves the bug yes, but in my opinion all solutions provided here 
are somewhat a hack. Should not the nss-library itself be aware of non 
existing network-connections? If we have no network, why should then a 
library try to connect a network service at all?

Have fun fixing the bug,
udo.



Reply sent to Stephen Frost <sfrost@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Michael Schultheiss <schultmc@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #180 received at 375077-close@bugs.debian.org (full text, mbox):

From: Stephen Frost <sfrost@debian.org>
To: 375077-close@bugs.debian.org
Subject: Bug#375077: fixed in libnss-ldap 251-6
Date: Fri, 03 Nov 2006 18:47:30 -0800
Source: libnss-ldap
Source-Version: 251-6

We believe that the bug you reported is fixed in the latest version of
libnss-ldap, which is due to be installed in the Debian FTP archive:

libnss-ldap_251-6.diff.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_251-6.diff.gz
libnss-ldap_251-6.dsc
  to pool/main/libn/libnss-ldap/libnss-ldap_251-6.dsc
libnss-ldap_251-6_amd64.deb
  to pool/main/libn/libnss-ldap/libnss-ldap_251-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 375077@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Frost <sfrost@debian.org> (supplier of updated libnss-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 22 Oct 2006 19:19:59 -0400
Source: libnss-ldap
Binary: libnss-ldap
Architecture: source amd64
Version: 251-6
Distribution: unstable
Urgency: low
Maintainer: Stephen Frost <sfrost@debian.org>
Changed-By: Stephen Frost <sfrost@debian.org>
Description: 
 libnss-ldap - NSS module for using LDAP as a naming service
Closes: 375077 375215 377895 390241 390926 390957 391053 391167 391829 394152
Changes: 
 libnss-ldap (251-6) unstable; urgency=low
 .
   * Acknowledge NMUs (Closes: #377895, #390241, #390957)
   * Resolve timing issues,
     Closes: #375077, #375215, #390926, #391053, #391167, #394152, #391829
Files: 
 c3313601fbda4794f0ee940c65784897 669 net extra libnss-ldap_251-6.dsc
 346c7b583c98376dc452ce8a560328a3 118805 net extra libnss-ldap_251-6.diff.gz
 7a4f26e121d21ff235595d7bbb2c68b5 100350 net extra libnss-ldap_251-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFS/36rzgMPqB3kigRAhzgAJ9FO9MqddmNqc6AY97QsGbaqwVUuACeIVhh
T//scPH2J0t+ruTS0y/ejLk=
=Tu+2
-----END PGP SIGNATURE-----




Reply sent to Stephen Frost <sfrost@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Gasper Zejn <zejn@kiberpipa.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Stephen Frost <sfrost@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "guy.roussin" <guy.roussin@teledetection.fr>:
Bug acknowledged by developer. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Marcin Giedz <giedz@arise.pl>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #195 received at 375077@bugs.debian.org (full text, mbox):

From: Marcin Giedz <giedz@arise.pl>
To: 375077@bugs.debian.org
Subject: libnss_ldap still produces a little mess...
Date: Fri, 24 Nov 2006 16:47:00 +0100
Hello,

I've got libnss-ldap ver. 251-7. My system boots up OK but there are 
still some messages saying :
udevd: nss_ldap ..can not contact LDAP and several times group names 
are listed 'nvram, etc....'

Actually I can't provide accurate message because I don't know how to 
log such information :( - if any one can please provide any hint how to 
do this I can be more precise.

Anyway this doesn't hang system but still needs to 'touch 
/lib/init/rw/xxxxx '

Regards,
Marcin
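
Stephen Frost's point earlier in this log was that the LDAP lookups come from users or groups that udev wants for a device but that are not in the local /etc/passwd and /etc/group, and the message above mentions group names such as 'nvram' showing up in the errors. The following added example (not from udev or libnss-ldap) lists the GROUP or OWNER names assigned in rules files that a local group or passwd file cannot answer; the rules and group entries inside demo() are constructed samples, and all function names are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of udev or libnss-ldap.

# Print each distinct name assigned with KEY="name" or KEY:="name".
# $1 is GROUP or OWNER, the remaining arguments are udev rules files.
# Numeric ids and values containing substitutions ($ or %) are skipped,
# since they do not trigger a lookup of a literal name.
rule_names() {
    key=$1
    shift
    awk -v key="$key" '
        BEGIN { re = key ":?=\"[^\"]*\"" }
        /^[ \t]*#/ { next }
        {
            line = $0
            while (match(line, re)) {
                tok = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                sub(/^[^"]*"/, "", tok)
                sub(/"$/, "", tok)
                if (tok == "" || tok ~ /^[0-9]+$/ || tok ~ /[$%]/) continue
                print tok
            }
        }' "$@" | sort -u
}

# Succeed when $1 is the first field of some line in the passwd- or
# group-format file $2.
in_local_file() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# Print the names the rules reference that the local file cannot answer.
# With "files ldap" in nsswitch.conf these are the lookups that go to LDAP.
# $1 key, $2 local file, remaining arguments rules files.
missing_names() {
    mkey=$1
    db=$2
    shift 2
    rule_names "$mkey" "$@" | while IFS= read -r name; do
        in_local_file "$name" "$db" || printf '%s\n' "$name"
    done
}

# Constructed sample data, not taken from any real system.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/sample.rules" <<'EOF'
# constructed sample rules
KERNEL=="nvram", GROUP="nvram", MODE="0660"
KERNEL=="kvm", GROUP="kvm"
KERNEL=="video[0-9]*", GROUP="video"
KERNEL=="sd*", OWNER="root", GROUP="disk"
KERNEL=="tty[0-9]*", GROUP:="tty"
KERNEL=="fb0", GROUP="0"
# KERNEL=="scanner", GROUP="scanner"
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
tty:x:5:
disk:x:6:
video:x:44:
EOF
    missing_names GROUP "$d/group" "$d/sample.rules"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then
    # Rules files given on the command line are checked against /etc/group.
    missing_names GROUP /etc/group "$@"
else
    demo
fi
```

Any name it prints either needs a local entry or will be asked of LDAP while udevd starts.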



Bug reopened, originator not changed. Request was from "Daniel J. Priem" <daniel@flexserv.de> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 251-6, send any further explanations to Michael Schultheiss <schultmc@debian.org> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #204 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: 375077@bugs.debian.org
Cc: control@bugs.debian.org, sfrost@snowman.net
Subject: Re: Bug#375077 closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Fri, 23 Mar 2007 00:21:53 +0100
[Message part 1 (text/plain, inline)]
found 375077 251-7.4
thanks


>  libnss-ldap (251-4) unstable; urgency=low
>  .
>    * Added system which implicitly sets bind_policy to 'soft'
>      during system boot/shutdown.  This is implemented by an
>      init script run at end of system boot and start of system
>      shutdown which creates/removes a file in /var/lib/libnss-ldap
>      called 'bind_policy_soft'.  When this file exists the policy
>      is treated as 'soft' regardless of the configuration in
>      /etc/nss-ldap.conf.  Note that soft doesn't mean 'always
>      fail' but rather only try to connect to each URI listed in
>      the configuration file once, with no sleeping.
>      Closes: #375077, #375215


Seems as the current version does not contain the init script anymore
and I'm seeing the udev error messages on bootup again.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Bug marked as found in version 251-7.4. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Thu, 22 Mar 2007 23:24:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #211 received at 375077@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Michael Biebl <biebl@debian.org>, 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Thu, 22 Mar 2007 16:46:19 -0700
notfound 375077 251-7.4
thanks

On Fri, Mar 23, 2007 at 12:21:53AM +0100, Michael Biebl wrote:
> >  libnss-ldap (251-4) unstable; urgency=low

> >    * Added system which implicitly sets bind_policy to 'soft'
> >      during system boot/shutdown.  This is implemented by an
> >      init script run at end of system boot and start of system
> >      shutdown which creates/removes a file in /var/lib/libnss-ldap
> >      called 'bind_policy_soft'.  When this file exists the policy
> >      is treated as 'soft' regardless of the configuration in
> >      /etc/nss-ldap.conf.  Note that soft doesn't mean 'always
> >      fail' but rather only try to connect to each URI listed in
> >      the configuration file once, with no sleeping.
> >      Closes: #375077, #375215

> Seems as the current version does not contain the init script anymore
> and I'm seeing the udev error messages on bootup again.

No, no changes were ever made that would eliminate the udev error messages.
The change that was made was to prevent the system from *hanging* at boot.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug marked as not found in version 251-7.4. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 22 Mar 2007 23:48:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #218 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Fri, 23 Mar 2007 01:29:17 +0100
[Message part 1 (text/plain, inline)]
Steve Langasek wrote:
> notfound 375077 251-7.4
> thanks
> 
> On Fri, Mar 23, 2007 at 12:21:53AM +0100, Michael Biebl wrote:
>>>  libnss-ldap (251-4) unstable; urgency=low
> 
>>>    * Added system which implicitly sets bind_policy to 'soft'
>>>      during system boot/shutdown.  This is implemented by an
>>>      init script run at end of system boot and start of system
>>>      shutdown which creates/removes a file in /var/lib/libnss-ldap
>>>      called 'bind_policy_soft'.  When this file exists the policy
>>>      is treated as 'soft' regardless of the configuration in
>>>      /etc/nss-ldap.conf.  Note that soft doesn't mean 'always
>>>      fail' but rather only try to connect to each URI listed in
>>>      the configuration file once, with no sleeping.
>>>      Closes: #375077, #375215
> 
>> Seems as the current version does not contain the init script anymore
>> and I'm seeing the udev error messages on bootup again.
> 
> No, no changes were ever made that would eliminate the udev error messages.
> The change that was made was to prevent the system from *hanging* at boot.
> 

Hm, ok. But it's still not rather comforting to see this huge amount of
error messages during startup.
I'd consider this bug only half-fixed.

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #223 received at 375077@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Michael Biebl <biebl@debian.org>, 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Thu, 22 Mar 2007 17:38:50 -0700
On Fri, Mar 23, 2007 at 01:29:17AM +0100, Michael Biebl wrote:
> > No, no changes were ever made that would eliminate the udev error messages.
> > The change that was made was to prevent the system from *hanging* at boot.

> Hm, ok. But it's still not rather comforting to see this huge amount of
> error messages during startup.
> I'd consider this bug only half-fixed.

Well, sorry, but I don't see how any other fix is possible for libnss-ldap.
It's a fact that udev does lookups for users/groups that are not guaranteed
to exist on the local system, and I don't think libnss-ldap should be
responsible for trying to munge the user's /etc/nsswitch.conf on boot to
avoid all LDAP lookups.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #228 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Fri, 23 Mar 2007 02:42:15 +0100
[Message part 1 (text/plain, inline)]
Steve Langasek wrote:
> On Fri, Mar 23, 2007 at 01:29:17AM +0100, Michael Biebl wrote:
>>> No, no changes were ever made that would eliminate the udev error messages.
>>> The change that was made was to prevent the system from *hanging* at boot.
> 
>> Hm, ok. But it's still not rather comforting to see this huge amount of
>> error messages during startup.
>> I'd consider this bug only half-fixed.
> 
> Well, sorry, but I don't see how any other fix is possible for libnss-ldap.
> It's a fact that udev does lookups for users/groups that are not guaranteed
> to exist on the local system, and I don't think libnss-ldap should be
> responsible for trying to munge the user's /etc/nsswitch.conf on boot to
> avoid all LDAP lookups.
> 

Imo there is a solution:
The problem is, that libnss-ldap retries several times before it gives
up (because there is no network connection yet). While this makes sense
during normal operation, it doesn't make sense during bootup.
So my suggestion would be:
The first time, libnss-ldap can successfully query the (remote) ldap
server, it creates a file, let's call it /var/run/nss-ldap-connected.
Only if this file exists, libnss-ldap retries multiple times on network
outages.
This file is deleted on shutdown.
On startup, if the file does not exist yet, nss-ldap does not retry to
connect several times but immediately returns nothing if it can't connect
to the server.

Does that sound reasonable?

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #233 received at 375077@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Thu, 22 Mar 2007 19:45:47 -0700
On Fri, Mar 23, 2007 at 02:42:15AM +0100, Michael Biebl wrote:
> > Well, sorry, but I don't see how any other fix is possible for libnss-ldap.
> > It's a fact that udev does lookups for users/groups that are not guaranteed
> > to exist on the local system, and I don't think libnss-ldap should be
> > responsible for trying to munge the user's /etc/nsswitch.conf on boot to
> > avoid all LDAP lookups.

> Imo there is a solution:
> The problem is, that libnss-ldap retries several times before it gives
> up (because there is no network connection yet). While this makes sense
> during normal operation, it doesn't make sense during bootup.
> So my suggestion would be:
> The first time, libnss-ldap can successfully query the (remote) ldap
> server, it creates a file, let's call it /var/run/nss-ldap-connected.
> Only if this file exists, libnss-ldap retries multiple times on network
> outages.
> This file is deleted on shutdown.
> On startup, if the file does not exist yet, nss-ldap does not retry to
> connect several times but immediately returns nothing if it can't connect
> to the server.

> Does that sound reasonable?

It sounds like a kludge to me, but I'm not the package maintainer so it's
not really my decision.  Anyway, I don't think nss-ldap has to retry
anything to cause udev error messages, just a single lookup seems to be
enough.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Frost <sfrost@debian.org>:
Bug#375077; Package libnss-ldap. Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Frost <sfrost@debian.org>. Full text and rfc822 format available.

Message #238 received at 375077@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 375077@bugs.debian.org
Subject: Re: Bug#375077: closed by Stephen Frost <sfrost@debian.org> (Bug#375077: fixed in libnss-ldap 251-4)
Date: Sat, 24 Mar 2007 16:23:36 +0100
[Message part 1 (text/plain, inline)]
Steve Langasek wrote:
> On Fri, Mar 23, 2007 at 02:42:15AM +0100, Michael Biebl wrote:
>>> Well, sorry, but I don't see how any other fix is possible for libnss-ldap.
>>> It's a fact that udev does lookups for users/groups that are not guaranteed
>>> to exist on the local system, and I don't think libnss-ldap should be
>>> responsible for trying to munge the user's /etc/nsswitch.conf on boot to
>>> avoid all LDAP lookups.
> 
>> Imo there is a solution:
>> The problem is, that libnss-ldap retries several times before it gives
>> up (because there is no network connection yet). While this makes sense
>> during normal operation, it doesn't make sense during bootup.
>> So my suggestion would be:
>> The first time, libnss-ldap can successfully query the (remote) ldap
>> server, it creates a file, let's call it /var/run/nss-ldap-connected.
>> Only if this file exists, libnss-ldap retries multiple times on network
>> outages.
>> This file is deleted on shutdown.
>> On startup, if the file does not exist yet, nss-ldap does not retry to
>> connect several times but immediately returns nothing if it can't connect
>> to the server.
> 
>> Does that sound reasonable?
> 
> It sounds like a kludge to me, but I'm not the package maintainer so it's
> not really my decision.  Anyway, I don't think nss-ldap has to retry
> anything to cause udev error messages, just a single lookup seems to be
> enough.
> 

For the time being, I created two nsswitch.conf files (one with ldap
support, the other without). The main network interface now contains an
up and down rule which copies the "correct" nsswitch.conf file to /etc/,
depending on the network state.
Maybe this workaround could be documented in README.Debian.

Cheers,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]
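
The workaround described in the message above, sketched as an added example (not code from this thread or from the libnss-ldap package): a helper that installs one of two nsswitch.conf variants atomically and refuses a variant that does not consult local files first. The script path, the variant names nsswitch.conf.ldap and nsswitch.conf.files, and the NSS_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical helper, assumed to be installed as
# /usr/local/sbin/nss-switch and called from /etc/network/interfaces:
#   iface eth0 inet dhcp
#       up   /usr/local/sbin/nss-switch up
#       down /usr/local/sbin/nss-switch down
# Assumed variant files: $NSS_DIR/nsswitch.conf.ldap  ("files ldap")
#                        $NSS_DIR/nsswitch.conf.files ("files" only)

NSS_DIR="${NSS_DIR:-/etc}"

# switch_nss up|down: install the matching variant as nsswitch.conf.
switch_nss() {
    case "$1" in
        up)   src="$NSS_DIR/nsswitch.conf.ldap" ;;
        down) src="$NSS_DIR/nsswitch.conf.files" ;;
        *)    echo "usage: nss-switch up|down" >&2; return 2 ;;
    esac
    [ -r "$src" ] || { echo "missing $src" >&2; return 1; }

    # Local accounts (root, system users) must resolve without the
    # network, so every variant has to list "files" as first source.
    for db in passwd group shadow; do
        grep -Eq "^$db:[[:space:]]+files([[:space:]]|\$)" "$src" || {
            echo "$src: '$db' does not start with files" >&2
            return 1
        }
    done

    # Write a temporary file in the same directory and rename it, so a
    # concurrent lookup never reads a half-written nsswitch.conf.
    tmp=$(mktemp "$NSS_DIR/nsswitch.conf.XXXXXX") || return 1
    # mktemp creates the file 0600; nsswitch.conf must be world-readable.
    cp "$src" "$tmp" && chmod 644 "$tmp" &&
        mv -f "$tmp" "$NSS_DIR/nsswitch.conf" || { rm -f "$tmp"; return 1; }
}

# Act only when called with an explicit mode.
case "${1:-}" in
    up|down) switch_nss "$1" ;;
esac
```

Processes that are already running keep the NSS configuration they loaded earlier, so a swap only affects lookups by processes started afterwards.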

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 17:06:34 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:48:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.