Debian Bug report logs - #475626
libnss-ldapd: Change to start level of nslcd


Package: libnss-ldapd; Maintainer for libnss-ldapd is Arthur de Jong <adejong@debian.org>; Source for libnss-ldapd is src:nss-pam-ldapd.

Reported by: Alex Samad <alex@samad.com.au>

Date: Sat, 12 Apr 2008 02:06:01 UTC

Severity: normal

Tags: wontfix

Found in version nss-ldapd/0.6

Fixed in version 0.7.0

Done: Arthur de Jong <adejong@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#475626; Package libnss-ldapd. Full text and rfc822 format available.

Acknowledgement sent to Alex Samad <alex@samad.com.au>:
New Bug report received and forwarded. Copy sent to Arthur de Jong <adejong@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alex Samad <alex@samad.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnss-ldapd: Change to start level of nslcd
Date: Sat, 12 Apr 2008 12:05:24 +1000
Package: libnss-ldapd
Version: 0.6
Severity: normal

Hi 

Currently nslcd is set to start by default at level 20, which is the same
level as exim, exim coming first because of alphabet. This means that for a
period of time no ldap users are valid with regards to exim. I have seen
bounced emails because of this.

I was going to suggest 19 but it seems like slapd starts there and I
would like to give slapd a chance to start before nslcd starts because
my backup (alternative URIs) are on a different site

Alex


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (100, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss-ldapd depends on:
ii  debconf [debconf-2.0] 1.5.20             Debian configuration management sy
ii  libc6                 2.7-10             GNU C Library: Shared libraries
ii  libkrb53              1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.7-6.1          OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-18    Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap                   184-3      Pluggable Authentication Module al
ii  nscd                          2.7-10     GNU C Library: Name Service Cache 

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#475626; Package libnss-ldapd. Full text and rfc822 format available.

Acknowledgement sent to 475626@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. Full text and rfc822 format available.

Message #10 received at 475626@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Alex Samad <alex@samad.com.au>, 475626@bugs.debian.org
Subject: Re: Bug#475626: libnss-ldapd: Change to start level of nslcd
Date: Sat, 19 Apr 2008 15:56:12 +0200
[Message part 1 (text/plain, inline)]
On Sat, 2008-04-12 at 12:05 +1000, Alex Samad wrote:
> Currently nslcd is set to start by default at level 20, which is the same
> level as exim, exim coming first because of alphabet. This means that for a
> period of time no ldap users are valid with regards to exim. I have seen
> bounced emails because of this.
> 
> I was going to suggest 19 but it seems like slapd starts there and I
> would like to give slapd a chance to start before nslcd starts because
> my backup (alternative URIs) are on a different site

Starting nslcd before slapd can be done but is generally not a good idea
because it will slow down the boot process due to problems connecting to
the LDAP server. If nslcd knows that the LDAP server is down this could
also cause problems for subsequent lookups in a certain time period
until nslcd is aware that the LDAP server is available again.

This means that sequence 19 may cause problems and 20 currently causes
problems for exim.

I am in the process of rethinking/rewriting the reconnect logic in
nss-ldapd which could make it easier to start earlier.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#475626; Package libnss-ldapd. Full text and rfc822 format available.

Acknowledgement sent to Alex Samad <alex@samad.com.au>:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. Full text and rfc822 format available.

Message #15 received at 475626@bugs.debian.org (full text, mbox):

From: Alex Samad <alex@samad.com.au>
To: 475626@bugs.debian.org
Subject: Re: Bug#475626: libnss-ldapd: Change to start level of nslcd
Date: Sun, 20 Apr 2008 18:09:02 +1000
[Message part 1 (text/plain, inline)]
On Sat, Apr 19, 2008 at 03:56:12PM +0200, Arthur de Jong wrote:
> On Sat, 2008-04-12 at 12:05 +1000, Alex Samad wrote:
> > Currently nslcd is set to start by default at level 20, which is the same
> > level as exim, exim coming first because of alphabet. This means that for a
> > period of time no ldap users are valid with regards to exim. I have seen
> > bounced emails because of this.
> > 
> > I was going to suggest 19 but it seems like slapd starts there and I
> > would like to give slapd a chance to start before nslcd starts because
> > my backup (alternative URIs) are on a different site
> 
> Starting nslcd before slapd can be done but is generally not a good idea
> because it will slow down the boot process due to problems connecting to
> the LDAP server. If nslcd knows that the LDAP server is down this could
> also cause problems for subsequent lookups in a certain time period
> until nslcd is aware that the LDAP server is available again.
> 
> This means that sequence 19 may cause problems and 20 currently causes
> problems for exim.

yep, I have moved slapd down to 18, 19 for nslcd.

> 
> I am in the process of rethinking/rewriting the reconnect logic in
> nss-ldapd which could make it easier to start earlier.
If I might suggest the ability to add a weight to each URI, thus it would
be possible to prioritise slapd servers

> 
> -- 
> -- arthur - adejong@debian.org - http://people.debian.org/~adejong --



-- 
Dave Mack:	"Your stupidity, Allen, is simply not up to par."
Allen Gwinn:	"Yours is."
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#475626; Package libnss-ldapd. Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 475626@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: debian-devel <debian-devel@lists.debian.org>
Cc: 475626@bugs.debian.org
Subject: nss-ldapd init script sequence number
Date: Mon, 28 Apr 2008 14:12:04 +0200
[Message part 1 (text/plain, inline)]
Hi, I maintain nss-ldapd, a replacement for nss_ldap which uses a local
daemon (nslcd) to proxy name lookup requests (passwd/group/hosts/etc)
to an LDAP server. I have received a bug report (#475626) that I would
welcome some input on.

The problem is that a lot of daemons are started at sequence 20
(/etc/rc2.d/S20...) and may want to do name lookups (e.g. exim is
mentioned in the bugreport). This means that nslcd should probably be
started before sequence 20. However, slapd is started at sequence 19
and it would be best to start nslcd after slapd. Currently nslcd is
started at sequence 20.

The problem with starting nslcd before slapd is that slapd does name
lookups during startup which slow down slapd startup by about 5 seconds
(because slapd is not ready to handle lookups yet) and leaves nslcd in a
state where it believes the LDAP server is unreachable and will only
retry after some timeout has expired. This could in turn cause failed
lookups for processes that do name lookups just after slapd has been
started.

So, what would be the best solution for this problem?

- request slapd to be started at sequence 18 and start nslcd at
  sequence 19 when this has changed (haven't extensively checked if that
  would cause problems for slapd)
- add some magic to nslcd to do more retries during startup and handle
  this case especially
- something else??

This also brings up the problem with what to do with existing
installations. If I understand correctly changing the parameter to
update-rc.d will not change any existing symlinks so any changes that
are made now will only affect existing installations.

Feedback is very much appreciated (also other feedback related to
nss-ldapd). Thanks.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#475626; Package libnss-ldapd. Full text and rfc822 format available.

Acknowledgement sent to 475626@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. Full text and rfc822 format available.

Message #25 received at 475626@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Alex Samad <alex@samad.com.au>, 475626@bugs.debian.org
Subject: Re: Bug#475626: libnss-ldapd: Change to start level of nslcd
Date: Sat, 03 May 2008 17:05:35 +0200
[Message part 1 (text/plain, inline)]
tags 475626 + wontfix
thanks

On Sun, 2008-04-20 at 18:09 +1000, Alex Samad wrote:
> On Sat, Apr 19, 2008 at 03:56:12PM +0200, Arthur de Jong wrote:
> > Starting nslcd before slapd can be done but is generally not a good
> > idea because it will slow down the boot process due to problems
> > connecting to the LDAP server. If nslcd knows that the LDAP server
> > is down this could also cause problems for subsequent lookups in a
> > certain time period until nslcd is aware that the LDAP server is
> > available again.
> > 
> > This means that sequence 19 may cause problems and 20 currently
> > causes problems for exim.
>
> yep, I have moved slapd down to 18, 19 for nslcd.

I have requested [1] the slapd maintainers to run slapd at an earlier
sequence but changing the sequence will only work for new installations
and is considered as effort that will be fixed by dependency based
booting anyway.

So I'm flagging this bug as wontfix for now. So this leaves this up to
local administrators to configure (either lower slapd and nslcd or
increase exim and others).

Anyway, some changes have been made to do better dependency-based
booting [2].

[1] http://bugs.debian.org/478674
[2] http://bugs.debian.org/478807

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]
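
The ordering problem discussed in this thread, as an added example that is not part of the original messages or of the nss-ldapd package: a shell check of which services start before nslcd under sequence-numbered SysV boot. The function names and the two rc directory layouts are constructed for illustration; on a real system the directory would be one such as /etc/rc2.d.

```shell
#!/bin/sh
# Added example (not from the bug report). With sequence-numbered SysV boot,
# the S<NN><name> links in an rc directory run in lexical order, so at the
# same number S20exim4 runs before S20nslcd.

# start_order RCDIR: print service names in the order they would be started.
start_order() {
    # LC_ALL=C forces plain byte-order sorting of the link names.
    LC_ALL=C ls "$1" | grep '^S[0-9][0-9]' | sed 's/^S[0-9][0-9]//'
}

# starts_before RCDIR FIRST SECOND: succeed if FIRST is started before SECOND.
starts_before() {
    for name in $(start_order "$1"); do
        [ "$name" = "$2" ] && return 0
        [ "$name" = "$3" ] && return 1
    done
    return 1
}

# early_starters RCDIR SERVICE: print every service started before SERVICE
# (all of them if SERVICE has no start link in RCDIR).
early_starters() {
    start_order "$1" | awk -v t="$2" '$0 == t { exit } { print }'
}

# make_rcdir LINK...: build a constructed rc directory (empty files stand in
# for the symlinks to /etc/init.d scripts).
make_rcdir() {
    dir=$(mktemp -d)
    for l in "$@"; do : > "$dir/$l"; done
    printf '%s\n' "$dir"
}

# Constructed layouts: the one described in the report, and the reporter's
# local change (slapd at 18, nslcd at 19).
reported=$(make_rcdir S19slapd S20exim4 S20nslcd)
adjusted=$(make_rcdir S18slapd S19nslcd S20exim4)
trap 'rm -rf "$reported" "$adjusted"' EXIT

for d in "$reported" "$adjusted"; do
    echo "start order: $(start_order "$d" | tr '\n' ' ')"
    starts_before "$d" slapd nslcd || echo "  nslcd starts before slapd"
    starts_before "$d" nslcd exim4 || echo "  exim4 starts before nslcd"
done
```
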

Tags added: wontfix Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Sat, 03 May 2008 15:18:11 GMT) Full text and rfc822 format available.

Blocking bugs of 475626 added: 478674 Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Sat, 10 May 2008 19:33:02 GMT) Full text and rfc822 format available.

Reply sent to 475626@bugs.debian.org:
You have taken responsibility. (Tue, 29 Dec 2009 13:54:15 GMT) Full text and rfc822 format available.

Notification sent to Alex Samad <alex@samad.com.au>:
Bug acknowledged by developer. (Tue, 29 Dec 2009 13:54:15 GMT) Full text and rfc822 format available.

Message #34 received at 475626-done@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: 475626-done@bugs.debian.org, Alex Samad <alex@samad.com.au>
Subject: Re: Bug#475626: libnss-ldapd: Change to start level of nslcd
Date: Tue, 29 Dec 2009 14:51:35 +0100
[Message part 1 (text/plain, inline)]
Version: 0.7.0

On Sat, 2008-05-03 at 17:05 +0200, Arthur de Jong wrote:
> I have requested the slapd maintainers to run slapd at an earlier
> sequence but changing the sequence will only work for new
> installations and is considered as effort that will be fixed by
> dependency based booting anyway.

I am closing this bugreport because for squeeze Debian has switched to
dependency-based booting by default which fixes this problem.

If there is anything wrong with the dependencies feel free to open a new
bugreport.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jan 2010 07:29:35 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:16:27 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.