Derek Simkowiak wrote:
> In my opinion this is an important bug. One of the major reasons for using LDAP+nss is for high availability in corporate networks... and this bug breaks that completely.
You are starting with a wrong assumption: using nss_ldap will not provide you with any type of high availability. In fact, it may have the opposite effect, as authentication becomes dependent on the availability of the network and the LDAP directory service.

That being said, the bug is not really one; it is more of an architectural shortcoming. And it is not specific to Ubuntu: any Unix (including pretty much every other Linux distribution) that implements NSS as a stateless library is bound to have the same problem. NSS was written as an abstraction layer that assumed the database, traditionally a file such as /etc/passwd, is always available and cheap to query. These assumptions break down when the database has to be queried over the network.

There is no proper fix, outside of ripping out NSS entirely for something new (which is not practical, as you can guess). All you can do is mitigate the problem. Tweaking the various limits in /etc/ldap.conf is useless; even very short timeouts do add up. nscd, which is buggy as hell anyway, will block the second it has to query the network database, because it does not keep state in the first place.

The only solution that can provide some relief is to have a daemon sit between the library and the network database to cache network queries, to keep state of the network database, and to continue returning results without blocking when it is not available, unlike nscd. Solaris has had such a thing for quite some time, with good results. In Ubuntu, the libnss-ldapd and sssd packages, and the nssov slapd overlay, provide just that. I have no experience with any of them, so I cannot make an enlightened recommendation, but they all try to address exactly the problem being discussed here. I suggest you investigate them, and report any bugs you find along the way.
-- 
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3

-- 
Local login fails without LDAP server
https://bugs.launchpad.net/bugs/253937
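The stateless-versus-stateful distinction Etienne describes, as an added illustration that is not part of the thread or of any of the named packages: a constructed Python simulation in which an nss_ldap-style lookup pays the LDAP timeout on every call while the directory is down, whereas a caching daemon in the nslcd/sssd mould notices the backend is unreachable and keeps answering from cache. The directory, the timeout value and the user entries are all made up.

```python
from dataclasses import dataclass, field

LDAP_TIMEOUT_S = 2.0  # constructed per-query timeout; real ones "add up" the same way


class DirectoryDown(Exception): pass  # query waited the full timeout with no answer


@dataclass
class FakeDirectory:
    """Stand-in for the LDAP server; with up=False every query times out."""
    users: dict
    up: bool = True

    def lookup(self, name):
        if not self.up:
            raise DirectoryDown(name)
        return self.users.get(name)


def stateless_lookup(directory, names):
    """nss_ldap-style path: nothing is remembered between calls, so every
    lookup made while the directory is down blocks for the full timeout."""
    results, blocked = {}, 0.0
    for name in names:
        try:
            results[name] = directory.lookup(name)
        except DirectoryDown:
            results[name] = None
            blocked += LDAP_TIMEOUT_S
    return results, blocked


@dataclass
class StatefulCache:
    """Daemon between the NSS library and the directory: caches entries it has
    seen and remembers whether the backend is reachable (no re-probing here)."""
    directory: FakeDirectory
    cache: dict = field(default_factory=dict)
    backend_up: bool = True
    blocked: float = 0.0

    def lookup(self, name):
        if self.backend_up:
            try:
                entry = self.directory.lookup(name)
                if entry is not None:
                    self.cache[name] = entry
                return entry
            except DirectoryDown:
                self.blocked += LDAP_TIMEOUT_S  # pay the timeout once...
                self.backend_up = False          # ...then remember the backend is down
        # Backend known down: answer from cache without blocking (possibly stale, or a miss).
        return self.cache.get(name)
```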