Date:      Fri, 28 Apr 2006 14:14:00 +0200
From:      Pierre-Francois LAURAND <francois.laurand@univ-tours.fr>
To:        Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: slapd starting too late...
Message-ID:  <44520708.40102@univ-tours.fr>
In-Reply-To: <20060428122657.U52948@hades.admin.frm2>
References:  <4451ECF7.30506@univ-tours.fr> <20060428122657.U52948@hades.admin.frm2>

Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> On Fri, 28 Apr 2006, Pierre-Francois LAURAND wrote:
> 
>> Hi,
>>
>> We are using OpenLDAP as an authentication backend on a FreeBSD
>> 6.1-RC system.
>> OpenLDAP port ( net/openldap23-server ) has been installed with the 
>> RCORDER option activated, so /etc/rc.d/slapd is available instead of 
>> ${PREFIX}/etc/rc.d/slapd.sh.
>>
>> When the system is starting, slapd comes up too late, after many
>> other daemons that need to retrieve user information:
>> nfsd/mountd (when /etc/exports contains options like
>> -mapall=someuser,-maproot=someone...), named (when launched with -u),
>> dhcpd, mysql, httpd.... All these daemons require an unprivileged
>> user (not in ldap, but in /etc/master.passwd) to run, but during the
>> boot process, these daemons are waiting for slapd in an endless loop.
>> /var/log/message and /var/log/all.log only show messages like:
>>
>> nss_ldap: failed to bind to LDAP server
>> ldapi://%2fvar%2frun%2fopenldap%2fldapi/: Internal (implementation
>> specific) error
>>
>> In my case, slapd should be launched very early, before other daemons
>> that use getpw* system calls.
>>
>> /etc/nsswitch.conf contains:
>> group:    files [success=return notfound=continue] ldap 
>> [success=return notfound=return unavail=return]
>> passwd:   files [success=return notfound=continue] ldap 
>> [success=return notfound=return unavail=return]
>> hosts:    files dns
>> networks: files
>> shells:   files
>>
>> So, could you help me find out how I can tell slapd to start earlier
>> during the rc boot stage? I think that I will have to play with the
>> rcorder options...
> 
> Hi,
> 
> I had the same problems here. I added "named" to the BEFORE line in the
> rcNG script so that it looks like this:
> # BEFORE: securelevel named
> 

Thanks for your reply, Joerg.

This hack should work if slapd does not need to resolve anything, but if
you are using replicas and/or syncrepl, it may cause problems with
hosts whose names have to be resolved.

I'm quite disappointed with nsswitch.conf because the status/option
passwd:   files ... ldap [success=return notfound=return unavail=return]
should return a valid entry when the system boots and daemons are
fetching their running user in the master.passwd backend.

> Note:
> You should add "ldconfig" to the REQUIRE line in the SERVERS rcNG script 
> so that it looks like this:
> # REQUIRE: mountcritremote abi ldconfig
> This only applies if your system is NOT CURRENT after Wed Apr 19 
> 05:10:34 2006 UTC.
> I hope that this will get MFCd soon to have it in the RELENG_* versions 
> too.
> Why do you need this? The answer is quite simple: without this, slapd is
> unable to find the BerkeleyDB libraries which are necessary for the
> bdb-backend.
> 
> Additionally you could set "bind_policy soft" in 
> ${LOCALBASE}/etc/nss_ldap.conf to let nss_ldap return in case of 
> connection problems to slapd instead of waiting forever.
> 
> Hope that helps
> Joerg
> 
> -- The beginning is the most important part of the work.
>                 -Plato


-- 
Pierre-Francois LAURAND
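Added example, not code from this thread or from FreeBSD: a small Python re-implementation of the PROVIDE/REQUIRE/BEFORE resolution that rcorder(8) performs, run over constructed rc.d headers, to check where slapd lands relative to the daemons that need getpw* lookups with the port's default BEFORE line and with Joerg's "BEFORE: securelevel named" change. It also shows the circular dependency that results if slapd is listed BEFORE named while also REQUIREing named (the syncrepl name-resolution caveat above); the header texts and the nfsd/securelevel dependencies are constructed for illustration, not copied from real rc.d scripts.

```python
import re
from collections import defaultdict

# Constructed rcNG headers (not the real /etc/rc.d scripts); only the
# PROVIDE/REQUIRE/BEFORE keywords that rcorder(8) evaluates are modelled.
BASE = {
    "NETWORKING":  "# PROVIDE: NETWORKING\n",
    "SERVERS":     "# PROVIDE: SERVERS\n# REQUIRE: NETWORKING\n",
    "named":       "# PROVIDE: named\n# REQUIRE: SERVERS\n",
    "nfsd":        "# PROVIDE: nfsd\n# REQUIRE: named\n",
    "securelevel": "# PROVIDE: securelevel\n# REQUIRE: named nfsd\n",
}
# slapd with the port's default BEFORE line, with the "named" addition from
# the thread, and with that addition plus a REQUIRE on named (slapd needing
# name resolution for syncrepl peers) -- the last one is contradictory.
SLAPD_DEFAULT = "# PROVIDE: slapd\n# REQUIRE: SERVERS\n# BEFORE: securelevel\n"
SLAPD_FIXED   = "# PROVIDE: slapd\n# REQUIRE: SERVERS\n# BEFORE: securelevel named\n"
SLAPD_CYCLE   = "# PROVIDE: slapd\n# REQUIRE: SERVERS named\n# BEFORE: securelevel named\n"

def parse_headers(text):
    """Return {keyword: [names]} for the PROVIDE/REQUIRE/BEFORE comment lines."""
    found = defaultdict(list)
    for key, rest in re.findall(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", text, re.M):
        found[key].extend(rest.split())
    return found

def rc_order(scripts):
    """Dependency-order script names (name -> header text); ties are alphabetical.
    Raises ValueError on a circular dependency."""
    hdrs = {n: parse_headers(t) for n, t in scripts.items()}
    provider = {p: n for n, h in hdrs.items() for p in h["PROVIDE"]}
    deps = {n: set() for n in scripts}            # script -> scripts that run first
    for n, h in hdrs.items():
        # REQUIREs naming something no script provides are ignored, as here
        deps[n].update(provider[r] for r in h["REQUIRE"] if r in provider)
        for b in h["BEFORE"]:                      # "BEFORE: X" means X depends on n
            if b in provider:
                deps[provider[b]].add(n)
    order, done = [], set()
    while len(order) < len(scripts):
        ready = sorted(n for n in scripts if n not in done and deps[n] <= done)
        if not ready:
            raise ValueError("circular dependency: " + ", ".join(sorted(set(scripts) - done)))
        order.append(ready[0])
        done.add(ready[0])
    return order

def starts_before(scripts, a, b):
    """True if script a is ordered ahead of script b."""
    order = rc_order(scripts)
    return order.index(a) < order.index(b)
```

With the default header slapd is ordered after named and nfsd (the symptom reported above); with "BEFORE: securelevel named" it moves ahead of both, and the REQUIRE-plus-BEFORE variant raises ValueError.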