Comment 72 for bug 155947

Hilton Gibson (hgibson) wrote : Re: [Bug 155947] Re: ldap config causes Ubuntu to hang at a reboot

Good criteria. But please also consider the PAM rules for logins. Some allow
a graceful fall through to pam_unix.so as a backup. This should be a default no
matter what other auth system is used. There are many other PAM auth
systems, e.g. fingerprint, USB key, etc. LDAP is only one of many. So when
configuring lib-auth-client take very careful note of the PAM config files
and the order of the auth mechanisms.

On Thu, Apr 10, 2008 at 12:01 AM, Dustin Kirkland <email address hidden>
wrote:

> Okay, snapshot of conclusions at this point...
>
> (1) Any systems Feisty (and earlier) upgraded to Hardy (and later) would
> require a manual migration of /etc/libnss-ldap.conf and
> /etc/pam-ldap.conf if either or both of those files exist.
>
> (2) None of the 5+ Ubuntu developers who have looked at this bug has
> successfully reproduced the "boot hang" aspect of this bug. A boot hang
> involves a system which is not responsive to a network ping, not responsive
> to banging keys, and toggling caps-lock/num-lock does not affect the
> associated LEDs. (That's a crude definition, of course, but some decent
> guidelines.) ANYONE who is able to reproduce such a boot hang, please
> respond and attach (a cleansed copy) of:
> * /var/log/syslog (as retrieved from a subsequent rescue boot)
> * /etc/ldap.conf
> * /etc/nsswitch.conf
> * /etc/libnss-ldap.conf
> * /etc/pam-ldap.conf
>
> (3) We have been able to reproduce a "hang on login". I'd argue that
> this is a "functions as designed" scenario. If you require an LDAP
> server to login, and it's not available, logins should not succeed until
> the target LDAP server becomes available. In the case where you want to
> relax that requirement, a system can be configured to use a soft bind
> policy.
>
> :-Dustin
>
> ** Changed in: libnss-ldap (Ubuntu)
> Status: Confirmed => Incomplete
>
> --
> ldap config causes Ubuntu to hang at a reboot
> https://bugs.launchpad.net/bugs/155947
>
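
The ordering concern raised in this comment can be checked mechanically. The following is an added example, not part of the bug report or of any Ubuntu package: a simplified model of PAM `auth` control flow that reports whether a login can still succeed through pam_unix.so when pam_ldap.so fails. The two stacks are constructed samples, and the handling of a missing `default=` as `bad` is an assumption of this model.

```python
import re

# Keyword controls and their bracket equivalents, per pam.conf(5),
# reduced to the two outcomes this model distinguishes.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample: LDAP is mandatory, no local fallback.
FRAGILE = """auth requisite pam_ldap.so
auth required  pam_unix.so use_first_pass"""
# Constructed sample: local accounts still work when LDAP is unreachable.
FALLBACK = """auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required  pam_permit.so"""

def parse_stack(text):
    """Return [(actions, module)] for each 'auth' line; other lines are skipped."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS.get(control)
        if actions:
            stack.append((actions, module))
    return stack

def login_succeeds(text, failing=("pam_ldap.so",)):
    """Walk the stack: modules in `failing` and pam_deny.so fail, all others succeed."""
    stack, failed, granted, i = parse_stack(text), False, False, 0
    while i < len(stack):
        actions, module = stack[i]
        ok = module not in failing and module != "pam_deny.so"
        # Assumption of this model: an outcome with no rule and no default= is "bad".
        act = actions.get("success" if ok else "default", actions.get("default", "bad"))
        i += 1
        if act.isdigit():
            i += int(act)                      # jump over the next N modules
        elif act in ("ok", "done"):
            granted = granted or not failed
            if act == "done" and not failed:
                return True
        elif act in ("bad", "die"):
            failed = True
            if act == "die":
                return False
    return granted and not failed
```

`login_succeeds(FRAGILE)` is False and `login_succeeds(FALLBACK)` is True with LDAP unavailable; running it over a real `/etc/pam.d/common-auth` before rebooting shows whether a local account remains usable.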