Date: Fri, 28 Apr 2006 14:14:00 +0200
From: Pierre-Francois LAURAND <francois.laurand@univ-tours.fr>
To: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Cc: freebsd-ports@freebsd.org
Subject: Re: slapd starting too late...
Message-ID: <44520708.40102@univ-tours.fr>
In-Reply-To: <20060428122657.U52948@hades.admin.frm2>
References: <4451ECF7.30506@univ-tours.fr> <20060428122657.U52948@hades.admin.frm2>

Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Fri, 28 Apr 2006, Pierre-Francois LAURAND wrote:
>
>> Hi,
>>
>> We are using OpenLDAP as an authentication backend on a FreeBSD
>> 6.1-RC system.
>> OpenLDAP port ( net/openldap23-server ) has been installed with the
>> RCORDER option activated, so /etc/rc.d/slapd is available instead of
>> ${PREFIX}/etc/rc.d/slapd.sh.
>>
>> When the system is starting, slapd comes up too late, after many
>> other daemons that need to retrieve user information:
>> nfsd/mountd ( when /etc/exports contains options like
>> -mapall=someuser,-maproot=someone... ), named ( when launched with -u
>> ), dhcpd, mysql, httpd.... All these daemons require an unprivileged
>> user ( not in ldap, but in /etc/master.passwd ) to run, but during the
>> boot process, these daemons are waiting for slapd in an endless loop.
>> /var/log/message and /var/log/all.log only show messages like :
>>
>> nss_ldap: failed to bind to LDAP server
>> ldapi://%2fvar%2frun%2fopenldap%2fldapi/: Internal (implementation specific) error
>>
>> In my case, slapd should be launched very early, before other daemons
>> that use getpw* system calls.
>>
>> /etc/nsswitch.conf contains :
>> group: files [success=return notfound=continue] ldap [success=return notfound=return unavail=return]
>> passwd: files [success=return notfound=continue] ldap [success=return notfound=return unavail=return]
>> hosts: files dns
>> networks: files
>> shells: files
>>
>> So, could you help me find how I can tell slapd to start earlier
>> during the rc boot stage ? I think that I will have to play with the
>> rcorder options...
>
> Hi,
>
> I had the same problems here. I added "named" to the BEFORE line in the
> rcNG script so that it looks like this:
> # BEFORE: securelevel named
>

Thanks for your reply, Joerg.
This hack should work if slapd does not need to resolve anything, but if
you are using replicas and/or syncrepl, it may cause problems with hosts
whose names have to be resolved.
I'm quite disappointed with nsswitch.conf because the status/option
passwd: files ... ldap [success=return notfound=return unavail=return]
should return a valid entry when the system boots and daemons are fetching
their running user in the master.passwd backend.

> Note:
> You should add "ldconfig" to the REQUIRE line in the SERVERS rcNG script
> so that it looks like this:
> # REQUIRE: mountcritremote abi ldconfig
> This only applies if your system is NOT CURRENT after Wed Apr 19
> 05:10:34 2006 UTC.
> I hope that this will get MFCd soon to have it in the RELENG_* versions
> too.
> Why do you need this? The answer is quite simple, without this, slapd is
> unable to find the BerkeleyDB libraries which are necessary for the
> bdb-backend.
>
> Additionally you could set "bind_policy soft" in
> ${LOCALBASE}/etc/nss_ldap.conf to let nss_ldap return in case of
> connection problems to slapd instead of waiting forever.
>
> Hope that helps
> Joerg
>
> - --
> The beginning is the most important part of the work.
> -Plato
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (FreeBSD)
>
> iD8DBQFEUfENSPOsGF+KA+MRAt/3AKCsIpgUUIc6Cr+9mYyWZoipTykdbQCgofzB
> C13LJdApWAfugFONCrz4TDs=
> =/q9J
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"

--
Pierre-Francois LAURAND
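
The following is an added example, not part of the original messages or of the FreeBSD rc system: it checks whether the PROVIDE/REQUIRE/BEFORE keywords discussed above actually guarantee that slapd starts before named, by approximating rcorder(8) with awk and tsort. The function names are hypothetical, the rc scripts are constructed samples, and the REQUIRE lines of slapd and named are assumptions; only the edited BEFORE and SERVERS REQUIRE lines come from the thread.

```sh
#!/bin/sh
# Added example: approximate rcorder(8) dependency handling with awk + tsort.

# Print "A B" pairs meaning "A starts before B" for every rc script in dir $1.
rc_edges() {
    for f in "$1"/*; do
        awk '
            /^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[$i] = 1 }
            /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[$i] = 1 }
            /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[$i] = 1 }
            END {
                for (p in prov) {
                    print p, p                  # register the node itself
                    for (r in req) print r, p   # requirement runs first
                    for (b in bef) print p, b   # this script runs before b
                }
            }' "$f"
    done
}

# True if the keywords guarantee $1 starts before $2 in dir $3: adding the
# reverse edge must then create a cycle, which tsort reports on stderr.
guaranteed_before() {
    err=$( { rc_edges "$3"; echo "$2 $1"; } | tsort 2>&1 >/dev/null || true )
    [ -n "$err" ]
}

# Write constructed sample scripts into dir $1; $2 is slapd's BEFORE list.
# The REQUIRE lines for named and slapd are assumed, not taken from the ports.
make_sample() {
    printf '# PROVIDE: SERVERS\n# REQUIRE: mountcritremote abi ldconfig\n' > "$1/SERVERS"
    printf '# PROVIDE: named\n# REQUIRE: SERVERS\n' > "$1/named"
    printf '# PROVIDE: slapd\n# REQUIRE: SERVERS\n# BEFORE: %s\n' "$2" > "$1/slapd"
}

# Report the verdict for one BEFORE list ($1) on a fresh sample directory.
check() {
    d=$(mktemp -d) && make_sample "$d" "$1"
    if guaranteed_before slapd named "$d"; then echo "BEFORE: $1 -> slapd before named"
    else echo "BEFORE: $1 -> order not guaranteed"; fi
    rm -rf "$d"
}

check "securelevel"
check "securelevel named"
```

Pointing `guaranteed_before` at a copy of the real /etc/rc.d directory gives the same answer for the installed scripts; on a live FreeBSD system, `rcorder /etc/rc.d/*` shows the resulting order directly.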