Recently I was setting up a RedHat 5 machine that uses LDAP for authentication, but its network connection was down. Its /etc/nsswitch.conf file told it to check its files (local) first for user information and then check LDAP if that failed. Trying to log in as root (a local user) failed with a 30 second pause and a reset back to the login prompt. It was fairly obvious that there was a timeout issue somewhere. The system had been told by /etc/nsswitch.conf to check local users first (root), but it still timed out! How frustrating!
After a little googling I found another tormented soul with the same problem. Sure enough, it was a timeout issue with LDAP. That does not explain why it still passes over the "files" setting and goes straight to LDAP, but sure enough the following settings, put in my /etc/ldap.conf file, allowed me to log in as root. Much thanks to backdrift.org for this.
    # try bumping these lower if need be
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_reconnect_tries 3          # no. of times to double the sleep time
    nss_reconnect_sleeptime 4      # initial sleep value
    nss_reconnect_maxsleeptime 16  # max sleep value to cap at
    nss_reconnect_maxconntries 2   # how many tries before sleeping
    # This leads to a delay of 28 seconds (4+8+16=28)
    # per lookup if the server is not available.
The above are my settings. I had to bump them lower than the website's example to get them to work. To check whether this is your problem, set all the values to 1.
There seem to be some bugs logged with RedHat on this issue. Tweaking the timings helps get around it.
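As an added example (not from the original post or from nss_ldap itself), the script below works out the worst-case delay implied by the nss_reconnect_* values in an ldap.conf file, using the back-off the comment above describes (initial sleep, doubled per retry, capped at the maximum), and then times a lookup of a local user with getent so you can compare the two; the fallback values used when a key is absent are the post's own settings, not nss_ldap's built-in defaults.

```shell
#!/bin/sh
# Added example: estimate nss_ldap's per-lookup back-off delay from ldap.conf
# and compare it with how long a local-user lookup actually takes.

# Total sleep before nss_ldap gives up on an unreachable server: the initial
# sleep, doubled on each retry, each capped at the maximum sleep (4+8+16 = 28).
# Usage: reconnect_delay TRIES SLEEPTIME MAXSLEEPTIME
reconnect_delay() {
    tries=$1; sleep_s=$2; max_s=$3; total=0; i=0
    while [ "$i" -lt "$tries" ]; do
        s=$sleep_s
        [ "$s" -gt "$max_s" ] && s=$max_s
        total=$((total + s)); sleep_s=$((sleep_s * 2)); i=$((i + 1))
    done
    echo "$total"
}

# Numeric value of KEY in an ldap.conf-style FILE (trailing comments ignored);
# DEFAULT is used when the key is absent. Usage: conf_value FILE KEY DEFAULT
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-$3}"
}

# Worst-case per-lookup delay implied by FILE. The fallbacks are the post's
# values, not nss_ldap's built-in defaults (an assumption of this example).
expected_delay_from_conf() {
    reconnect_delay "$(conf_value "$1" nss_reconnect_tries 3)" \
                    "$(conf_value "$1" nss_reconnect_sleeptime 4)" \
                    "$(conf_value "$1" nss_reconnect_maxsleeptime 16)"
}

# Constructed sample ldap.conf carrying the settings quoted in the post.
CONF=$(mktemp); trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
timelimit 120
bind_timelimit 120
nss_reconnect_tries 3           # no. of times to double the sleep time
nss_reconnect_sleeptime 4       # initial sleep value
nss_reconnect_maxsleeptime 16   # max sleep value to cap at
EOF
echo "worst-case delay per lookup: $(expected_delay_from_conf "$CONF")s"

# If getent is available, time a lookup of a local user; a pause close to the
# figure above points at nss_ldap retrying an unreachable server.
if command -v getent >/dev/null 2>&1; then
    start=$(date +%s); getent passwd root >/dev/null; end=$(date +%s)
    echo "getent passwd root took $((end - start))s"
fi
```

Run it on the affected box with `sh` to see whether the measured pause lines up with the configured back-off; with all values set to 1, as suggested above, the estimate drops to a few seconds.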
The next issue with LDAP was that when there was no network at start-up, the dbus daemon would hang the boot process indefinitely. To get around this you have to do an "Interactive boot", which entails pressing Shift-i when the processes start to boot; the start-up screen tells you when to do it.
Anyway, this is a pain if you want to boot without network, so I found another bug logged with RedHat that has some workarounds. The one that worked for me is the following ldap.conf setting.
nss_initgroups_ignoreusers root,bin,daemon,adm,lp,sync,shutdown,halt,mail,uucp,operator,games,gopher,ftp,nobody,dbus,oprofile,vcsa,avahi-autoipd,ntp,qemu,polkituser,rpc,rpcuser,nfsnobody,rtkit,distcache,nscd,tcpdump,avahi,apache,mailnull,smmsp,openvpn,named,smolt,webalizer,nm-openconnect,postgres,sshd,postfix,dovecot,torrent,pulse,haldaemon,mysql,hsqldb,jetty,exim,squid,backuppc,news,gdm,tomca
This setting worked for me, but it is a static fix: if another group is added to the system it might cause the hang again. There were some other suggested fixes in the thread, such as moving the LDAP start-up earlier in the boot order. Feel free to read the thread.
The explanation for this issue is that nsswitch unfortunately assumes that a user can be a member of groups in other databases, so the group-membership (initgroups) lookup for a local user such as root still queries LDAP, and that lookup hangs when the server is unreachable.