bind_policy hard broken in ldap.conf in 17.10

Bug #1732735 reported by Reinhard
Affects Status Importance Assigned to Milestone
ldap-auth-client (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

A scripted installation of an ldap-client that is WORKING in Ubuntu 16.04 is broken in Ubuntu 17.10.
In ldap.conf:
host ldap01 ldap02 (was working in 16.04)
has to be replaced with:
host 10.0.0.9 10.0.0.10

otherwise the system stays in an endless loop at boot up!

The change from hostname to IP has to be done with a rescue system.

Revision history for this message
Reinhard (reinhard-fink) wrote :

Did more testing in Ubuntu 17.10:
in ldap.conf:

host 10.0.0.9 10.0.0.10 => IP is working

host ldap01 ldap02 => hostname is NOT working

host ldap01.app.tsn => FQHN is NOT working

and NOT working does not mean just that ldap is broken; it means the PC stays in an endless boot loop
:-(

Revision history for this message
Reinhard (reinhard-fink) wrote :

It looks like there is a problem when the ldap-client searches with exponential backoff for the servers:

The following change seems to fix the problem, BUT a rational-sounding default has to be changed?

In /etc/ldap.conf:

default Reconnect policy:

    bind_policy hard

has to be changed to:

    bind_policy soft

then:

In /etc/ldap.conf: -> host ldap01 ldap02 works as expected, and a PC without network cable boots normally.
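As an added example (not code from this report or from the edvapp scripts), the following POSIX shell check flags the combination the two comments above describe: `bind_policy hard` (also the default when the key is absent) together with servers given as hostnames in `host`/`uri` while nsswitch.conf still routes passwd/group/shadow to ldap. The sample configs it creates are constructed here and mirror the three variants tried in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Lints an nss_ldap/pam_ldap setup for
# the boot-hang combination: "bind_policy hard" (default if the key is absent)
# plus hostname-based servers in "host"/"uri", while nsswitch.conf still sends
# passwd/group/shadow lookups to ldap. Returns 1 when the combination is risky.
# Usage: lint_ldap_boot_hang LDAP_CONF NSSWITCH_CONF
lint_ldap_boot_hang() {
    ldapconf=$1 nsswitch=$2
    policy=$(awk 'tolower($1)=="bind_policy" {p=tolower($2)}
                  END {print (p=="" ? "hard" : p)}' "$ldapconf")
    # Server names from "host" lines and from "uri" lines (scheme/port stripped).
    names=$(awk 'tolower($1)=="host" {for (i=2;i<=NF;i++) print $i}
                 tolower($1)=="uri"  {for (i=2;i<=NF;i++) {sub(/^ldaps?:\/\//,"",$i);
                                       sub(/[:\/].*/,"",$i); print $i}}' "$ldapconf")
    hostnames=0
    for n in $names; do
        # Only dotted-quad IPv4 literals avoid a DNS lookup; anything else counts
        # as a hostname (IPv6 literals are counted too, a conservative choice).
        case $n in *[!0-9.]*) hostnames=$((hostnames + 1)) ;; esac
    done
    nss_ldap=$(grep -Ec '^[[:space:]]*(passwd|group|shadow):.*[[:space:]]ldap([[:space:]]|$)' \
                   "$nsswitch" || true)
    if [ "$policy" = hard ] && [ "$hostnames" -gt 0 ] && [ "$nss_ldap" -gt 0 ]; then
        echo "RISK: bind_policy hard, $hostnames hostname server(s), $nss_ldap nss map(s) on ldap"
        return 1
    fi
    echo "OK: bind_policy=$policy, hostname servers=$hostnames, nss maps on ldap=$nss_ldap"
}

# Constructed sample configs mirroring the three variants tried in the report.
dir=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' \
    > "$dir/nsswitch.conf"
printf 'base dc=example,dc=org\nhost ldap01 ldap02\nbind_policy hard\n' > "$dir/ldap-hard-names.conf"
printf 'base dc=example,dc=org\nhost ldap01 ldap02\nbind_policy soft\n' > "$dir/ldap-soft-names.conf"
printf 'base dc=example,dc=org\nhost 10.0.0.9 10.0.0.10\n' > "$dir/ldap-hard-ips.conf"
for f in "$dir"/ldap-*.conf; do
    printf '%s: ' "$(basename "$f")"
    lint_ldap_boot_hang "$f" "$dir/nsswitch.conf" || :
done
```

Only the hostname-plus-hard variant is flagged; switching to `bind_policy soft` or to IP literals, the two workarounds found in this report, both pass.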

summary: - hostname lookup broken in ldap.conf
+ bind_policy hard broken in ldap.conf
affects: xorg (Ubuntu) → ldap-auth-client (Ubuntu)
Reinhard (reinhard-fink)
summary: - bind_policy hard broken in ldap.conf
+ bind_policy hard broken in ldap.conf in 17.10
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

What are you using for the nss passwd/group maps in /etc/nsswitch.conf for ldap? nss_ldap? sssd?

How are the ldap01 and ldap02 hostnames resolved, via dns and domain search in resolv.conf? Or via /etc/hosts?

Do you have system users and groups in ldap as well?

Changed in ldap-auth-client (Ubuntu):
status: New → Incomplete
Revision history for this message
Reinhard (reinhard-fink) wrote :

@Andreas:
Hello Andreas, this is the changed part of my nsswitch.conf:
...
passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4
...

ldap01 & ldap02 should be resolved via DNS and domain search in resolv.conf, so it is possible to move ldap-servers to different IPs. There are no additional entries in /etc/hosts.

There is one admin-user "worker" and one standard-user "user" on the host, who should work even without any network. All other users come from an LDAP tree and have an NFS home dir.

my servers are set up with scripts from:
https://github.com/edvapp/networkbox

and clients are set up & managed with scripts from:
https://github.com/edvapp/autoinstall/tree/master/laus/scriptsForClasses/APP1804
https://github.com/edvapp/autoinstall/blob/master/laus/scriptsForClasses/APP1804/410-createLDAPClient.sh

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for ldap-auth-client (Ubuntu) because there has been no activity for 60 days.]

Changed in ldap-auth-client (Ubuntu):
status: Incomplete → Expired