Comment 9 for bug 652433

Russ Allbery (rra-debian) wrote : Re: [Bug 652433] Re: Init script dependency error: krb5-kdc starts before slapd

Thomas Schweikle <email address hidden> writes:

> LDAP is robust against Kerberos not running at the moment slapd starts.

I'm not sure that this is the case for an LDAP replica that uses GSS-API
to authenticate to the master, since I believe the very first thing that
slapd does is attempt the authentication to the master.

If this is not the case, or if slapd handles this cleanly (by sleeping and
retrying until it can get a connection without any other negative
consequences), then it's indeed robust here and slapd can start first.
But someone should verify that rather than assuming, since I know we've
had trouble with it in the past.

> Kerberos can't be robust about that. No way. If it stores data in LDAP
> it has to have access to the server.

It can. All it has to do is sleep if it can't open an LDAP connection for
a few seconds and then try again.

There's a tradeoff, of course, in that you lose error reporting from the
init script if it currently attempts to open the LDAP connection before
backgrounding itself. I'm not sure if that's the case or not. If it
already doesn't open the LDAP connection until after it's backgrounded,
you lose nothing by adding some pauses and repeated attempts to contact
the LDAP server.

Ideally, they should both be robust against the other not being up yet.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
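
A sketch of the sleep-and-retry approach discussed in this comment, as an added example that is not part of the original message and not code from krb5-kdc, slapd, or their packaging. It bounds the retries in the foreground so an init script can still report failure if LDAP never comes up; the function names, the `LDAP_URI` variable, and the `ldapsearch` root DSE probe are assumptions.

```shell
#!/bin/sh
# Added illustration: bounded sleep-and-retry before starting a daemon
# that needs LDAP. All names here are hypothetical.

# Probe (assumption): an anonymous root DSE read succeeds once slapd is
# accepting connections. LDAP_URI defaults to the local ldapi socket.
ldap_up() {
    ldapsearch -x -H "${LDAP_URI:-ldapi:///}" -s base -b '' \
        '(objectClass=*)' namingContexts
}

# wait_for PROBE ATTEMPTS DELAY
# Runs PROBE up to ATTEMPTS times, sleeping DELAY seconds between tries.
# Returns 0 as soon as PROBE succeeds, 1 if every attempt fails.
wait_for() {
    wf_probe=$1
    wf_attempts=$2
    wf_delay=$3
    wf_n=1
    while [ "$wf_n" -le "$wf_attempts" ]; do
        if "$wf_probe" >/dev/null 2>&1; then
            return 0
        fi
        if [ "$wf_n" -lt "$wf_attempts" ]; then
            sleep "$wf_delay"
        fi
        wf_n=$((wf_n + 1))
    done
    return 1
}

# start_after_ldap PROBE ATTEMPTS DELAY COMMAND [ARGS...]
# Waits in the foreground, so a failure is still visible to the caller
# (the error-reporting tradeoff mentioned above), then runs COMMAND.
start_after_ldap() {
    sa_probe=$1
    sa_attempts=$2
    sa_delay=$3
    shift 3
    if ! wait_for "$sa_probe" "$sa_attempts" "$sa_delay"; then
        echo "LDAP not reachable after $sa_attempts attempts; not starting: $*" >&2
        return 1
    fi
    "$@"
}

# Example call (not executed here; daemon path is a placeholder):
#   start_after_ldap ldap_up 10 3 /path/to/kdc-daemon
```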