nslcd should have tomcat7 and tomcat8 in X-Start-Before

Bug #1605167 reported by John Cooper on 2016-07-21
Affects: nss-pam-ldapd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

To make sure that ldap users are available to run services as on boot up, the nslcd daemon has an X-Start-Before header in its init file, /etc/init.d/nslcd.

This currently has various services including apache and email servers but does not have tomcat services.
Could tomcat7 and tomcat8 both be added to the header so that they also wait for nslcd?

The error in the logs currently is:

    start-stop-daemon: user 'xyz' not found

Arthur de Jong (adejong) wrote :

I would strongly recommend against putting system users (e.g. tomcat user) in LDAP. Especially it is difficult to do this right during boot and shutdown. The default configuration of nss-pam-ldapd also filters uids < 1000 out of queries to avoid this.

The reason that some services are listed in nslcd's init script in X-Start-Before is that those services (can) use normal user accounts. For example if a mail server would be started before nslcd is available mail could be rejected.

John Cooper (choffee) wrote :

We run the tomcat process as an ldap user to give it access to NFS based storage.

Maybe there is a more logical way to specify this, could the tomcat services depend on remote storage that would be dependent on ldap users if installed?

Arthur de Jong (adejong) wrote :

If you are using NFS you probably already use the NFS id mapper which should take care of things if you are using the same user names across servers, even if the numeric ids differ.

I have managed some environments where some system users were in LDAP for legacy reasons. In that case I just copied the LDAP user to /etc/passwd also.

If you can confirm that adding tomcat7 and tomcat8 to X-Start-Before solves your problem I can add it but it is becoming a very long list.
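An added example, not part of the bug thread and not from the nss-pam-ldapd package: a small POSIX shell check that parses the LSB header of an init script and reports which services are missing from its X-Start-Before line, so the ordering can be verified before relying on an LDAP-backed service user at boot. The init header below is a constructed sample in the shape of /etc/init.d/nslcd's header, not the real file.

```shell
#!/bin/sh
# Constructed sample LSB init header (assumption: not the actual nslcd script).
SAMPLE_INIT_SCRIPT='#!/bin/sh
### BEGIN INIT INFO
# Provides:          nslcd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Start-Before:    apache2 exim4 postfix
# Short-Description: LDAP connection daemon
### END INIT INFO
'

# Print the services listed in X-Start-Before, one per line.
# $1: full text of an init script (only the BEGIN/END INIT INFO block is read).
lsb_start_before() {
    printf '%s\n' "$1" |
        sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' |
        sed -n 's/^# X-Start-Before:[[:space:]]*//p' |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print every service from "$@" (after the script text in $1) that is NOT in
# X-Start-Before; prints nothing when all of them are already listed.
missing_start_before() {
    script=$1
    shift
    have=$(lsb_start_before "$script")
    for svc in "$@"; do
        printf '%s\n' "$have" | grep -qx -- "$svc" || printf '%s\n' "$svc"
    done
}

# Stand-alone usage: report which tomcat services would still start
# without waiting for nslcd under the sample header.
missing_start_before "$SAMPLE_INIT_SCRIPT" tomcat7 tomcat8
```

Run against a real script with `missing_start_before "$(cat /etc/init.d/nslcd)" tomcat7 tomcat8`; any name it prints is a service that the LSB ordering does not yet place after nslcd.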
