nslcd should have tomcat7 and tomcat8 in X-Start-Before

Bug #1605167 reported by John Cooper
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nss-pam-ldapd (Ubuntu)

Bug Description

To make sure that ldap users are available to run services as on boot up the nslcd daemon has a X-Start-Before header in it's init file, /etc/init.d/nslcd.

This currently has various services included apache and email servers but does not have tomcat services.
Could tomcat7 and tomcat8 both be added to the header so that they also wait for nslcd?

The error in the logs currently is:

    start-stop-daemon: user 'xyz' not found

Revision history for this message
Arthur de Jong (adejong) wrote :

I would strongly recommend against putting system users (e.g. tomcat user) in LDAP. Especially it is difficult to this right during boot and shutdown. The default configuration of nss-pam-ldapd also filters uids < 1000 out of queries to avoid this.

The reason that some services are listed in nslcd's init script in X-Start-Before is that those services (can) use normal user accounts. For example if a mail server would be started before nslcd is available mail could be rejected.

Revision history for this message
John Cooper (choffee) wrote :

We run the tomcat process as an ldap user to give it access to NFS based storage.

Maybe there is a more logical way to specify this, could the tomcat services depend on remote storage that would be dependent on ldap users if installed?

Revision history for this message
Arthur de Jong (adejong) wrote :

If you are using NFS you probably already use the NFS id mapper which should take care of things if you are using the same user names across servers, even if the numeric ids differ.

I have managed some environments where some system users were in LDAP for legacy reasons. In that case I just copied the LDAP user to /etc/passwd also.

If you can confirm that adding tomcat7 and tomcat8 to X-Start-Before solves your problem I can add it but it is becoming a very log list.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.