LDAP default "bind=hard" policy is problematic

/etc/ldap.conf (CentOS/RHEL) and /etc/libnss-ldap.conf (Debian) contain an interesting block:

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
# bind_policy hard

By default (when the line is commented out) the policy is hard. This means that LDAP queries wait and retry for a long period if the LDAP server is down. soft means try once and return, even if the attempt failed.

Then yet again we get the chicken-and-egg problem.

Long story short: on a machine that is both LDAP client and LDAP server, services that start before LDAP and resolve user or group names simply freeze for a long period. On CentOS this happens with the dbus service. (Even if the user and group are defined locally in passwd and group, an LDAP query is still triggered to look up additional group memberships.)

By the way, Debian's "hard" policy differs from CentOS's "hard" policy: Debian waits a few seconds while CentOS waits about 2 minutes. The "how long should I wait" parameters are set in the code (ldap-nss.h) and can't be tuned from the config file.

So as a workaround I've set "bind_policy soft" on my LDAP server+client, but I believe a better solution is needed. Either:

  • Default should be soft (just like DNS default)
  • CentOS timeout should be lower, like Debian
  • Timeouts should be tuneable through the config file

The first two bullets are probably "management decisions", but I'll add the 3rd bullet to my TODO 🙂
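To make the "commented out means hard" rule easy to check on a fleet, here is a small audit script. It is an added example, not code from the post or from nss_ldap: it reads an nss_ldap-style config file, reports the effective bind_policy (defaulting to hard when the key is absent or only present as a comment, as the post describes), shows timelimit and bind_timelimit if they are set, and returns non-zero when the hard policy is in effect. The sample config files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of nss_ldap or the original post): audit an nss_ldap
# configuration file for the boot-time hang described above. The "hard when
# absent or commented out" default is taken from the post; the sample file
# contents below are constructed for the demo.

# effective_value FILE KEY DEFAULT
# Prints the value of the last uncommented KEY line in FILE, or DEFAULT if the
# key is absent or only appears as a "# key value" comment.
effective_value() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                # a commented-out key still means "default"
        tolower($1) == tolower(key) { v = $2 }   # last occurrence wins
        END { print v }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# audit_ldap_conf FILE
# Prints the effective reconnect policy and the timelimits (or "unset"), and
# returns 1 when the policy is hard (lookups may block for minutes while the
# LDAP server is unreachable), 0 when it is soft.
audit_ldap_conf() {
    policy=$(effective_value "$1" bind_policy hard)
    bind_tl=$(effective_value "$1" bind_timelimit unset)
    search_tl=$(effective_value "$1" timelimit unset)
    printf '%s: bind_policy=%s bind_timelimit=%s timelimit=%s\n' \
        "$1" "$policy" "$bind_tl" "$search_tl"
    case "$policy" in
        soft) return 0 ;;
        *)
            printf 'WARNING: hard reconnect policy; set "bind_policy soft" if this host is also the LDAP server\n'
            return 1 ;;
    esac
}

# Demo on two constructed config files: the shipped default and the workaround.
demo_dir=$(mktemp -d)
printf '# bind_policy hard\nbase dc=example,dc=com\n' > "$demo_dir/default.conf"
printf 'bind_policy soft\nbind_timelimit 5\ntimelimit 5\n' > "$demo_dir/fixed.conf"
audit_ldap_conf "$demo_dir/default.conf" || true
audit_ldap_conf "$demo_dir/fixed.conf"
rm -rf "$demo_dir"
```

Run it against /etc/ldap.conf or /etc/libnss-ldap.conf on the host in question; a non-zero exit status from audit_ldap_conf is the case the post warns about.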

2 thoughts on “LDAP default "bind=hard" policy is problematic”

  1. Calum

    Amen. I don't want stuff hanging for 5 minutes while the machine is booting before it decides the LDAP server is really down/unavailable.

    I use:

    timelimit 5
    bind_timelimit 5
    bind_policy soft

