/etc/ldap.conf (CentOS/RHEL) and /etc/libnss-ldap.conf (Debian) has an interesting line:
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# bind_policy hard
By default (when commented out) it is set to hard. This means that LDAP queries would wait & retry a long period if LDAP server is down. soft means try once, and return even if failed.
Then yet again we get the chicken & egg problem.
Long story short: on an LDAP-client+server machine, services that start before LDAP would simply freeze for a long period, if they resolve user/group names. On CentOS it happens with the dbus service. (Even if user/group are set locally on passwd/group, an LDAP query would be triggered to find additional group membership).
By the way, on Debian "hard" policy differs from CentOS's "hard" policy. Debian waits a few seconds while CentOS waits about 2 minutes. The "how long should I wait" params are set in the code (ldap-nss.h), and can't be tuned from the config file.
So as a workaround I've set "bind_policy soft" on my LDAP server+client; but I believe that a better solution should be done. Either:
- Default should be soft (just like DNS default)
- CentOS timeout should be lower, like Debian
- Timeouts should be tuneable through the config file
First two bullets are probably "management decisions", but I'll add the 3rd bullet to my TODO 🙂