On Sun, 4 Jan 2009, root wrote:

Package: libnss-ldap
Version: 261-2.1
Severity: critical
Justification: breaks the whole system

You very likely are simply misconfigured, but I'll not yet drop
the severity to a more appropriate value.

The ldap entry on nsswitch.conf for ldap authentication like:

passwd:         compat ldap

Why compat ... if you aren't using NIS/NIS+, that should be 'files ldap'

group:          compat ldap
shadow:         compat ldap

cause the whole system to hang. The system loaded till gdm, but I just got an X 
mouse pointer. The system doesn't respond to any keyboard command, so that I 
can't kill the Xserver through ctrl+alt+backspace. I can't go to the terminal 
with ctrl+alt+f1-f6 either. Over SSH there is no connection to the system, because 
the system is hanging.

There should be informative messages in /var/log/auth.log, and possibly
/var/log/syslog...  I can't be of much use without seeing some of them.

If I remove the ldap entry on nsswitch.conf, the system works normally.

1) boot up without LDAP auth
2) add ldap to nsswitch.conf
3) getent passwd <some valid user in ldap>
4) tweak /etc/libnss-ldap.conf until 3 works

Once that all is working, the next cause of hang is based upon
installed package set - and their daemon user entries in /etc/passwd.

You will need to add and tweak the following line in libnss-ldap.conf:
nss_initgroups_ignoreusers root,openldap,....

IE: if gdm hangs, and there is a system userid for the gdm daemon, add
its name to the ignoreusers line.

Why isn't the line already there and correct ?
It would require going through the entire archive and scanning init.d
files for anything that might possibly start before nscd (if installed),
or the local slapd daemon (if installed) and adding those daemon users
to the line...   That is necessary, but not sufficient in that the
sysadmin may change start order :(

I'd actually recommend you do what I have done - install libnss-ldapd
instead.
--
Rick Nelson
Intel engineering seem to have misheard Intel marketing strategy. The phrase
was "Divide and conquer" not "Divide and cock up"
(By iia...@www.linux.org.uk, Alan Cox)
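
An added example (not part of the original message, and not code from the libnss-ldap package): one way to find local daemon accounts that are missing from the nss_initgroups_ignoreusers line discussed above. The function names, the UID limit of 1000 for system accounts and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: local system accounts are those with UID < 1000.

# system_users PASSWD [LIMIT]: local account names with UID below LIMIT.
system_users() {
    awk -F: -v limit="${2:-1000}" \
        '$1 !~ /^[#+-]/ && $3 ~ /^[0-9]+$/ && ($3 + 0) < (limit + 0) { print $1 }' "$1"
}

# ignored_users CONF: names already listed on nss_initgroups_ignoreusers.
ignored_users() {
    awk '$1 == "nss_initgroups_ignoreusers" {
        for (f = 2; f <= NF; f++) {
            n = split($f, names, ",")
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }
    }' "$1"
}

# missing_users PASSWD CONF [LIMIT]: system accounts not yet on the line.
missing_users() {
    ignored=$(ignored_users "$2")
    for u in $(system_users "$1" "${3:-1000}"); do
        printf '%s\n' "$ignored" | grep -qxF -e "$u" || printf '%s\n' "$u"
    done
}

# suggest_line PASSWD CONF [LIMIT]: existing names plus the missing ones.
suggest_line() {
    names=$( { ignored_users "$2"; missing_users "$1" "$2" "${3:-1000}"; } | paste -s -d, - )
    printf 'nss_initgroups_ignoreusers %s\n' "$names"
}

# Constructed sample files (not taken from the bug report).
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
openldap:x:107:115:OpenLDAP Server Account:/var/lib/ldap:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
+::::::
EOF
printf '%s\n' '# constructed' 'nss_initgroups_ignoreusers root,openldap' \
    > "$sample_dir/libnss-ldap.conf"

suggest_line "$sample_dir/passwd" "$sample_dir/libnss-ldap.conf"
```

On a real system the arguments would be /etc/passwd and /etc/libnss-ldap.conf; review the suggested line before copying it into the configuration.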


