Emmanuel Dreyfus wrote:
> On Tue, Aug 12, 2008 at 11:17:13AM +0200, Buchan Milne wrote:
>> Anyway, I will point out that this issue is more or less an FAQ on the
>> nss_ldap list.
>
> IMO, the problem is in slapd: it starts listening for requests while
> it is not ready yet for answering requests.
>
> If the listener was not ready when slapd would do its initgroups() call,
> then NSS would not contact local slapd, it would fall back to other sources
> (/etc/passwd and /etc/group), and everything would be fine.

Hm, I don't think that's true. slap_init_user() which does the initgroups()
call occurs before slapd starts listening on its sockets. While it has its
sockets bound to their respective ports, clients will get a "connection
refused" while the sockets are in this state. It only calls listen() long
after the startup initializations are done, and only then can it receive any
incoming requests.

> What about a new slapd.conf option?
> delayed_service {none|warm|syncrepl}
>
> and slapd would...
> ... behave as it does now for "none"
> ... return LDAP_UNAVAILABLE until initialization is completed for "warm"
> ... return LDAP_UNAVAILABLE until syncrepl catches up with master for "syncrepl"
>
> The latter option would fix the stupid situation where your replica starts
> and answers outdated stuff until syncrepl catches up.

We've discussed that possibility (delaying queries until syncrepl completes) a
few times on -devel in the past. I don't remember now why we didn't do it,
check the archives...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
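
The bind-versus-listen behaviour described in the reply above can be checked directly. This is an added example, not part of the thread and not slapd code; the function names are hypothetical, and it assumes TCP on the Linux loopback interface.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static void loopback(struct sockaddr_in *a, unsigned short port) /* host-order port, 0 = any */
{
    memset(a, 0, sizeof *a);
    a->sin_family = AF_INET;
    a->sin_port = htons(port);
    a->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
}

/* One client connect attempt; returns 0 on success, otherwise errno. */
static int try_connect(unsigned short port)
{
    struct sockaddr_in a;
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    loopback(&a, port);
    rc = connect(fd, (struct sockaddr *)&a, sizeof a) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Probe a server socket while only bound, then after listen(); -1 if setup failed. */
int bind_then_listen_demo(int *before, int *after)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    int ok, srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0) return -1;
    loopback(&a, 0);
    ok = bind(srv, (struct sockaddr *)&a, sizeof a) == 0 &&
         getsockname(srv, (struct sockaddr *)&a, &len) == 0;
    if (ok) *before = try_connect(ntohs(a.sin_port)); /* bound, no listen() yet */
    ok = ok && listen(srv, 8) == 0;
    if (ok) *after = try_connect(ntohs(a.sin_port));  /* kernel now queues it */
    close(srv);
    return ok ? 0 : -1;
}

int main(void)
{
    int b = -1, a = -1, rc = bind_then_listen_demo(&b, &a);
    if (rc == 0) printf("bound only: errno %d (ECONNREFUSED=%d), listening: %d\n", b, ECONNREFUSED, a);
    return rc != 0;
}
```

The second connect succeeds without any accept() call, because once listen() has run the kernel completes the handshake and holds the connection in the backlog.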