/etc/ldap.conf (CentOS/RHEL) and /etc/libnss-ldap.conf (Debian) have an interesting line:
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
# bind_policy hard
By default (when commented out) it is set to hard. This means that LDAP queries wait and retry for a long period if the LDAP server is down; soft means try once and return even if the attempt failed.
And so we get the chicken-and-egg problem again.
Long story short: on a machine that is both an LDAP client and the LDAP server, services that start before LDAP simply freeze for a long period if they resolve user/group names. On CentOS this happens with the dbus service. (Even if the user/group are defined locally in passwd/group, an LDAP query is still triggered to find additional group memberships.)
By the way, Debian's "hard" policy differs from CentOS's "hard" policy: Debian waits a few seconds while CentOS waits about 2 minutes. The "how long should I wait" parameters are set in the code (ldap-nss.h) and can't be tuned from the config file.
So as a workaround I've set "bind_policy soft" on my LDAP server+client; but I believe a better solution should be done. Either:
- The default should be soft (just like the DNS default)
- The CentOS timeout should be lower, like Debian's
- Timeouts should be tunable through the config file
The first two bullets are probably "management decisions", but I'll add the 3rd bullet to my TODO 🙂
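As an added example (not from the original post), a small POSIX shell helper that reports the effective bind_policy of an nss_ldap config file, treating an absent or commented-out directive as "hard" exactly as the default above describes, plus a helper that measures how long a group lookup actually blocks so the freeze can be confirmed before and after the change. The file path, the lookup name and the timeout value are assumptions chosen for illustration.

```shell
#!/bin/sh
# Effective nss_ldap bind_policy: the last uncommented "bind_policy <value>"
# line wins; if none is present (e.g. only "# bind_policy hard"), the
# default is "hard".
effective_bind_policy() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*bind_policy[[:space:]]\{1,\}\([A-Za-z_]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        printf 'hard\n'          # absent or commented out: nss_ldap default
    else
        printf '%s\n' "$val"
    fi
}

# Wall-clock seconds that a group lookup through NSS blocks, bounded by
# a timeout so the check itself cannot hang for minutes. Prints the
# elapsed seconds; a value close to the bound means the lookup froze.
lookup_wait_seconds() {
    name="$1"; bound="$2"
    start=$(date +%s)
    timeout "$bound" getent group "$name" >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# Usage (constructed paths/names; adjust to the host being checked):
#   effective_bind_policy /etc/ldap.conf
#   lookup_wait_seconds someuser 150
```

Run the lookup check once with the LDAP server stopped: with the default policy it should sit near the bound on CentOS, and return almost immediately once "bind_policy soft" is in effect.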