Red Hat Bugzilla – Bug 128246
login times out before nss_ldap has finished, disabling console login
Last modified: 2007-11-30 17:10:46 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031205
Description of problem:
/bin/login is set to time out after 60 seconds of waiting. However,
nss_ldap, when the following lines are set in /etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
takes 140 seconds to return information about the root account if the
LDAP server is unavailable. Therefore, login times out before
nss_ldap can supply an answer, disabling root logins via the console
if the LDAP server is down.
For a server install, this is unacceptable.
Also, the SRPM for util-linux is jacked in several horrible ways (spec
file provides a bogus path to gtk-config, make doesn't create login
binaries, etc.), otherwise I'd have submitted util-linux-2.12-19.srpm.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Unplug network cable and boot system.
2. Try logging in.
3. Wait for quick flash of "Login timed out after 60 seconds" message.
Actual Results: Reboot into single-user mode, set passwd, shadow and
groups lines to just "files" and it works fine.
Expected Results: root user can log into the console even when the
system is offline.
util-linux SRPM would at least build.
In short, dropping the bind timeout in /etc/ldap.conf will work around
Basically, if you strace a login, you'll see it try to connect to each
ldap server a number of times, depending on the number of servers you
have; drop this to a limit under 60 seconds.
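As an added example, not code from the bug report or from nss_ldap, here is a POSIX shell check that estimates how long one NSS lookup can block when every server listed in ldap.conf is unreachable and flags configurations whose worst case reaches login's 60-second timeout. The servers-times-bind_timelimit model, the placeholder hostnames and both sample configs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from nss_ldap: estimate how
# long one NSS lookup can block when every LDAP server in ldap.conf is down,
# and compare that with /bin/login's 60-second timeout from the report.
# Model (an assumption, not nss_ldap's exact retry algorithm): each configured
# server is tried once per lookup and each attempt waits bind_timelimit
# seconds (nss_ldap's default is 30) before giving up.
LOGIN_TIMEOUT=60

# Count servers: a "uri" line may list several URIs, a "host" line several
# hosts; comment lines are skipped.
ldap_server_count() {
    awk '!/^[[:space:]]*#/ && ($1 == "uri" || $1 == "host") { n += NF - 1 }
         END { print n + 0 }' "$1"
}

# Effective bind_timelimit, falling back to nss_ldap's default of 30 s.
ldap_bind_timelimit() {
    awk '!/^[[:space:]]*#/ && $1 == "bind_timelimit" { t = $2 }
         END { print (t == "" ? 30 : t) }' "$1"
}

# Worst-case seconds a lookup blocks with all servers unreachable.
ldap_worst_case_wait() {
    echo $(( $(ldap_server_count "$1") * $(ldap_bind_timelimit "$1") ))
}

# True when the worst case stays below the login timeout.
ldap_config_ok() {
    [ "$(ldap_worst_case_wait "$1")" -lt "$LOGIN_TIMEOUT" ]
}

# Constructed sample configs with placeholder hostnames.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat > "$BAD_CONF" <<'EOF'
# two servers, default bind_timelimit: 2 x 30 s reaches the login timeout
uri ldap://ldap1.example.invalid/ ldap://ldap2.example.invalid/
base dc=example,dc=invalid
EOF
cat > "$GOOD_CONF" <<'EOF'
uri ldap://ldap1.example.invalid/ ldap://ldap2.example.invalid/
base dc=example,dc=invalid
bind_timelimit 10
EOF

for f in "$BAD_CONF" "$GOOD_CONF"; do
    if ldap_config_ok "$f"; then v=ok; else v="reaches ${LOGIN_TIMEOUT}s"; fi
    printf 'worst case %ss (%s)\n' "$(ldap_worst_case_wait "$f")" "$v"
done
```

On a real system, point the functions at /etc/ldap.conf and confirm the estimate empirically by timing `getent passwd root` with the network cable unplugged, as the reporter did.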
Yea, I think you need to drop the timeout - there's really no way
login can know about timeouts inside an nss module.
There is a better fix you should try at least. Find the source RPM,
patch it to simply remove the line:
rc = ldap_initialize (&__session.ls_conn, cfg->ldc_uri);
from ldap-nss.c, line 1106. This should fix the problem.
More information about this function can be found at: