From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031205

Description of problem:
/bin/login is set to time out after 60 seconds of waiting. However, nss_ldap, when the following lines are set in /etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

takes 140 seconds to return information about the root account if the LDAP server is unavailable. Therefore, login times out before nss_ldap can supply an answer, disabling root logins via the console if the LDAP server is down. For a server install, this is unacceptable.

Also, the SRPM for util-linux is jacked in several horrible ways (spec file provides a bogus path to gtk-config, make doesn't create login binaries, etc.), otherwise I'd have submitted util-linux-2.12-19.srpm.

Version-Release number of selected component (if applicable):
util-linux-2.12-18

How reproducible:
Always

Steps to Reproduce:
1. Unplug network cable and boot system.
2. Try logging in.
3. Wait for quick flash of "Login timed out after 60 seconds" message.

Actual Results:
Reboot into single-user mode, set passwd, shadow and groups lines to just "files" and it works fine.

Expected Results:
root user can log into the console even when the system is offline. util-linux SRPM would at least build.

Additional info:

In short, dropping the bind timeout in /etc/ldap.conf will work around this issue. Basically, if you strace a login, you'll see it try to connect to each ldap server a number of times, depending on the number of servers you have; drop this to a limit under 60 seconds.

Yea, I think you need to drop the timeout - there's really no way login can know about timeouts inside an nss module.

There is a better fix you should try at least. Find the source RPM, patch it to simply remove the line:

rc = ldap_initialize (&__session.ls_conn, cfg->ldc_uri);

from ldap-nss.c, line 1106. This should fix the problem. More information about this function can be found at: http://www.zmailer.org/mhalist/2003/msg00517.html

David
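
To check the timeout workaround discussed in the comments above, the following added example (not part of the bug thread or of util-linux/nss_ldap) lists which nsswitch.conf databases consult ldap and times the root lookups against login's 60-second limit. The function names are hypothetical, and the sample nsswitch.conf text is constructed from the lines quoted in the report; run it with the LDAP server unreachable to see the delay login would face.

```python
import grp
import pwd
import time

LOGIN_TIMEOUT = 60.0  # seconds; the /bin/login timeout given in the report

# Constructed sample: the three nsswitch.conf lines from the report, plus an
# unrelated hosts line and a comment to exercise the parser.
SAMPLE_NSSWITCH = """\
# constructed sample
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
"""

def ldap_databases(text):
    """Return the nsswitch databases whose source list includes ldap."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        # Skip action items such as [NOTFOUND=return]; keep source names only.
        names = [s for s in sources.split() if not s.startswith("[")]
        if "ldap" in names:
            found.append(database.strip())
    return found

def root_lookup_seconds(lookups=None):
    """Time the root lookups; a missing entry still counts as an answer."""
    if lookups is None:
        lookups = [(pwd.getpwnam, "root"), (grp.getgrnam, "root")]
    start = time.monotonic()
    for lookup, name in lookups:
        try:
            lookup(name)
        except KeyError:
            pass
    return time.monotonic() - start

def fits_login_timeout(elapsed, budget=LOGIN_TIMEOUT):
    """True when the lookups finish before login would give up."""
    return elapsed < budget

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        print("databases using ldap:", ldap_databases(fh.read()))
    elapsed = root_lookup_seconds()
    print(f"root lookups took {elapsed:.1f}s;",
          "OK" if fits_login_timeout(elapsed) else "login would time out first")
```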