Description of problem:
Our customer reported that since updating to 4.6 the ldap service cannot be started. Our investigation showed that /sbin/runuser caused the problem.

Version-Release number of selected component (if applicable):

How reproducible:
Always, when the ldap server is on localhost.

Steps to Reproduce:
1. Create LDAP environment
2. Authenticate against ldap
3. Restart ldap service

Actual results:
Mar 6 10:07:59 XXX runuser: nss_ldap: failed to bind to LDAP server 127.0.0.1: Can't contact LDAP server
Mar 6 10:07:59 XXX runuser: nss_ldap: reconnecting to LDAP server...

Expected results:
A working ldap service.

Additional info:
It seems that runuser ignores authentication settings and tries to find the ldap user in ldap, regardless of the fact that they are local users. Our solution was putting the ldap and root users into ldap.conf:
nss_initgroups_ignoreusers root,ldap
This is not an issue with runuser - it works as expected. Changing component to nss_ldap as the possible source of the problem.
Easiest workaround:
echo "bind_policy soft" >> /etc/ldap.conf
If you have multiple servers listed in uri or host, this may not necessarily do exactly what you want if the first server fails; in that case, look at the nss_reconnect_tries, nss_reconnect_sleeptime, nss_reconnect_maxsleeptime, nss_reconnect_maxconntries options.
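As an added check (not part of the report or of any comment in this bug), the following POSIX shell script audits an nss_ldap ldap.conf for the two settings discussed here: bind_policy soft, and nss_initgroups_ignoreusers listing both root and ldap so that the startup of the local ldap account never has to go through the LDAP server that is not up yet. The function names and the file-path argument are my own; the sample file contents in the comments are constructed.

```shell
#!/bin/sh
# Added example: audit an nss_ldap ldap.conf for the workarounds from this bug.
# Usage: check_ldap_conf /etc/ldap.conf  (exit 0 = both settings present)

# Print the effective value of a directive: comment and blank lines are
# skipped, the key is matched case-insensitively, and the last occurrence wins
# (that is how nss_ldap reads the file, so it is what we want to report).
ldap_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Return 0 when the file has bind_policy soft and excludes root and ldap from
# initgroups lookups; otherwise report each missing setting on stderr and
# return 1.
check_ldap_conf() {
    conf="$1"
    policy=$(ldap_conf_get "$conf" bind_policy)
    # nss_ldap takes a comma-separated list; strip spaces so "root, ldap" works
    ignore=$(ldap_conf_get "$conf" nss_initgroups_ignoreusers | tr -d ' \t')
    rc=0
    if [ "$policy" != "soft" ]; then
        echo "$conf: bind_policy is '$policy' (default is hard), not soft" >&2
        rc=1
    fi
    for u in root ldap; do
        case ",$ignore," in
            *",$u,"*) ;;
            *) echo "$conf: nss_initgroups_ignoreusers does not list $u" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Run directly with a path to audit that file; sourced, only the functions load.
if [ $# -eq 1 ]; then
    check_ldap_conf "$1"
fi
```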
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/errata/ If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.