Description of problem:
If the LDAP server is down, the system should search local files for netgroups given the nsswitch.conf entry

    netgroup: ldap files

However, instead of searching the local /etc/netgroup file, it just returns an empty netgroup after a 2 minute timeout.

    [root@host etc]# cat /etc/netgroup
    testgrp (-,test,-) (foo,,domain.com)
    [root@host etc]# time getent netgroup testgrp
    testgrp

    real    2m4.030s
    user    0m0.006s
    sys     0m0.007s

If I add SUCCESS=continue to nsswitch.conf, then it works:

    [root@host etc]# grep ^netgroup /etc/nsswitch.conf
    netgroup: ldap [SUCCESS=continue] files
    [root@host etc]# time getent netgroup testgrp
    testgrp (-, test, -) (foo, , domain.com)

    real    2m4.032s
    user    0m0.004s
    sys     0m0.008s

It appears that nss_ldap is returning NSS_SUCCESS for netgroups when the LDAP server is not reachable. Shouldn't it be returning NSS_UNAVAIL instead?

Version-Release number of selected component (if applicable):
nss_ldap-253-25.el5

How reproducible:
every time

Steps to Reproduce:
1. Edit /etc/ldap.conf and point it at any system that's NOT running an LDAP server:

    uri ldap://not-an-ldap-server.example.com/

2. Edit /etc/nsswitch.conf and tell it to look at ldap first, then files, for netgroup:

    netgroup: ldap files

3. Define a netgroup in /etc/netgroup:

    testgrp (-,test,-) (foo,,domain.com)

4. Run getent on the netgroup:

    getent netgroup testgrp

Actual results:
An empty netgroup:

    # getent netgroup testgrp
    testgrp

Expected results:
The netgroup as defined in /etc/netgroup:

    # getent netgroup testgrp
    testgrp (-, test, -) (foo, , domain.com)
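As an added illustration (not part of the bug report and not nss_ldap or glibc code), the following Python simulation of glibc's nsswitch.conf source/action walk shows why "netgroup: ldap files" yields an empty netgroup when the ldap module reports SUCCESS, and why either [SUCCESS=continue] or a proper NSS_UNAVAIL status lets the lookup fall through to /etc/netgroup. The function names, the simulated ldap module and the embedded copy of /etc/netgroup are constructed assumptions.

```python
import re

# NSS status codes as returned by glibc service modules (constructed simulation)
UNAVAIL, NOTFOUND, SUCCESS = "UNAVAIL", "NOTFOUND", "SUCCESS"
# glibc defaults: only SUCCESS stops the walk; every other status continues
DEFAULT_ACTIONS = {SUCCESS: "return"}
# Constructed copy of the /etc/netgroup shown in the report
NETGROUP_FILE = "testgrp (-,test,-) (foo,,domain.com)\n"

def parse_nsswitch(line):
    """Parse 'netgroup: ldap [SUCCESS=continue] files' into
    [('ldap', {'SUCCESS': 'continue'}), ('files', {})]; '!' negation not handled."""
    _, _, spec = line.partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):                 # action block for the previous source
            for item in tok.strip("[]").split():
                status, action = item.split("=")
                sources[-1][1][status.upper()] = action.lower()
        else:
            sources.append((tok, {}))
    return sources

def nss_lookup(sources, modules):
    """Walk the sources in order, stopping when the chosen action is 'return'."""
    status, result = NOTFOUND, []
    for name, actions in sources:
        status, result = modules[name]()
        if {**DEFAULT_ACTIONS, **actions}.get(status, "continue") == "return":
            break
    return status, result

def files_netgroup(name, text=NETGROUP_FILE):
    """Minimal /etc/netgroup reader returning the (host, user, domain) triples."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            return SUCCESS, [tuple(f.strip("()").split(",")) for f in fields[1:]]
    return NOTFOUND, []

def ldap_down(status):
    """Simulated nss_ldap with the server unreachable: the report says it answers
    SUCCESS with no members (after the timeout); the reporter expects UNAVAIL."""
    return lambda: (status, [])

def getent_netgroup(nsswitch_line, ldap_module, name="testgrp"):
    """Equivalent of 'getent netgroup testgrp' for one nsswitch.conf line."""
    modules = {"ldap": ldap_module, "files": lambda: files_netgroup(name)}
    return nss_lookup(parse_nsswitch(nsswitch_line), modules)
```

Calling getent_netgroup("netgroup: ldap files", ldap_down(SUCCESS)) reproduces the empty result, while ldap_down(UNAVAIL) or the [SUCCESS=continue] line returns the two triples from /etc/netgroup.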
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1030.html