Bug 664609 - local files not searched for netgroups if ldap server is unavailable
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap (Show other bugs)
Hardware / OS: Unspecified / Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Nalin Dahyabhai
QA Contact: Ondrej Moriš
Depends On:
Reported: 2010-12-20 18:10 EST by Jeff Bastian
Modified: 2011-07-21 04:08 EDT (History)

Fixed In Version: nss_ldap-253-40.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 04:08:13 EDT


External Trackers
Tracker: PADL Software   ID: 430   Priority: None   Status: None   Summary: None   Last Updated: Never

Description Jeff Bastian 2010-12-20 18:10:45 EST
Description of problem:
If the LDAP server is down, the system should search local files for netgroups given the nsswitch.conf entry
    netgroup: ldap files

However, instead of searching the local /etc/netgroup file, it just returns an empty netgroup after a 2-minute timeout.
    [root@host etc]# cat /etc/netgroup 
    testgrp (-,test,-) (foo,,domain.com)

    [root@host etc]# time getent netgroup testgrp

    real    2m4.030s
    user    0m0.006s
    sys     0m0.007s

If I add SUCCESS=continue to nsswitch.conf, then it works:
    [root@host etc]# grep ^netgroup /etc/nsswitch.conf
    netgroup:   ldap [SUCCESS=continue] files

    [root@host etc]# time getent netgroup testgrp
    testgrp               (-, test, -) (foo, , domain.com)

    real    2m4.032s
    user    0m0.004s
    sys     0m0.008s

It appears that nss_ldap is returning NSS_SUCCESS for netgroups when the LDAP server is not reachable.  Shouldn't it be returning NSS_UNAVAIL instead?

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. Edit /etc/ldap.conf and point it at any system that's NOT running an LDAP server:
    uri ldap://not-an-ldap-server.example.com/
2. Edit /etc/nsswitch.conf and tell it to look at ldap first, then files, for netgroup:
    netgroup:   ldap files
3. Define a netgroup in /etc/netgroup
    testgrp (-,test,-) (foo,,domain.com)
4. Run getent on the netgroup:
    getent netgroup testgrp
Actual results:
An empty netgroup:
    # getent netgroup testgrp

Expected results:
The netgroup as defined in /etc/netgroup
    # getent netgroup testgrp
    testgrp               (-, test, -) (foo, , domain.com)
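To make the status/action semantics this report hinges on concrete, here is an added example (not code from nss_ldap, glibc or this bug's tracker) that models how glibc walks the sources of an nsswitch.conf entry: it parses the `[STATUS=action]` syntax and shows that a source answering SUCCESS with an empty result stops the walk before `files` is consulted, whereas UNAVAIL falls through to `files`. The `lookup`/`demo` functions, the constructed source results and the rule that entries from every visited SUCCESS source are collected are simplifying assumptions, not glibc's actual netgroup implementation.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: SUCCESS ends the search, every other status falls through.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_nsswitch_line(line):
    """Parse 'db: src [STATUS=action ...] src ...' into [(source, actions)]."""
    _, _, spec = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any source: %r" % line)
        for item in tok[1:-1].split():
            status, _, action = item.partition("=")
            negate = status.startswith("!")  # [!SUCCESS=return] form
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad action %r in %r" % (item, line))
            for s in (set(STATUSES) - {status}) if negate else {status}:
                entries[-1][1][s] = action
    return entries

def lookup(line, sources):
    """Walk the sources in order; `sources` maps name -> (status, entries).
    Simplifying assumption: entries from every SUCCESS source visited are kept."""
    found = []
    for name, actions in parse_nsswitch_line(line):
        status, entries = sources[name]
        if status == "SUCCESS":
            found.extend(entries)
        if actions[status] == "return":
            break
    return found

# Constructed inputs mirroring the report: testgrp in /etc/netgroup, LDAP down.
FILES = ("SUCCESS", ["(-,test,-)", "(foo,,domain.com)"])
LDAP_BUGGY = ("SUCCESS", [])    # what the report observes after the timeout
LDAP_CORRECT = ("UNAVAIL", [])  # what the reporter argues nss_ldap should return
def demo():
    plain, fixed = "netgroup: ldap files", "netgroup: ldap [SUCCESS=continue] files"
    return {
        "bug": lookup(plain, {"ldap": LDAP_BUGGY, "files": FILES}),
        "unavail": lookup(plain, {"ldap": LDAP_CORRECT, "files": FILES}),
        "workaround": lookup(fixed, {"ldap": LDAP_BUGGY, "files": FILES}),
    }
```

`demo()["bug"]` comes back empty, exactly like the `getent netgroup testgrp` run above, while the UNAVAIL and `[SUCCESS=continue]` cases both reach /etc/netgroup.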
Comment 4 errata-xmlrpc 2011-07-21 04:08:13 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.