Bug 664609 - local files not searched for netgroups if ldap server is unavailable
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Nalin Dahyabhai
QA Contact: Ondrej Moriš
Depends On:
Blocks:
Reported: 2010-12-20 18:10 EST by Jeff Bastian
Modified: 2011-07-21 04:08 EDT (History)
See Also:
Fixed In Version: nss_ldap-253-40.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 04:08:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
External Tracker: PADL Software bug 430 (Priority: None, Status: None, Summary: None, Last Updated: Never)
Description Jeff Bastian 2010-12-20 18:10:45 EST
Description of problem:
If the LDAP server is down, the system should search local files for netgroups given the nsswitch.conf entry
    netgroup: ldap files

However, instead of searching the local /etc/netgroup file, it just returns an empty netgroup after a 2 minute timeout.
    [root@host etc]# cat /etc/netgroup 
    testgrp (-,test,-) (foo,,domain.com)

    [root@host etc]# time getent netgroup testgrp
    testgrp

    real    2m4.030s
    user    0m0.006s
    sys     0m0.007s

If I add SUCCESS=continue to nsswitch.conf, then it works:
    [root@host etc]# grep ^netgroup /etc/nsswitch.conf
    netgroup:   ldap [SUCCESS=continue] files

    [root@host etc]# time getent netgroup testgrp
    testgrp               (-, test, -) (foo, , domain.com)

    real    2m4.032s
    user    0m0.004s
    sys     0m0.008s

It appears that nss_ldap is returning NSS_SUCCESS for netgroups when the LDAP server is not reachable.  Shouldn't it be returning NSS_UNAVAIL instead?


Version-Release number of selected component (if applicable):
nss_ldap-253-25.el5

How reproducible:
every time

Steps to Reproduce:
1. Edit /etc/ldap.conf and point it at any system that's NOT running an LDAP server:
    uri ldap://not-an-ldap-server.example.com/
2. Edit /etc/nsswitch.conf and tell it to look at ldap first, then files, for netgroup:
    netgroup:   ldap files
3. Define a netgroup in /etc/netgroup
    testgrp (-,test,-) (foo,,domain.com)
4. Run getent on the netgroup:
    getent netgroup testgrp
  
Actual results:
An empty netgroup:
    # getent netgroup testgrp
    testgrp

Expected results:
The netgroup as defined in /etc/netgroup
    # getent netgroup testgrp
    testgrp               (-, test, -) (foo, , domain.com)
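The report turns on how glibc walks the nsswitch.conf service chain: with the default action table (SUCCESS=return, NOTFOUND/UNAVAIL/TRYAGAIN=continue), a service that answers NSS_SUCCESS ends the lookup, so an nss_ldap that reports success with an empty netgroup while the server is unreachable hides /etc/netgroup entirely. The following Python model is an added example, not code from the bug report or from nss_ldap; it parses a nsswitch.conf line including [STATUS=action] and [!STATUS=action] specifiers and replays the three situations from the report (buggy status with defaults, buggy status with the [SUCCESS=continue] workaround, and the correct NSS_UNAVAIL). The netgroup triples are constructed from the /etc/netgroup shown above, and the model assumes a simplified rule that the last service consulted decides the final status and result, which is sufficient for this case.

```python
"""
Added example (not part of the bug report or of nss_ldap): a small model of
glibc's nsswitch.conf lookup chain, used to show why nss_ldap answering
NSS_SUCCESS with an empty netgroup hides /etc/netgroup, while NSS_UNAVAIL
(or an explicit [SUCCESS=continue]) lets the lookup fall through to files.
"""
import re
from enum import Enum


class Status(Enum):
    """The four NSS lookup statuses a service can return."""
    SUCCESS = "SUCCESS"
    NOTFOUND = "NOTFOUND"
    UNAVAIL = "UNAVAIL"
    TRYAGAIN = "TRYAGAIN"


# glibc defaults when no [STATUS=action] is given (see nsswitch.conf(5)).
DEFAULT_ACTIONS = {
    Status.SUCCESS: "return",
    Status.NOTFOUND: "continue",
    Status.UNAVAIL: "continue",
    Status.TRYAGAIN: "continue",
}

# A token is either a bracketed action list or a bare service name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch_line(line):
    """Parse one 'database: svc [STATUS=action ...] svc ...' line into
    (database, [(service, {Status: action}), ...])."""
    line = line.split("#", 1)[0]
    database, _, rest = line.partition(":")
    services = []
    for match in _TOKEN.finditer(rest):
        actions, name = match.group(1), match.group(2)
        if name is not None:
            services.append((name, dict(DEFAULT_ACTIONS)))
        elif services:
            # '[!STATUS=action]' applies to every status except STATUS.
            for item in actions.split():
                key, _, action = item.partition("=")
                negate = key.startswith("!")
                key = key.lstrip("!").upper()
                for status in Status:
                    if (status.value == key) != negate:
                        services[-1][1][status] = action.lower()
    return database.strip(), services


def lookup(services, responders):
    """Walk the chain. `responders` maps service name -> (Status, result).
    Simplification (assumption): the last service consulted decides the final
    status and result, which is enough to model the netgroup case here."""
    consulted, status, result = [], Status.NOTFOUND, None
    for name, actions in services:
        status, svc_result = responders.get(name, (Status.UNAVAIL, None))
        consulted.append(name)
        result = svc_result if status is Status.SUCCESS else None
        if actions[status] == "return":
            break
    return status, result, consulted


# Constructed from the /etc/netgroup shown in the report: testgrp's triples.
FILES_NETGROUP = [("-", "test", "-"), ("foo", "", "domain.com")]


def netgroup_lookup(nsswitch_line, ldap_status):
    """Scenario: the LDAP server is unreachable and nss_ldap reports
    `ldap_status` with no triples; the files backend knows testgrp."""
    _, services = parse_nsswitch_line(nsswitch_line)
    responders = {
        "ldap": (ldap_status, []),
        "files": (Status.SUCCESS, FILES_NETGROUP),
    }
    return lookup(services, responders)


if __name__ == "__main__":
    scenarios = [
        ("buggy nss_ldap, default actions", "netgroup: ldap files", Status.SUCCESS),
        ("buggy nss_ldap, [SUCCESS=continue]", "netgroup: ldap [SUCCESS=continue] files", Status.SUCCESS),
        ("fixed nss_ldap, default actions", "netgroup: ldap files", Status.UNAVAIL),
    ]
    for label, line, ldap_status in scenarios:
        status, result, consulted = netgroup_lookup(line, ldap_status)
        print(f"{label}: consulted={consulted} status={status.value} result={result}")
```

The first scenario reproduces the empty "testgrp" from the report (only ldap is consulted), the second matches the [SUCCESS=continue] workaround (both services consulted, files supplies the triples), and the third shows that once nss_ldap returns NSS_UNAVAIL the default action table already falls through to files, so no nsswitch.conf change is needed after the fix.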
Comment 4 errata-xmlrpc 2011-07-21 04:08:13 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1030.html
