Bug 139578

Summary: dhclient fails (with NetworkManager and LDAP authentication)
Product: [openSUSE] SUSE Linux 10.1 Reporter: Martin Vidner <mvidner>
Component: NetworkAssignee: Ralf Haferkamp <ralf>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: aj, jsuchome, juergen.mell, kukuk, ralf
Version: Alpha 4   
Target Milestone: ---   
Hardware: i686   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: messages
nsswitch.conf

Description Martin Vidner 2005-12-16 12:19:00 UTC 
When installing, leave the network setup to default (NetworkManager) and choose LDAP user authentication. Afterwards, you're left with only a link local IP address. Even root login does not work (probably a separate bug).

See attached /etc/nsswitch.conf and /var/log/messages: dhclient (and other daemons) tries to contact the LDAP server (!?) via nss_ldap. It naturally does not succeed and waits with exponential backoff. As can be seen at Dec 16 13:01:56, if NM is disabled it eventually gives up and proceeds to obtain an address, but if NM is running, NM gives up after 25 seconds (Dec 16 12:14:01).

One way would be to increase the timeout in NM but I think a better way is to fix either dhclient or our nsswitch.conf so that dhclient does not try to contact LDAP if the network is not up yet.

I wonder whether a similar thing happens with NIS...
Comment 1 Martin Vidner 2005-12-16 12:19:51 UTC 
Created attachment 61075 [details]
messages
Comment 2 Martin Vidner 2005-12-16 12:20:27 UTC 
Created attachment 61076 [details]
nsswitch.conf
Comment 3 Peter Poeml 2005-12-19 15:01:01 UTC 
Robert, you work on NetworkManager, don't you?
Could this depend on the configuration of dhclient?
And, what does dhclient look up which causes an ldap lookup?
Comment 4 Robert Love 2005-12-19 20:39:52 UTC 
NM, yes.  My dhclient mastery is minimal, though.

I don't know why it is contacting an LDAP server.  dhclient, even under NM, uses the default dhclient config file.
Comment 5 Peter Poeml 2005-12-21 11:20:22 UTC 
Looking at /var/log/messages, and noticing that all kinds of processes
trigger the ldap lookup, I don't think this is a problem of network
manager at all, unless it is the reason why the boot process proceeds
although it should wait for network first (?).

Ralf, what do you think about this bug?
Comment 6 Ralf Haferkamp 2005-12-22 08:30:56 UTC 
Might be a misconfiguration or a bug in the reconnection behaviour of nss_ldap. Could you attach the /etc/ldap.conf from that machine?
Comment 7 Martin Vidner 2005-12-22 10:50:26 UTC 
Not now, unfortunately (gorgon.suse.cz is offline). If you want to try yourself, the machine was a standard install with LDAP authentication selected in yast during the installation.
Comment 8 Ralf Haferkamp 2005-12-22 15:33:30 UTC 
I was able to reproduce it. This is a configuration problem I think. Since some versions nss_ldap support the bind_policy option which, if not present in /etc/ldap.conf defaults to "hard" (which means, if a connection attempt to the LDAP server fails nss_ldap retries to connect until it was successful). Earlier nss_ldap version behaved different AFAIK :(

Jiri could you change yast2-ldap-client to always add 
bind_policy soft
to /etc/ldap.conf?

We should also consider to add this to our default /etc/ldap.conf.
Comment 9 Ralf Haferkamp 2005-12-22 15:34:27 UTC 
*** Bug 135589 has been marked as a duplicate of this bug. ***
Comment 10 Jiří Suchomel 2006-01-02 07:05:02 UTC 
> We should also consider to add this to our default /etc/ldap.conf.

Isn't this the only correct solution? If I will do it from yast2-ldap-client, it will write "soft" value even if user want to leave his own "hard" one.
Comment 11 Jiří Suchomel 2006-01-02 15:44:06 UTC 
Actually, yes I think it should be included in the default /etc/ldap.conf.
Comment 12 Thorsten Kukuk 2006-01-06 11:39:08 UTC 
I added it, but be aware that this will not work in case of an update.
Comment 13 Jiří Suchomel 2006-01-06 13:32:34 UTC 
AFAIK update must be solved in the script of rpm package; I don't know of which one, but I would say pwdutils.
Comment 14 Thorsten Kukuk 2006-01-07 09:28:14 UTC 
I will not add a parser for ldap.conf to pwdutils.
Comment 15 Stanislav Visnovsky 2006-01-09 07:44:56 UTC 
Ralf, we need a different solution then.
Comment 16 Ralf Haferkamp 2006-01-17 15:00:17 UTC 
I am currently discussing some options with Luke Howard. In the worst case I'll add the option in the %post of nss_ldap.
Comment 17 Ralf Haferkamp 2006-01-19 16:15:07 UTC 
nss_ldap will now add "bind_policy soft" during package update if nothing differnt is present in ldap.conf.