Fedora with LDAP Authentication Stuck Booting

On a Fedora server (in this case 14, 15, and 16) acting as the primary LDAP server, booting can get stuck if LDAP is not ready in time. You end up with a race condition: LDAP is stuck attempting to start for one reason or another, and other services are stuck waiting for LDAP. Typically, this is because PAM, via the nss_ldap or pam_ldap modules, is attempting to look up the user account that a particular service runs as, and it is configured to also look in LDAP.

There are two ways to fix this:
1. Keep the “nss_initgroups_ignoreusers” line in /etc/pam_ldap.conf and /etc/nss_ldap.conf listing all of your various service accounts, or
2. Modify /etc/pam_ldap.conf and /etc/nss_ldap.conf to have “bind_policy soft” enabled.

“bind_policy soft” is analogous to a “soft” mount in /etc/fstab: it lets the lookup fail quickly so the process can proceed rather than hang while waiting for a response. This policy is a bit easier to manage and safer, since it never leaves the administrator with a deadlock.
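As an added example (not part of the original post), the shell functions below inspect an nss_ldap/pam_ldap style config file for the two settings discussed above: the effective bind_policy (the PADL modules default to "hard" when the directive is absent) and which service accounts are missing from nss_initgroups_ignoreusers. The function names and the sample config are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit an nss_ldap/pam_ldap config for the two boot-hang fixes.
# Function names are hypothetical; only the directive names come from the post.

# Print the effective bind_policy from FILE. If the directive is absent the
# PADL modules fall back to "hard" (retry with backoff), so report that.
ldap_bind_policy() {
    awk 'tolower($1) == "bind_policy" { p = $2 }
         END { print (p == "" ? "hard" : p) }' "$1"
}

# Print, one per line, the accounts from the argument list that are NOT named
# in the file's nss_initgroups_ignoreusers directive (comma-separated list).
ldap_ignoreusers_missing() {
    file=$1; shift
    listed=$(awk 'tolower($1) == "nss_initgroups_ignoreusers" { print $2 }' "$file" | tr ',' '\n')
    for u in "$@"; do
        printf '%s\n' "$listed" | grep -qx "$u" || printf '%s\n' "$u"
    done
}

# "yes" if a lookup would fail fast at boot (bind_policy soft), else "no".
ldap_boot_safe() {
    if [ "$(ldap_bind_policy "$1")" = "soft" ]; then echo yes; else echo no; fi
}

# Constructed sample config (not a real file from the post) to demonstrate.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
base dc=example,dc=com
uri ldap://127.0.0.1/
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named
EOF
ldap_bind_policy "$tmp"                                         # soft
ldap_ignoreusers_missing "$tmp" root ldap named postfix dovecot # postfix, dovecot
ldap_boot_safe "$tmp"                                           # yes
rm -f "$tmp"
```

Run it against your real /etc/pam_ldap.conf and /etc/nss_ldap.conf with the list of accounts your services start as; any account printed by ldap_ignoreusers_missing on a host without bind_policy soft is a candidate for the boot-time hang described above.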
