September 29, 2009


The nss-ldap module allows you to keep your user information in an LDAP server. Within the module you can choose between two policies for how to connect to the LDAP server:

  • hard: use an exponential back-off when connecting, waiting up to 64 seconds before trying a different server.
  • soft: when the server is not responding, give up immediately.

The problem is that both are insufficient…

With soft you get no benefit from your backup LDAP server. With the hard policy you can fail over to the second (or third) server, but when you boot the machine while it has no networking yet, you are stuck in the exponential back-off: every uid lookup takes 64 seconds, so booting a server can take a couple of hours.

So you need something else.

I decided to “fix” the libnss-ldap source and add a new policy for connecting to LDAP servers: medium. This policy behaves like hard, but without the exponential back-off. In other words it is more like soft, but it does not give up at once. So booting should be fast, and the failover mechanism should still work.
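To make the difference between the three policies concrete, here is a small simulation of the connect loop described above (the soft/hard behaviour and the proposed medium policy). It is an added example, not code from libnss-ldap or from the patch; the server names, the 120 boot-time lookups and the exact back-off schedule (doubling sleeps until 64 seconds are spent on a server) are assumptions.

```python
"""Model of the nss-ldap connect policies from the post: soft, hard (exponential
back-off) and the proposed medium (fail over without back-off). Constructed
simulation, not libnss-ldap code; names, lookup count and schedule are assumed."""
from typing import Callable, Optional

MAX_BACKOFF = 64  # seconds a "hard" lookup spends on one dead server (per the post)
SERVERS = ["ldap1.example.internal", "ldap2.example.internal"]  # constructed names

def try_connect(policy: str, servers: list[str], reachable: Callable[[str], bool],
                max_backoff: int = MAX_BACKOFF) -> tuple[Optional[str], int]:
    """Return (server reached or None, simulated seconds spent sleeping).
    soft: try the first server once and give up.  hard: per server, sleep
    1, 2, 4, ... s until max_backoff s are used up, then move on (assumed
    model).  medium: try each server once with no sleeping, as the patch does.
    """
    waited = 0
    for server in servers:
        if reachable(server):
            return server, waited
        if policy == "soft":
            return None, waited
        if policy == "hard":
            sleep, spent = 1, 0
            while spent < max_backoff:
                sleep = min(sleep, max_backoff - spent)  # never overshoot the budget
                waited += sleep
                spent += sleep
                if reachable(server):
                    return server, waited
                sleep *= 2
        # medium (and hard once its budget is spent) fall through to the next server
    return None, waited

def boot_delay(policy: str, servers: list[str], lookups: int) -> int:
    """Seconds a boot spends in LDAP back-off while no network is up yet."""
    _, waited = try_connect(policy, servers, lambda _s: False)
    return waited * lookups

def failover_target(policy: str, servers: list[str], up: str) -> Optional[str]:
    """Server a lookup reaches when only `up` answers; None means the lookup fails."""
    server, _ = try_connect(policy, servers, lambda s: s == up)
    return server

if __name__ == "__main__":
    for policy in ("soft", "hard", "medium"):  # 120 boot-time uid lookups is an assumed count
        print(policy, boot_delay(policy, SERVERS, 120), "s;",
              "failover ->", failover_target(policy, SERVERS, SERVERS[1]))
```

With two unreachable servers and 120 lookups, hard spends 15360 simulated seconds (over four hours) while soft and medium spend none; only hard and medium reach the second server when the first is down.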

For those interested, see this patch for the code changes. As soon as my bugzilla account mail arrives, I will file it in the padl.com bug tracker.