
Re: Init with user db in local LDAP (slapd): On service dependencies

On Fri, Mar 29, 2002 at 07:15:20PM +0100, Thorild Selen wrote:
> When exactly are accounts supposed to exist?

> Assume that some accounts in a system are handled by a daemon, and
> that this daemon therefore must be running before you can refer to
> these accounts by name. Clearly, having other init scripts that assume
> that certain accounts are available, or start other programs/daemons
> that do, will have problems if the aforementioned daemon isn't running
> yet when they are called.

> A concrete example:

> The symlink /etc/rc2.d/S20slapd will cause slapd to be started. Some
> system accounts and virtually all user accounts are handled by slapd.
> However, many other services are also started by /etc/rc2.d/S20*, and
> most of these will be started before slapd because they come before
> slapd in alphabetical order. One simple solution to this would be to
> keep all system accounts in /etc/passwd, so if I do, I lose, right?
> But otherwise it should be acceptable to keep accounts in a database
> handled by a local slapd, right?

> Unfortunately not. /etc/rcS.d/S85nethack is run before slapd is
> started, and this init script has to be able to look up user accounts.
> This is one example; there might be more that include more critical
> services/applications than nethack, so this matter shouldn't be taken
> lightly just because nethack made me stumble onto this problem.

> How early are user accounts supposed to exist? What about system
> accounts? Is this problem a bug in the nethack package, or in slapd,
> or in another package? If not, is an administrator actually expected
> to reorder installation scripts whenever this kind of dependency
> occurs?

> There is a problem here. However, I don't know whether I should file a
> bug against some package, and in that case, against which package. I'm
> beginning to doubt that the sysvinit way of keeping track of
> dependencies between services (by just assigning an integer that
> doesn't even have to be unique to each service) was ever a good
> idea. Somebody please enlighten me!

Fundamentally, the problem here is that slapd ought to be started at 
different times, depending on how it's used by the system.  If it's just 
a directory server for the network, then we probably don't care about 
starting it until the network is up.  If you're using it with nss_ldap 
to provide usernames for the local system, then we want it to start 
early -- possibly as an rcS.d script, rather than a per-runlevel script.  
And there's no good way for the package to know which way things should 
be set up, so it's up to the admin to configure the init scripts however 
is best for the local system.  This would still be the case whether or 
not we switched to something other than sysvinit.

Incidentally, I do think it's usually best to store all system accounts 
in a local database (such as /etc/passwd), rather than in a network 
database (and I don't consider LDAP 'local' storage here, regardless of 
whether it's running on localhost).

Steve Langasek
postmodern programmer
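An added example, not part of the thread: a small POSIX sh model of the ordering rule the reply describes (sysvinit runs the S* links of a runlevel directory in plain lexical order, so S20nethack runs before S20slapd) that checks whether a script can safely resolve an account at boot, either because the account is in the local passwd file or because the slapd link sorts earlier. The rc directory, the passwd file and the account names are constructed fixtures, not taken from any real system.

```shell
#!/bin/sh
# Print the S* link names in DIR in the order sysvinit would run them.
rc_order() {
    LC_ALL=C ls "$1" | grep '^S' | LC_ALL=C sort
}

# Return 0 if service A's link runs before service B's link in DIR.
starts_before() {
    dir=$1; a=$2; b=$3
    for link in $(rc_order "$dir"); do
        case $link in
            S[0-9][0-9]"$a") return 0 ;;
            S[0-9][0-9]"$b") return 1 ;;
        esac
    done
    return 1
}

# Return 0 if USER has an entry in the passwd-format file PASSWD.
in_local_passwd() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Can SCRIPT in DIR resolve USER when it runs?  Safe if the account is
# local (files backend, no daemon needed) or if slapd's link sorts before
# the script's link.  Prints a verdict; returns 0 (safe) or 1 (unsafe).
account_available_for() {
    dir=$1; passwd=$2; script=$3; user=$4
    if in_local_passwd "$passwd" "$user"; then
        echo "$user: local account, available regardless of slapd"; return 0
    elif starts_before "$dir" slapd "$script"; then
        echo "$user: LDAP account, slapd starts before $script"; return 0
    else
        echo "$user: LDAP account, but $script runs before slapd"; return 1
    fi
}

# Constructed fixture mirroring the thread: S20nethack sorts before S20slapd.
demo_dir=$(mktemp -d)
touch "$demo_dir/S20nethack" "$demo_dir/S20slapd" "$demo_dir/S99rmnologin"
demo_passwd=$demo_dir/passwd
printf 'root:x:0:0:root:/root:/bin/sh\ngames:x:5:60:games:/usr/games:/bin/sh\n' > "$demo_passwd"
account_available_for "$demo_dir" "$demo_passwd" nethack games     # local: safe
account_available_for "$demo_dir" "$demo_passwd" nethack thorild \
    || echo "  -> start slapd earlier (e.g. from rcS.d) or keep the account in /etc/passwd"
rm -rf "$demo_dir"
```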
