Package: krb5-kdc-ldap
Version: 1.6.dfsg.4~beta1-5lenny4
Followup-For: Bug #603822

Hello,

It's been reported that some krb5 services fail to start when/if an LDAP server is not running. The solution has been suggested to continue polling for a connection, instead of just giving up. This is essential because of transient errors that could prevent a perfectly usable situation from functioning.

One situation, regarding LDAP using krb5 for auth needing to start AFTER krb5, may not have the perceived parameters. Firstly, if LDAP failed to connect to krb5 it should retry to avoid being caught by transient errors. Secondly, LDAP configured to use Kerberos might not even connect to krb5 until it had its first auth request.

In the ?rare? case where Kerberos is configured to use LDAP and LDAP is configured to use krb5, there must then be at least one user who can auth using another method. In a normal configuration I think it would be safe to assume that users CAN auth using krb5; however, it's also very likely that they MAY be using some other form of auth. So to assume that an LDAP server configured to use krb5 for auth would be completely helpless sounds like an exaggeration.

On the other hand, Kerberos configured to use LDAP would be completely lost until such time as it could connect. This is a good reason that Krb5 should start after LDAP; however, the order that these services start should be arbitrary. Here are the top reasons I can think of.

1. The network might be down or congested.
2. The servers might all be booting, like after a UPS failure or other outage.
3. The Admin might be working on the LDAP server just when the machine is booted.

As transient errors like this are common, no one network service should depend on another. There should always be a measure of retry.

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages krb5-kdc-ldap depends on:
ii  krb5-kdc       1.6.dfsg.4~beta1-5lenny4  MIT Kerberos key server (KDC)
ii  libc6          2.7-18lenny4              GNU C Library: Shared libraries
ii  libcomerr2     1.41.3-1                  common error description library
ii  libkadm55      1.6.dfsg.4~beta1-5lenny4  MIT Kerberos administration runtim
ii  libkeyutils1   1.2-9                     Linux Key Management Utilities (li
ii  libkrb53       1.6.dfsg.4~beta1-5lenny4  MIT Kerberos runtime libraries
ii  libldap-2.4-2  2.4.11-1+lenny2           OpenLDAP libraries

krb5-kdc-ldap recommends no packages.

krb5-kdc-ldap suggests no packages.

-- no debconf information

