Lutz Jänicke:
> > For example, with the default nsswitch.conf action of "unavail=continue",
> > the library will continue with the next source, instead of reporting
> > the error condition immediately. There may be similar features with sssd.
>
> It seems that nsswitch.conf may be the reason for the effect. It indeed
> reads
> passwd: compat ldap
> group: ...
> and therefore should with "unavail=continue" would lead to failure as
> experienced.
> As all other lookups are implemented directly in postfix via ldap: maps.
> If I understand nsswitch.conf correctly, unavail=return would not make a
> difference here.

I would not know. I am just disappointed that someone broke getpwnam_r()
error reporting.

> We rather would have to modify local_recipient_maps to start with
> an LDAP lookup to fail "safe" if LDAP is not available, don't we?

Switching local_recipient_maps to direct LDAP lookups would reduce the
failure time window to a fraction of a second (if the LDAP server crashes
after successful local_recipient_maps lookup with direct LDAP, the
getpwnam_r() call would still falsely report "not found", but the odds
of an LDAP server crash in that fraction of a second would be really small).

	Wietse
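The failure mode in this thread hinges on how a caller reads the result of getpwnam_r(). The following C program is an added example (not Postfix code and not part of the original message) that keeps "lookup error" separate from "no such user"; the function names, the enum and the defer/reject labels are assumptions made for illustration.

```c
/* Added example: never let a getpwnam_r() error pass as "no such user". */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

enum user_status { USER_FOUND, USER_NOT_FOUND, USER_TEMPFAIL };

/* Map (return code, result pointer) to a decision. Only rc == 0 with a
 * NULL result means "absent"; any error code fails safe (assumption). */
enum user_status classify_pw_result(int rc, const struct passwd *result)
{
    if (rc != 0)
        return USER_TEMPFAIL;
    return result ? USER_FOUND : USER_NOT_FOUND;
}

/* Look up a login name, doubling the buffer on ERANGE up to 1 MiB. */
enum user_status lookup_user(const char *name)
{
    struct passwd pw, *result = NULL;
    size_t len = 1024;
    char *buf = NULL, *tmp;
    int rc;

    for (;;) {
        tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return USER_TEMPFAIL; }
        buf = tmp;
        rc = getpwnam_r(name, &pw, buf, len, &result);
        if (rc != ERANGE || len >= (1u << 20))
            break;
        len *= 2;
    }
    free(buf);  /* result is only tested for NULL, never dereferenced */
    return classify_pw_result(rc, result);
}

int main(int argc, char **argv)
{
    static const char *text[] = { "found", "not found (reject)", "lookup error (defer)" };
    const char *name = argc > 1 ? argv[1] : "root";
    printf("%s: %s\n", name, text[lookup_user(name)]);
    return 0;
}
```

When the NSS layer swallows an outage, as with the "unavail=continue" action quoted in the thread, the call returns 0 with a NULL result and no caller-side check can recover the error. That is why the thread turns to a direct LDAP lookup in local_recipient_maps.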