libnss-ldap needs systemd service file.
Xen
list at xenhideout.nl
Wed Oct 5 21:34:27 UTC 2016
It appears that SystemD does not allow for services to just be started
when a shutdown target is reached or is in the process of being reached.
The libnss-ldap package contains a script that enumerates low-ranking
usernames (from system users) and adds them to the
nss_initgroups_ignoreusers option in /etc/ldap.conf.
This is to prevent the system from halting while booting up (freezing).
Otherwise group lookups are sent over LDAP and can cause the system to
hang.
I realize that current libnss-ldapd contains the option to provide
ALLLOCAL as the value here so that the service itself (the daemon)
enumerates those users for you at every boot-up, although I haven't tried
it. But I think there are reasons to be using the older libnss-ldap
package, if you need it or want it. It could be a nice combination with
nscd or unscd still, and does not require any newer functionality for
that to function well, although it is unmaintained, I hear.
Or at least deprecated in favour of nslcd and its associated modules
(libraries).
But the init script (/etc/init.d/libnss-ldap) is not executed at
shutdown by systemd.
Seeing that a shutdown service seems not to be possible, this is then
the only solution:
[Unit]
Description=Enumerate users in ldap.conf for preboot safety

[Service]
# Type=oneshot with RemainAfterExit=yes keeps the unit active after
# /bin/true has exited; otherwise ExecStop= runs right away at boot
# instead of at shutdown.
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/usr/sbin/nssldap-update-ignoreusers

[Install]
WantedBy=sysinit.target
The alternative to sysinit.target is e.g. "basic.target rescue.target"
or "multi-user.target rescue.target". The service only starts so it can
be shut down.
Alternatively the script /usr/sbin/update-rc.d would need to be fixed
such that it supports an init file with no start levels.
Strangely the postinst script executes fine:
sudo update-rc.d libnss-ldap start . stop 20 0 1 6 .
update-rc.d: warning: start and stop actions are no longer supported;
falling back to defaults
But the thing barks when you enable it and there are no start levels:
update-rc.d: error: libnss-ldap Default-Start contains no runlevels,
aborting.
Which for some reason causes the remainder of
/lib/systemd/systemd-sysv-install to fail and not execute and apparently
determines that the service will obtain state "bad".
Therefore the solution can be obtained in multiple ways:
- ensure that /etc/init.d/libnss-ldap has at least one start runlevel
- fix update-rc.d to not bolt but just install the service anyway
- add your custom systemd service file, like above.
And that would require adding a file to the package
(/lib/systemd/system/libnss-ldap.service) and a line to the postinst
script (but it is automatically generated):

if [ -e "/lib/systemd/system/libnss-ldap.service" ]; then
    systemctl enable libnss-ldap
fi
But for some reason on my Kubuntu system the file
/etc/init.d/libnss-ldap masks the service file
/lib/systemd/system/libnss-ldap.service for the enable call, and it
calls the sysv enabler.
So pick your choice, I'd say.
If nothing else, run /usr/sbin/nssldap-update-ignoreusers in postinst.
Regards.
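As an added example (not the libnss-ldap package's own nssldap-update-ignoreusers script), this shell script does what the message describes that script doing: it collects the system accounts from a passwd file and writes them into the nss_initgroups_ignoreusers line of an ldap.conf, so group lookups for those accounts are never sent to the LDAP server. The UID cutoff, the inclusion of the nobody account and the file paths are assumptions; the sample passwd and ldap.conf are constructed.

```shell
#!/bin/sh
# Added example, not the package's nssldap-update-ignoreusers. Rebuilds the
# nss_initgroups_ignoreusers line of an ldap.conf from a passwd file.
set -eu

SYS_UID_MAX=${SYS_UID_MAX:-999}   # assumption: UIDs <= 999 are system accounts

# list_system_users PASSWD_FILE: sorted, comma-separated system login names
# (UID <= SYS_UID_MAX, plus the conventional 65534 "nobody" account).
list_system_users() {
    awk -F: -v max="$SYS_UID_MAX" \
        '$3 ~ /^[0-9]+$/ && ($3 <= max || $3 == 65534) { print $1 }' "$1" |
        LC_ALL=C sort -u | paste -sd ',' -
}

# update_ignoreusers LDAP_CONF PASSWD_FILE: replace the first existing
# nss_initgroups_ignoreusers line (active or commented out), drop any
# duplicates, or append the line if none exists. Other lines are kept.
update_ignoreusers() {
    conf=$1; users=$(list_system_users "$2")
    tmp=$(mktemp)
    awk -v users="$users" '
        /^[# \t]*nss_initgroups_ignoreusers([ \t]|$)/ {
            if (!done) { print "nss_initgroups_ignoreusers " users; done = 1 }
            next
        }
        { print }
        END { if (!done) print "nss_initgroups_ignoreusers " users }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Constructed sample input (not from a real system); on a live host the
# arguments would be /etc/ldap.conf and /etc/passwd.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$demo_dir/ldap.conf" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
#nss_initgroups_ignoreusers root
EOF
update_ignoreusers "$demo_dir/ldap.conf" "$demo_dir/passwd"
cat "$demo_dir/ldap.conf"
```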