[Bug 652433] Re: Init script dependency error: krb5-kdc starts before slapd

Russ Allbery rra at debian.org
Wed Jan 26 17:19:36 UTC 2011


Thomas Schweikle <652433 at bugs.launchpad.net> writes:

> LDAP is robust against kerberos not running at the moment slapd
> starts.

I'm not sure that this is the case for an LDAP replica that uses GSS-API
to authenticate to the master, since I believe the very first thing that
slapd does is attempt the authentication to the master.

If this is not the case, or if slapd handles this cleanly (by sleeping and
retrying until it can get a connection without any other negative
consequences), then it's indeed robust here and slapd can start first.
But someone should verify that rather than assuming, since I know we've
had trouble with it in the past.

> Kerberos can't be robust about that. No way. If it stores data in LDAP
> it has to have access to the server.

It can.  All it has to do is sleep if it can't open an LDAP connection for
a few seconds and then try again.

There's a tradeoff, of course, in that you lose error reporting from the
init script if it currently attempts to open the LDAP connection before
backgrounding itself.  I'm not sure if that's the case or not.  If it
already doesn't open the LDAP connection until after it's backgrounded,
you lose nothing by adding some pauses and repeated attempts to contact
the LDAP server.

Ideally, they should both be robust against the other not being up yet.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
https://bugs.launchpad.net/bugs/652433

Title:
  Init script dependency error: krb5-kdc starts before slapd
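
An added example, not part of the original message and not code from the krb5 or OpenLDAP packages: a bounded sleep-and-retry wait for LDAP that a start script could run in the foreground before launching the KDC, so a directory that never comes up is still reported through the exit status. The function names, the `LDAP_URI` variable and the attempt and delay values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: bounded wait-and-retry for an LDAP server.
# ldap_probe, wait_for_ldap, kdc_precheck and LDAP_URI are hypothetical names.

# Default probe: succeeds only if the directory answers an anonymous
# base-scope read of the root DSE.
ldap_probe() {
    ldapsearch -x -H "${LDAP_URI:-ldapi:///}" -s base -b "" -LLL \
        namingContexts >/dev/null 2>&1
}

# wait_for_ldap ATTEMPTS DELAY [PROBE]
# Runs PROBE up to ATTEMPTS times, sleeping DELAY seconds between failures.
# Returns 0 as soon as PROBE succeeds, 1 if every attempt fails.
# TRIES is left set to the number of attempts made, for logging.
wait_for_ldap() {
    attempts=$1
    delay=$2
    probe=${3:-ldap_probe}
    TRIES=0
    while [ "$TRIES" -lt "$attempts" ]; do
        TRIES=$((TRIES + 1))
        if "$probe"; then
            return 0
        fi
        # Skip the sleep after the final failure so the error is reported promptly.
        if [ "$TRIES" -lt "$attempts" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# kdc_precheck [PROBE]
# Foreground check for a start action: the caller starts the KDC only when
# this returns 0, and otherwise passes the failure on to init.
kdc_precheck() {
    if wait_for_ldap 10 3 "$@"; then
        echo "LDAP reachable after $TRIES attempt(s)"
    else
        echo "LDAP not reachable after $TRIES attempt(s)" >&2
        return 1
    fi
}
```

With these values the start action blocks for at most 27 seconds plus probe time before giving up.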


