<Mic92>
If your ldap is flaky but your local dhcp is fine, this fix won't help you.
<aanderse>
the load balancer folks fixed that a few months ago, no more problems
<aanderse>
but back when ldap was flakey... i never had user login problems
<aanderse>
i checked logs
<aanderse>
and nslcd would try again automatically
<aanderse>
it was able to run multiple attempts and eventually succeed
<aanderse>
so i never had any complaints from users about logging in
<aanderse>
i'm left with the assumption there is no big underlying problem
<Mic92>
ok. So it fails if it cannot find a route to the ldap server?
<Mic92>
Or if it cannot resolve the hostname?
<aanderse>
not exactly sure, i never investigated the problem too deeply
<Mic92>
I agree for the majority `wants = [ "network-online.target" ];` is fine, just some smaller setups won't need it when the server is running on the same box.
<aanderse>
hmm i suppose that is a use case for some people
<aanderse>
(btw i'm not using slapd)
<aanderse>
Mic92: every time you paste a link it's the same link to my PR....
<Mic92>
aanderse: I embedded a diff in it.
<Mic92>
aanderse: there is an option called policy = "hard_init";
<aanderse>
i haven't tried hard_init
<aanderse>
ok, i think you've convinced me this doesn't provide enough generic value
<Mic92>
aanderse: if hard_init fixes it though, we can document it better.
<Mic92>
I would not make it the default. I think some people might want to have it degrade.
<aanderse>
yeah that makes sense
<aanderse>
thanks for talking this through with me then :)
<Mic92>
aanderse: you might want to test if you can still log in as root if your ldap server is down.
<aanderse>
Mic92: only developer accounts are using ldap
<aanderse>
no sysadmin accounts
<aanderse>
sysadmin accounts managed via nixops
<aanderse>
sysadmin turnover is very low, so not a big win to manage via ldap
<Mic92>
aanderse: ok. just make sure your root login does not perform any user queries.
<Mic92>
looking up root should be still fine.
<aanderse>
by default nixos configuration won't cache passwords with nslcd so not appropriate for that type of account
<Mic92>
because passwd is a higher priority
<aanderse>
easy enough to pull the virtual network plug and concretely test...
<aanderse>
i think sssd has easy ability to cache passwords and do networkless logins for ldap accounts, but i didn't end up going down that path (seemed more involved)
<Mic92>
Yeah, sssd had some issues on NixOS if I recall correctly
<aanderse>
:(
<aanderse>
ok, well, just to be completely sure
<aanderse>
i yanked the networking on a machine
<aanderse>
logged in as local users (including root)
<aanderse>
no issues
<aanderse>
everything picked up when network plugged back in
<aanderse>
all good
<aanderse>
will try to find some time/energy to try hard_init today
<Mic92>
ok. If it works we can update the ldap module option
<Mic92>
description