[systemd-devel] (newbie) question: dependency on ldap/kerberos

Josh Geisser josh at gebaschtel.ch
Sat Jun 4 18:30:00 PDT 2011


Hi there

As a Fedora Core user I was always abusing the runlevel idea of init on 'powerful' remote machines:

multicore Linux machines authenticating against Active Directory (with schema extension for Unix holding uid/etc), each carrying a virtual Windows domain controller (using VMware)

The background idea is that you can either authenticate using remote domain controllers via VPN, or use the local virtual domain controller on the very same, anyway oversized (but only one per site) machine.

To catch the case where VPN is down and the server is booting (power outage, firewall burned?), we basically did this:

1. At the earliest possibility:
   - cp -v /etc/nsswitch.conf.local /etc/nsswitch.conf
   - cp -v /etc/pam.d/system-auth.local /etc/pam.d/system-auth

2. booting into runlevel 3, starting all 'server services':
   - network, etc, vmware(!)

3. At the latest possibility (rc3.d/S99..) a script was kicked off that:
   - was trying every few seconds to auth. against _any_ available DC
   - if successful:
     - cp -v /etc/nsswitch.conf.ldap /etc/nsswitch.conf
     - cp -v /etc/pam.d/system-auth.ldap /etc/pam.d/system-auth
     - start into runlevel 4

4. when at least one DC available: runlevel 4: 'networked services':
   - start samba
   - start NFS
   - other things, some cases even X11


In short: on boot, start the virtual domain controller, then either wait for this one to become available, or if any other is reachable, that's also good :)

(Despite being an abuse of the infrastructure, this actually works quite well: the on-site servers serving SMB are available in either 2 minutes or 15 minutes, regardless of whether the firewall could establish the VPNs.)

Any hint on how I can implement this scenario with systemd?

Cheers
Josh
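One way to map the four steps onto systemd units, as an added example (not from the original post or from the systemd project): the script below replaces the S99 poll loop and the config-copying steps; the unit names, networked.target, the variable names and the DC hostnames are assumptions.

```shell
#!/bin/sh
# dc-wait.sh: systemd-era replacement for the original S99 script. Added example,
# not from the post. Assumed names: DC_HOSTS, CONF_ROOT, dc-wait.service,
# networked.target; DC hostnames are constructed. Intended wiring (assumed): an
# early oneshot runs "dc-wait.sh local"; dc-wait.service (Type=oneshot, TimeoutSec=0,
# After=network.target vmware.service) runs "dc-wait.sh run"; smb/NFS units are
# WantedBy=networked.target, the stand-in for the old runlevel 4.
CONF_ROOT="${CONF_ROOT:-/etc}"      # overridable so tests can use a temp dir
DC_HOSTS="${DC_HOSTS:-dc1.example.internal dc2.example.internal}"
INTERVAL="${INTERVAL:-5}"           # seconds between probe rounds
MAX_TRIES="${MAX_TRIES:-0}"         # 0 = retry forever, like the original
PROBE="${PROBE:-probe_dc}"          # command taking one host argument
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Default probe: anonymous LDAP rootDSE read, 3 s connect and search limits.
probe_dc() {
    ldapsearch -x -H "ldap://$1" -o nettimeout=3 -l 3 -b '' -s base >/dev/null 2>&1
}

# Install the "$1" flavour (local or ldap) of nsswitch.conf and system-auth,
# the same cp pairs the original runlevel scripts used.
select_auth_profile() {
    [ -f "$CONF_ROOT/nsswitch.conf.$1" ] && [ -f "$CONF_ROOT/pam.d/system-auth.$1" ] || return 1
    cp "$CONF_ROOT/nsswitch.conf.$1" "$CONF_ROOT/nsswitch.conf" &&
        cp "$CONF_ROOT/pam.d/system-auth.$1" "$CONF_ROOT/pam.d/system-auth"
}

# Succeed as soon as one DC (remote via VPN or the local VM) answers.
any_dc_reachable() {
    for host in $DC_HOSTS; do
        "$PROBE" "$host" && return 0
    done
    return 1
}

# Poll until a DC answers; give up only if MAX_TRIES is non-zero and exhausted.
wait_for_dc() {
    tries=0
    until any_dc_reachable; do
        tries=$((tries + 1))
        [ "$MAX_TRIES" -gt 0 ] && [ "$tries" -ge "$MAX_TRIES" ] && return 1
        sleep "$INTERVAL"
    done
}

# Step 3 of the original: once a DC answers, switch to the LDAP-backed configs
# and pull in the networked services (samba, NFS, ...) as a target.
promote_to_networked() {
    wait_for_dc && select_auth_profile ldap && "$SYSTEMCTL" start networked.target
}
case "${1:-}" in local) select_auth_profile local ;; run) promote_to_networked ;; esac
```

The TimeoutSec=0 on the waiting unit matters: without it systemd's default start timeout would kill the poll loop long before the 15-minute case described above completes.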