conf/110252: success=return action doesn't work in /etc/nsswitch.conf

Gerhard Schmidt estartu at augusta.de
Fri May 18 09:09:38 UTC 2007


On Fri, May 18, 2007 at 02:40:38AM +0000, Jonathan Chen wrote:
> Synopsis: success=return action doesn't work in /etc/nsswitch.conf
> 
> State-Changed-From-To: open->closed
> State-Changed-By: jon
> State-Changed-When: Fri May 18 02:28:17 UTC 2007
> State-Changed-Why: 
> (yes, I really mean to close it this time)
> 
> This is not a bug, this is the expected behavior.

It might be in your opinion but it's still not in mine. 

> When a user logs in to a system, a group list is created for the user 
> which contains the list of all groups the user belongs to.  The only way 
> you can get such a list is to query all sources of group information for 
> groups.  When openldap starts, it calls the initgroups() function, which 
> creates such a list.  Openldap does this to ensure the user it changes to 
> is in all the correct groups, so it can access all the files that you 
> might think it should have access to.

I know that. But still there should be a way to abort the chain if needed.

> Similarly, finger by default matches the arguments you give it with both 
> the username and gecos name of the user, and returns finger information 
> for all matches.  Again, the only way it could do this is to walk through 
> the entire list of all users, which requires accessing all data sources.  
> You can tell finger to match only the exact username with the -m flag, in 
> which case it will only consult the files database if the user is in there.
> 
> Incidentally, success=return is the default behavior, you don't need to 
> specify it.

I know that. But shouldn't the default behavior for groups be 
success=continue? This would have the 'expected behavior' for the default 
case. And there will be the possibility to abort the chain with a 
success=return if you want. 
 
> To get around this, you can either:
> 	1) run openldap as the root user, in which case it won't initgroups().

This has some security implications.

> 	2) edit openldap source and comment out the section doing initgroups().

Not very user-friendly. Not all FreeBSD users know how to do this. 

> 	3) change the timeout value in your nss_ldap config to a more appropriate value (bind_timeout might do the trick)

Doesn't fix the problem (tried it first). 

> 	4) don't run the ldap server on a machine that requires ldap.

Having to run a separate machine just for ldap isn't very effective.

But there is a 5) that fixes this problem without negative points. 

Setting bind_policy to soft in nss_ldap.conf fixes this problem for ldap, 
but still there might be nss modules that don't have this workaround. 

Bye
	Estartu

-- 
----------------------------------------------------------------------------
Gerhard Schmidt    | Nick : estartu      IRC : Estartu  |
Fischbachweg 3     |                                    |  PGP Public Key
86856 Hiltenfingen | EMail: estartu at augusta.de          |  on request 
Germany            |                                    |  
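As an added example that is not part of this thread or of FreeBSD's libc, the following toy Python model shows the group lookup chain as the two mails describe it: a single-entry lookup honours the [status=action] flags from nsswitch.conf, while membership enumeration (initgroups) asks every listed source, so an LDAP server that is still starting costs a full bind retry per call under bind_policy hard but fails fast under soft. The Source class, the demo() scenario, the group data and the cost numbers 30 and 1 are all constructed; nothing here calls the real NSS.

```python
import re  # added example, not from the thread: a toy model of an nsswitch.conf group chain
DEFAULT_ACTIONS = dict(success="return", notfound="continue", unavail="continue", tryagain="continue")

def parse_nsswitch_line(line):
    """'group: files [success=continue] ldap' -> [(source, {status: action}), ...]"""
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if tok.startswith("["):  # bracketed actions modify the preceding source
            for kv in tok.strip("[]").lower().split():
                status, action = kv.split("=")
                chain[-1][1][status] = action
        else:
            chain.append((tok, dict(DEFAULT_ACTIONS)))
    return chain

class Source:
    """Constructed group database standing in for one NSS module (files, ldap, ...)."""
    def __init__(self, groups, reachable=True, bind_policy="soft"):
        self.groups, self.reachable = groups, reachable
        # bind_policy hard keeps retrying a dead server (cost 30); soft gives up at once (cost 1)
        self.cost = 30 if not reachable and bind_policy == "hard" else 1
    def query(self, fn):
        if not self.reachable:
            return "unavail", None, self.cost
        out = fn(self.groups)
        return ("success" if out else "notfound"), out, 1

def getgrnam(chain, sources, name):
    """Single-entry lookup: stops at the first source whose status maps to 'return'."""
    spent = 0
    for src, actions in chain:
        status, result, cost = sources[src].query(lambda db: name if name in db else None)
        spent += cost
        if actions[status] == "return":
            return result, spent
    return None, spent

def initgroups(chain, sources, user):
    """Membership enumeration: every source is asked, actions ignored, since groups may be split."""
    groups, spent = set(), 0
    for src, _ in chain:
        _, found, cost = sources[src].query(lambda db: {g for g, m in db.items() if user in m})
        groups, spent = groups | (found or set()), spent + cost
    return groups, spent

def demo(bind_policy):
    chain = parse_nsswitch_line("group: files [success=return] ldap")  # ldap server still starting
    sources = {"files": Source({"wheel": {"alice"}, "ldap": {"ldap"}}),
               "ldap": Source({}, reachable=False, bind_policy=bind_policy)}
    return getgrnam(chain, sources, "ldap"), initgroups(chain, sources, "ldap")
```

demo("hard") shows the case from the report: getgrnam for the files-only 'ldap' group stops after files, yet initgroups for that same user still pays the 30-unit LDAP bind cost, which drops to 1 with demo("soft").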
