nss_ldap and openldap on the same server.

Joerg Pulz Joerg.Pulz at frm2.tum.de
Tue Mar 13 08:23:29 UTC 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, 13 Mar 2007, Gerhard Schmidt wrote:

> On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
>> On 3/12/07, Gerhard Schmidt <estartu at augusta.de> wrote:
>>> Hi,
>> Hello,
>>
>>> As I see it, nss asks all sources even if the frist one allready knows the
>>> answer. Is there a way to change this.
>>
>> man nsswitch.conf(5)
>> Look for Status codes and Actions
>
> Doesn't work. Tried the follwing nsswitch.conf
> group: files [success=return] ldap
> hosts: files dns
> networks: files
> passwd: files [success=return] ldap
> shells: files
>
> This doesn't change the delay. And the nss_ldap timeout is still reported.
> This is not supprising because the manpage states [success=return] is
> default.
>
> Seams there is a bug somewhere.

AFAICT, there is no bug.
The behavior is completely correct as a look into the openldap code turns 
out.
When starting up slapd, it tries to switch the credentials to the user and 
group specified, normally ldap:ldap. Therefor it uses getpwuid(3), 
getpwnam(3), getgrgid(3) and getgrnam(3) functions. If lookup for the user 
and group specified is okay, it then calls getuid(3) and initgroups(3).
Reading initgroups(3) turns out the following:

The initgroups() function uses the getgrouplist(3) function to calculate
the group access list for the user specified in name.

Reading getgrouplist(3) turns out the following:

The getgrouplist() function reads through the group file and calculates
the group access list for the user specified in name.
[...]
The getgrouplist() function uses the routines based on getgrent(3).

Reading getgrent(3) turns out the following:

The getgrent() function sequentially reads the group database and is
intended for programs that wish to step through the complete list of
groups.
[...]
The getgrent() and getgrent_r() functions make no attempt to suppress 
duplicate information if multiple sources are specified in 
nsswitch.conf(5).

So after following the way through all man pages, it turns out that the 
behavior is fully correct as a lookup is done to find out all groups to 
which the specified slapd user belongs to. This includes lookups using 
nss_ldap when ldap is configured as source for groups in nsswitch.conf.

As a side note, a short look into the bind and cron source turns out that 
these, and probably others too, also use the initgroups(3) function.

HTH,
Joerg

- -- 
The beginning is the most important part of the work.
 				-Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)

iD8DBQFF9lwFSPOsGF+KA+MRAnI+AJ0Qu0Zr9IHHLrDL60boB3mauzMPkwCfQ3Lx
Zq0odiQpNiLwC3CSDkXuepU=
=S+3e
-----END PGP SIGNATURE-----

More information about the freebsd-questions mailing list