nss_ldap and openldap on the same server.

Jonathan McKeown jonathan at hst.org.za
Tue Mar 13 14:03:17 UTC 2007


On Tuesday 13 March 2007 14:21, Gerhard Schmidt wrote:
> On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote:
> > On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:

[setting group: files ldap in nsswitch.conf]

> > It looks as though you can instruct nss_ldap to unconditionally return
> > NSS_STATUS_NOTFOUND for a user, by adding
> >
> > nss_initgroups_ignoreusers user
> >
> > in nss_ldap.conf.
>
> It's not. Added nss_initgroups_ignoreusers ldap but it still blocks for
> 2 min. I have found a solution that works for me. The problem is not that
> nsswitch asks nss_ldap but that nss_ldap takes so long to realise the
> ldap isn't running. I have changed the bind_policy setting of nss_ldap from
> hard to soft and nss_ldap fails without delay. So it's working for me
> for now.
>
> But still there is a problem with that. Right now there is no way we could
> prevent any source from adding users to any group (e.g. wheel). I think
> that's a security problem in environments where you don't have control over
> all sources used for authentication and user management. If there was a way
> you could tell the nss to stop when a group definition is found in a module
> we would have a way to stop this. That shouldn't be the default way but it
> should be possible.

Basically you're saying you want to take the first list of groups you find in
the same way that you can take the first username you find: and with respect,
you seem to be finding increasingly strident reasons why things should be the
way you want them. You're still banging your head against the wall. It's easy
to ``prevent any source from adding users to any group'': just don't give the
whole world write access to your groups database - whether it's in the system
files, NIS, LDAP, or on tablets of stone on a small hill in your server room.

If you don't want to look up group information in LDAP, don't put ldap in the
group line in nsswitch.conf. If you do, secure it properly and accept that it
will always do an LDAP lookup, because group information is additive - unlike
user information which has to be unique. Accept, too, that if you only have a
single LDAP server, there will be a bootstrap problem reading the groups list
for the ldap user to start up the LDAP server: but the only "cost" of this is
an extra two minutes or so on each boot, which you seem to have solved in any
case.

Jonathan
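
The two settings the thread turns on, the sources on the group: line of
nsswitch.conf and bind_policy in nss_ldap.conf, are easy to audit with a
small script. The following is an added example, written for this page and
not code posted by either Jonathan or Gerhard. It constructs sample copies of
both files in a temporary directory (so it runs without an LDAP server) and
reports whether group lookups consult LDAP and whether a dead slapd will make
them hang. The nss_ldap.conf contents, the 127.0.0.1 URI and the base DN are
made up for the demonstration; the FreeBSD path /usr/local/etc/nss_ldap.conf
mentioned in the comments is an assumption about where the port installs it.

```shell
#!/bin/sh
# Added example, not from the thread: audit nsswitch.conf and nss_ldap.conf for
# the settings discussed above. All file contents below are constructed for the
# demonstration. On a real host point the functions at /etc/nsswitch.conf and
# (assumed FreeBSD port location) /usr/local/etc/nss_ldap.conf instead.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed nsswitch.conf: group lookups consult files first, then LDAP.
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap   # every listed source can contribute group members
hosts:  files dns
EOF

# Constructed nss_ldap.conf with the setting behind the two-minute boot hang.
cat > "$TMP/nss_ldap-hard.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=example,dc=com
bind_policy hard
EOF

# The same file after the change described in the thread: fail fast if slapd
# is down, and never ask LDAP for the ldap user's own supplementary groups.
cat > "$TMP/nss_ldap-soft.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=example,dc=com
bind_policy soft
nss_initgroups_ignoreusers ldap
EOF

# Print the sources listed for one database (e.g. "group") in an nsswitch.conf,
# with comments and [NOTFOUND=return]-style action brackets stripped.
nss_sources() {
    awk -v db="$1" '
        $0 ~ "^[ \t]*" db ":" {
            sub(/^[^:]*:/, "")        # drop the "group:" label
            sub(/#.*/, "")            # drop a trailing comment
            gsub(/\[[^]]*\]/, "")     # drop [action] brackets
            $1 = $1                   # collapse whitespace
            print; exit
        }' "$2"
}

# Return 0 if nss_ldap.conf sets bind_policy soft, 1 if it is hard or unset
# (hard is nss_ldap's default, so an absent line counts as hard).
bind_policy_is_soft() {
    awk 'tolower($1) == "bind_policy" { policy = $2 }
         END { exit (policy == "soft" ? 0 : 1) }' "$1"
}

# Print a verdict for the pair of files. Return 0 when group lookups cannot
# block on a dead LDAP server, 1 when they can.
audit_group_lookup() {
    nss=$1; ldapconf=$2
    sources=$(nss_sources group "$nss")
    case " $sources " in
        *" ldap "*) ;;
        *) echo "group: does not consult LDAP ($sources); no hang possible"
           return 0 ;;
    esac
    if bind_policy_is_soft "$ldapconf"; then
        echo "group: consults LDAP ($sources) with bind_policy soft;" \
             "lookups fail immediately while slapd is down"
        return 0
    fi
    echo "WARNING: group: consults LDAP ($sources) with bind_policy hard;" \
         "lookups block while slapd is down"
    return 1
}

audit_group_lookup "$TMP/nsswitch.conf" "$TMP/nss_ldap-hard.conf" \
    || echo "  -> set bind_policy soft in nss_ldap.conf"
audit_group_lookup "$TMP/nsswitch.conf" "$TMP/nss_ldap-soft.conf"
```

Note what the script does not do: it cannot tell you whether the LDAP
directory's own ACLs stop arbitrary writers from adding members to wheel,
which is the control Jonathan is pointing at. For that, inspect the slapd
access rules for the group subtree; the nsswitch side only decides which
sources are asked, not who may write to them.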


More information about the freebsd-questions mailing list