misc/110252: success=return action doesn't work in
/etc/nsswitch.conf
Gerhard Schmidt
estartu at augusta.de
Tue Mar 13 08:20:15 UTC 2007
>Number: 110252
>Category: misc
>Synopsis: success=return action doesn't work in /etc/nsswitch.conf
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 13 08:20:14 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Gerhard Schmidt
>Release: FreeBSD 6.2-STABLE i386
>Organization:
Augsburger Computer Forum e.V.
>Environment:
System: FreeBSD phobos.ze.tum.de 6.2-STABLE FreeBSD 6.2-STABLE #2: Thu Mar 8 15:21:55 CET 2007 root at phobos.ze.tum.de:/usr/src/sys/i386/compile/PHOBOS i386
>Description:
I have a FreeBSD server that runs an OpenLDAP server which holds the user information for some FreeBSD systems,
including itself. The user ldap is in /etc/passwd and the group ldap is in /etc/group.
/etc/nsswitch.conf looks like the following:
group: files [success=return] ldap
hosts: files dns
networks: files
passwd: files [success=return] ldap
shells: files
When the system boots, the bootup blocks for 2-3 minutes when starting OpenLDAP. The log states
the following.
Mar 13 08:13:13 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable
As I understand the success=return statement, ldap should never be asked when a user or group is
in the files. But it still is. And when the system is up and running, the ldap server is queried for
every user in the files. This is a security issue too. Every user search is sent to all sources in
nsswitch.conf.
>How-To-Repeat:
Do the setup described and do a finger on a user in /etc/passwd; you will see a query to
the ldap server.
>Fix:
n/k
>Release-Note:
>Audit-Trail:
>Unformatted: