misc/110252: success=return aktion doesn't work in /etc/nsswitch.conf

Gerhard Schmidt estartu at augusta.de
Tue Mar 13 08:20:15 UTC 2007

>Number:         110252
>Category:       misc
>Synopsis:       success=return aktion doesn't work in /etc/nsswitch.conf
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 13 08:20:14 GMT 2007
>Originator:     Gerhard Schmidt
>Release:        FreeBSD 6.2-STABLE i386
Augsburger Computer Forum e.V.	
System: FreeBSD phobos.ze.tum.de 6.2-STABLE FreeBSD 6.2-STABLE #2: Thu Mar 8 15:21:55 CET 2007 root at phobos.ze.tum.de:/usr/src/sys/i386/compile/PHOBOS i386

I have a FreeBSD Server that run a OpenLDAP server which holds the Userinfos for some FreeBSD systems
including himself. The user ldap is in /etc/passwd and the group ldap is in /etc/group. 
/etc/nsswitch.conf looks the following 
group: files [success=return] ldap 
hosts: files dns
networks: files
passwd: files [success=return] ldap
shells: files

When the system boots the bootup blocks for 2-3 Minutes when starting OpenLDAP. The Log states 
the following. 
Mar 13 08:13:13 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable

As I understand the success=return statement, ldap should never be asked when a user or group is 
in the files. But it sill is. An when the system is up an running the ldap server is queried for 
every user in the files. This is a security issue too. Every user search is send to all sources in 

Do the setup described and do a finger on a user in /etc/passwd you will see a query to 
the ldapserver. 


More information about the freebsd-bugs mailing list