conf/110252: success=return aktion doesn't work in /etc/nsswitch.conf

Jonathan Chen jon at FreeBSD.org
Fri May 18 02:40:39 UTC 2007


Synopsis: success=return aktion doesn't work in /etc/nsswitch.conf

State-Changed-From-To: open->closed
State-Changed-By: jon
State-Changed-When: Fri May 18 02:28:17 UTC 2007
State-Changed-Why: 
(yes, I really mean to close it this time)

This is not a bug, this is the expected behavior.

When a user logs in to a system, a group list is created for the user which contains the list of all groups the user belongs to.  The only way you can get such a list is to query all sources of group information for groups.  When openldap starts, it calls the initgroups() function, which creates such a list.  Openldap does this to ensure the user it changes to is in all the correct groups, so it can access all the files that you might think it should have access to.

Similarly, finger by default matches the arguments you give it with both the username and gecos name of the user, and returns finger information for all matches.  Again, the only way it could do this is to walk through the entire list of all users, which requires accessing all data sources.  You can tell finger to match only the exact username with the -m flag, in which case it will only consult the files database if the user is in there.

Incidentally, success=return is the default behavior, you don't need to specify it.

To get around this, you can either:
	1) run openldap as the root user, in which case it won't initgroups().
	2) edit openldap source and comment out the section doing initgroups().
	3) change the timeout value in your nss_ldap config to a more appropriate value (bind_timeout might do the trick)
	4) don't run the ldap server on a machine that requires ldap.



http://www.freebsd.org/cgi/query-pr.cgi?pr=110252
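The group enumeration described above can be observed directly. The following C program is an added example, not part of the PR or of openldap; it calls getgrouplist(3), which is what initgroups(3) uses to build a login group list, and prints every group the name service returns for a user. Because the list is assembled from every source named on the "group:" line of nsswitch.conf, a slow or unreachable ldap source shows up here as the same delay the PR reporter saw, whether or not success=return is present. The username argument, the growing buffer size and the helper names are the example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Collect the full group list for `user`, exactly as initgroups(3)
 * would at login. getgrouplist(3) consults every source on the
 * "group:" line of nsswitch.conf, so this cannot stop early at the
 * first source that answers. Returns the number of groups (always at
 * least one, since basegid is included), or -1 on error; the caller
 * frees *out. FreeBSD returns 0 on success and glibc returns the
 * count, so we rely on the value written through ngroups instead. */
int collect_groups(const char *user, gid_t basegid, gid_t **out)
{
    int cap = 16;                       /* starting buffer size (assumption) */
    for (;;) {
        int n = cap;
        gid_t *g = malloc(sizeof(gid_t) * (size_t)cap);
        if (g == NULL)
            return -1;
        if (getgrouplist(user, basegid, g, &n) != -1) {
            *out = g;
            return n;
        }
        /* -1 means the buffer was too small; grow and retry, with a cap
         * so a pathological answer cannot make us allocate forever. */
        free(g);
        if (cap > 65536)
            return -1;
        cap *= 2;
    }
}

/* Returns 1 if `wanted` is in the user's resolved group list, 0 if it
 * is not, and -1 if the list could not be built. This is the check a
 * daemon implicitly relies on when it drops privileges and then opens
 * group-readable files. */
int group_in_list(const char *user, gid_t basegid, gid_t wanted)
{
    gid_t *groups = NULL;
    int n = collect_groups(user, basegid, &groups);
    if (n < 0)
        return -1;
    int found = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == wanted)
            found = 1;
    free(groups);
    return found;
}

/* Usage: ./groups [username]; defaults to the invoking user. */
int main(int argc, char **argv)
{
    struct passwd *pw = (argc > 1) ? getpwnam(argv[1]) : getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "no such user\n");
        return 1;
    }
    gid_t *groups = NULL;
    int n = collect_groups(pw->pw_name, pw->pw_gid, &groups);
    if (n < 0) {
        fprintf(stderr, "getgrouplist failed\n");
        return 1;
    }
    printf("%s is in %d group(s):\n", pw->pw_name, n);
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(groups[i]);   /* another nsswitch walk */
        printf("  %u %s\n", (unsigned)groups[i], gr ? gr->gr_name : "?");
    }
    free(groups);
    return 0;
}
```

Run it under `time` on the affected host: the wall-clock delay is the sum of every configured group source, which is why the workarounds in the PR either avoid the call (items 1, 2 and 4) or shorten the per-source timeout (item 3).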

