conf/110252: success=return aktion doesn't work in /etc/nsswitch.conf
Gerhard Schmidt
estartu at augusta.de
Fri May 18 09:09:38 UTC 2007
On Fri, May 18, 2007 at 02:40:38AM +0000, Jonathan Chen wrote:
> Synopsis: success=return aktion doesn't work in /etc/nsswitch.conf
>
> State-Changed-From-To: open->closed
> State-Changed-By: jon
> State-Changed-When: Fri May 18 02:28:17 UTC 2007
> State-Changed-Why:
> (yes, I really mean to close it this time)
>
> This is not a bug, this is the expected behavior.
It might be in your opinion but it's still not in mine.
> When a user logs in to a system, a group list is created for the user
> which contains the list of all groups the user belongs to. The only way
> you can get such a list is to query all sources of group information for
> groups. When openldap starts, it calls the initgroups() function, which
> creates such a list. Openldap does this to ensure the user it changes to
> is in all the correct groups, so it can access all the files that you
> might think it should have access to.
I know that. But still there should be a way to abort the chain if needed.
> Similarly, finger by default matches the arguments you give it with both
> the username and gecos name of the user, and return finger information
> for all matches. Again, the only way it could do this is to walk through
> the entire list of all users, which requires accessing all data sources.
> You can tell finger to match only the exact username with the -m flag, in
> which case it will only consult the files database if the user is in there.
>
> Incidentally, success=return is the default behavior, you don't need to
> specify it.
I know that. But shouldn't the default behavior for groups be
success=continue? This would have the 'expected behavior' for the default
case, and there would still be the possibility to abort the chain with a
success=return if you want.
> To get around this, you can either:
> 1) run openldap as the root user, in which case it won't initgroups().
This has some security implications.
> 2) edit openldap source and comment out the section doing initgroups().
Not very user-friendly. Not all FreeBSD users know how to do this.
> 3) change the timeout value in your nss_ldap config to a more appropriate value (bind_timeout might do the trick)
Doesn't fix the problem (tried it first).
> 4) don't run the ldap server on a machine that requires ldap.
Having to run a separate machine just for ldap isn't very effective.
But there is a 5) that fixes this problem without negative points.
Setting bind_policy to soft in nss_ldap.conf fixes this problem for ldap,
but still there might be nss modules that don't have this workaround.
Bye
Estartu
--
Gerhard Schmidt | Nick: estartu | IRC: Estartu
Fischbachweg 3, 86856 Hiltenfingen, Germany
EMail: estartu at augusta.de | PGP Public Key on request
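The two knobs the thread turns on, shown side by side as an added illustration that is not part of the original mail or of FreeBSD's shipped defaults. The nsswitch.conf action syntax ([status=action]) and the nss_ldap keywords bind_policy and bind_timelimit are documented options; the file path, host name, base DN, timeout value and source ordering are assumptions chosen for the example.

```conf
# /etc/nsswitch.conf (added illustration; ordering is an assumption)
#
# Plain form. success=return is implied, so once "files" answers a
# getgrnam()/getgrgid() lookup the chain stops and ldap is never asked.
# As the mail explains, initgroups() is different: building the full group
# list requires enumerating every source, so ldap is consulted regardless
# of the action word. Using this form while slapd is starting (and calling
# initgroups() itself) therefore still hits the not-yet-listening server.
group:  files ldap

# Explicit form, equivalent to the line above:
# group:  files [success=return] ldap

# Form the mail argues should be the default for group: always continue
# past files, with [success=return] left available to cut the chain short.
# group:  files [success=continue] ldap


# /usr/local/etc/nss_ldap.conf (assumed path; workaround 5 from the mail)
host ldap.example.org              # assumed host name
base dc=example,dc=org             # assumed base DN

# bind_policy soft: when the LDAP server cannot be reached (for instance
# while it is still starting up), fail the lookup straight away instead of
# the default "hard" behaviour of retrying until the timeout is exhausted.
bind_policy soft

# Short connect/bind time limit (seconds; value is an assumption) so that a
# server that is down does not stall logins for long even in the hard case.
bind_timelimit 5
```

With bind_policy soft the group lookups issued during slapd's own initgroups() call fail fast and fall through to the files database, which is what lets the server finish starting. It only covers nss_ldap, though: as the mail notes, another NSS module that lacks an equivalent setting would still block the chain, since the action words in nsswitch.conf cannot stop an initgroups() enumeration.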