nss_ldap and openldap on the same server.

Gerhard Schmidt estartu at augusta.de
Tue Mar 13 12:21:05 UTC 2007

On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:
> > > It's a well-known problem rather than a bug, and it arises when looking
> > > up group information for a user. The system needs a list of all the
> > > groups the user is a member of. Since it's a list, not a single answer,
> > > you can't short-circuit the process with ``success'' after finding a
> > > single result: initgroups(3) must work through all possible sources of
> > > group information to build the list.
> >
> > I think its still a bug. You are right that all groups should be found so
> > the default for groups should be success=continue to have this done. But
> > when I explicily specify that on success the process should abort, it
> > should be done exacly this way.
> You've now had responses from me and Joerg Pulz, and given us essentially the 
> same reply. I'm not sure success means what you think it means: group 
> information is a complete list, not ``first item found'' like a user account.
> You have told the system to check for group information in files and ldap. You 
> have, therefore, not succeeded in listing all groups until you have both 
> searched the files *and* received a response from nss_ldap, either group 
> information or NSS_STATUS_NOTFOUND.
> It looks as though you can instruct nss_ldap to unconditionally return 
> NSS_STATUS_NOTFOUND for a user, by adding
> nss_initgroups_ignoreusers user
> in nss_ldap.conf. I'd be interested to hear whether it works, having not 
> tested it myself, but at the moment you're banging your head against the wall 
> and shouting about how much it hurts. It will hurt less if you stop.

It's not. added nss_initgroups_ignoreusers ldap but it still blockes for 
2 Min. I have found a solution that work for me. The problem is not that 
nsswitch asks nss_ldap but that nss_ldap take so long to realise the 
ldap isn't running. I have changed the bind_policy setting of nss_ldap from
hard to soft and nss_ldap fails without delay. So it's working for me 
for now.

But still there is a problem with that. Right now there is no way we could
prevent any source from adding users to any group (e.g wheel). I think thats
a security problem in envoriments where you don't have control over all 
sources used for authentication und usermanagement. If there was a way
you could tell the nss to stop wenn a group definition is found in a module
we had a way to stop this. That shouldn't be the default way but it schould
be possible. 


Gerhard Schmidt    | Nick : estartu      IRC : Estartu  |
Fischbachweg 3     |                                    |  PGP Public Key
86856 Hiltenfingen | EMail: estartu at augusta.de          |  on request 
Germany            | 					|  

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20070313/cea089ac/attachment.pgp

More information about the freebsd-questions mailing list