Date: Tue, 13 Mar 2007 09:26:13 +0100
From: Gerhard Schmidt <estartu@augusta.de>
To: Jonathan McKeown <jonathan@hst.org.za>
Cc: freebsd-questions@freebsd.org, Pietro Cerutti <pietro.cerutti@gmail.com>
Subject: Re: nss_ldap and openldap on the same server.
Message-ID: <20070313082613.GA20341@augusta.de>
In-Reply-To: <200703131001.10355.jonathan@hst.org.za>
References: <20070312141915.GA1842@augusta.de> <e572718c0703121607n57d1c28co915638069262042a@mail.gmail.com> <20070313071641.GA18856@augusta.de> <200703131001.10355.jonathan@hst.org.za>
On Tue, Mar 13, 2007 at 10:01:09AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> > On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > > On 3/12/07, Gerhard Schmidt <estartu@augusta.de> wrote:
> > > > Hi,
> > >
> > > Hello,
> > >
> > > > As I see it, nss asks all sources even if the first one already knows
> > > > the answer. Is there a way to change this?
> > >
> > > man nsswitch.conf(5)
> > > Look for Status codes and Actions
> >
> > Doesn't work. Tried the following nsswitch.conf
> >
> > group: files [success=return] ldap
> > hosts: files dns
> > networks: files
> > passwd: files [success=return] ldap
> > shells: files
> >
> > This doesn't change the delay. And the nss_ldap timeout is still reported.
> > This is not surprising because the manpage states [success=return] is
> > default.
> >
> > Seems there is a bug somewhere.
>
> It's a well-known problem rather than a bug, and it arises when looking up
> group information for a user. The system needs a list of all the groups the
> user is a member of. Since it's a list, not a single answer, you can't
> short-circuit the process with ``success'' after finding a single result:
> initgroups(3) must work through all possible sources of group information to
> build the list.

I think it's still a bug. You are right that all groups should be found, so
the default for groups should be success=continue to have this done. But
when I explicitly specify that on success the process should abort, it should
be done exactly this way.

> The only ``workaround'' I've seen suggested is the parameter introduced
> recently in nss_ldap:
>
> nss_initgroups_ignoreusers
>
> It takes a comma-separated list of users for whom the nss_ldap initgroups
> routine should immediately return NSS_STATUS_NOTFOUND. If you keep group
> information for all the system users in /etc/group only, and add them all to
> this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't
> tested this).

This may fix the problem with nss_ldap but it's still there with other
modules.

Bye
Estartu

--
----------------------------------------------------------------------------
Gerhard Schmidt    | Nick : estartu      IRC : Estartu  |
Fischbachweg 3     |                                    | PGP Public Key
86856 Hiltenfingen | EMail: estartu@augusta.de          | on request
Germany            |                                    |
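The following is an added illustration, not code from this thread or from nss_ldap or FreeBSD's nsswitch. It models the behaviour the two posters are arguing about: a single-answer lookup such as getpwnam honours the per-source [status=action] list, so `files [success=return] ldap` never touches LDAP once /etc/passwd answers; an initgroups-style lookup must merge group membership from every source, so the same line still contacts an unreachable LDAP server. The Source class, its `reachable` flag, the `contacted` counter and the sample users and groups are all constructed for the demo; the `ignoreusers` set models the nss_initgroups_ignoreusers semantics as Jonathan describes them (return NOTFOUND at once for listed users).

```python
import re

# Status codes and actions as named in nsswitch.conf(5).
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
RETURN, CONTINUE = "return", "continue"

# nsswitch.conf(5) defaults: stop after a successful source, carry on otherwise.
DEFAULT_ACTIONS = {SUCCESS: RETURN, NOTFOUND: CONTINUE,
                   UNAVAIL: CONTINUE, TRYAGAIN: CONTINUE}


def parse_nsswitch_line(line):
    """Parse one nsswitch.conf line such as
    'passwd: files [success=return] ldap' into [(source, actions), ...].
    Actions not given in brackets keep their defaults."""
    _, _, rhs = line.partition(":")
    entries = []
    for src, acts in re.findall(r"(\S+)\s*(?:\[([^\]]*)\])?", rhs):
        actions = dict(DEFAULT_ACTIONS)
        for pair in acts.split():
            status, _, action = pair.partition("=")
            actions[status.lower()] = action.lower()
        entries.append((src, actions))
    return entries


class Source:
    """A constructed name-service source (stands in for nss_files / nss_ldap).

    reachable=False plays the part of an LDAP server that times out; instead
    of sleeping we count how often the directory would have been contacted."""

    def __init__(self, name, users, groups, reachable=True, ignoreusers=()):
        self.name, self.users, self.groups = name, users, groups
        self.reachable = reachable
        self.ignoreusers = set(ignoreusers)   # models nss_initgroups_ignoreusers
        self.contacted = 0

    def getpwnam(self, user):
        self.contacted += 1
        if not self.reachable:
            return UNAVAIL, None
        if user in self.users:
            return SUCCESS, self.users[user]
        return NOTFOUND, None

    def initgroups(self, user):
        if user in self.ignoreusers:          # answer without touching the directory
            return NOTFOUND, set()
        self.contacted += 1
        if not self.reachable:
            return UNAVAIL, set()
        found = {g for g, members in self.groups.items() if user in members}
        return (SUCCESS, found) if found else (NOTFOUND, set())


def lookup_user(entries, sources, user):
    """Single-answer lookup: the [status=action] of each source decides
    whether the walk stops there."""
    status, value = NOTFOUND, None
    for src_name, actions in entries:
        status, value = sources[src_name].getpwnam(user)
        if actions[status] == RETURN:
            break
    return status, value


def lookup_groups(entries, sources, user):
    """initgroups(3)-style lookup: the answer is a list, so every source is
    consulted and the results are merged, whatever [success=...] says."""
    groups = set()
    for src_name, _actions in entries:
        _status, found = sources[src_name].initgroups(user)
        groups |= found
    return sorted(groups)


def demo():
    """Run the scenario from the thread on constructed data."""
    files = Source("files", {"alice": "alice:*:1001:1001"},
                   {"wheel": {"alice"}, "staff": {"alice", "bob"}})
    ldap = Source("ldap", {"bob": "bob:*:2001:2001"},
                  {"developers": {"alice", "bob"}}, reachable=False)
    sources = {"files": files, "ldap": ldap}
    passwd = parse_nsswitch_line("passwd: files [success=return] ldap")
    group = parse_nsswitch_line("group: files [success=return] ldap")
    result = {}

    # 1. passwd: files answers, [success=return] stops the walk, LDAP untouched.
    lookup_user(passwd, sources, "alice")
    result["passwd_ldap_contacts"] = ldap.contacted

    # 2. group: every source is asked, so the dead LDAP server costs a contact
    #    (the real system reports the nss_ldap timeout here).
    ldap.contacted = 0
    result["groups_ldap_down"] = lookup_groups(group, sources, "alice")
    result["group_ldap_contacts"] = ldap.contacted

    # 3. Why merging is needed: with LDAP up, a group only LDAP knows appears.
    ldap.reachable = True
    result["groups_ldap_up"] = lookup_groups(group, sources, "alice")

    # 4. nss_initgroups_ignoreusers: LDAP short-circuits for listed users.
    ldap.reachable, ldap.contacted = False, 0
    ldap.ignoreusers = {"alice"}
    result["groups_ignored"] = lookup_groups(group, sources, "alice")
    result["ignored_ldap_contacts"] = ldap.contacted
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Step 2 is the delay Gerhard sees: the [success=return] on the group line changes nothing because the group walk never consults the action table. Step 4 shows why the ignoreusers list removes the delay only for the users named in it, and only for the nss_ldap module, which matches his closing objection that other modules would still be consulted.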