From: Jonathan McKeown
Organization: Health Systems Trust
To: freebsd-questions@freebsd.org
Cc: Gerhard Schmidt, Pietro Cerutti
Date: Tue, 13 Mar 2007 10:01:09 +0200
Subject: Re: nss_ldap and openldap on the same server.
In-Reply-To: <20070313071641.GA18856@augusta.de>
References: <20070312141915.GA1842@augusta.de> <20070313071641.GA18856@augusta.de>
Message-Id: <200703131001.10355.jonathan@hst.org.za>
On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > On 3/12/07, Gerhard Schmidt wrote:
> > > Hi,
> >
> > Hello,
> >
> > > As I see it, nss asks all sources even if the first one already knows
> > > the answer. Is there a way to change this?
> >
> > man nsswitch.conf(5)
> > Look for Status codes and Actions
>
> Doesn't work. Tried the following nsswitch.conf
>
> group: files [success=return] ldap
> hosts: files dns
> networks: files
> passwd: files [success=return] ldap
> shells: files
>
> This doesn't change the delay. And the nss_ldap timeout is still reported.
> This is not surprising because the manpage states [success=return] is
> default.
>
> Seems there is a bug somewhere.

It's a well-known problem rather than a bug, and it arises when looking up group information for a user. The system needs a list of all the groups the user is a member of. Since it's a list, not a single answer, you can't short-circuit the process with ``success'' after finding a single result: initgroups(3) must work through all possible sources of group information to build the list.

The only ``workaround'' I've seen suggested is the parameter introduced recently in nss_ldap:

nss_initgroups_ignoreusers

It takes a comma-separated list of users for whom the nss_ldap initgroups routine should immediately return NSS_STATUS_NOTFOUND. If you keep group information for all the system users in /etc/group only, and add them all to this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't tested this).

Jonathan
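As an added illustration of the point made in the reply above (this is not code from the thread or from nss_ldap), the following Python model of nsswitch dispatch uses constructed passwd, group and directory data to show why [success=return] ends a passwd lookup after files but cannot end an initgroups walk, and what the nss_initgroups_ignoreusers list changes, including which directory groups it hides:

```python
"""Constructed model of nsswitch dispatch across 'files' and 'ldap' sources."""
from dataclasses import dataclass, field

SUCCESS, NOTFOUND = "success", "notfound"

# Constructed stand-ins for /etc/passwd, /etc/group and the LDAP directory.
FILES_USERS = {"root", "daemon"}
FILES_GROUPS = {"wheel": {"root"}, "daemon": {"daemon"}}
LDAP_USERS = {"alice"}
LDAP_GROUPS = {"staff": {"alice", "root"}}   # root also has a directory group


@dataclass
class LdapSource:
    ignoreusers: set = field(default_factory=set)  # nss_initgroups_ignoreusers
    calls: list = field(default_factory=list)      # directory round trips made

    def getpwnam(self, user):
        self.calls.append(("getpwnam", user))
        return SUCCESS if user in LDAP_USERS else NOTFOUND

    def initgroups(self, user):
        if user in self.ignoreusers:   # answer NOTFOUND without touching the wire
            return NOTFOUND, set()
        self.calls.append(("initgroups", user))  # this is where the timeout bites
        return SUCCESS, {g for g, m in LDAP_GROUPS.items() if user in m}


def files_getpwnam(user):
    return SUCCESS if user in FILES_USERS else NOTFOUND


def files_initgroups(user):
    return SUCCESS, {g for g, m in FILES_GROUPS.items() if user in m}


def getpwnam(user, ldap):
    """passwd: files [success=return] ldap -- one answer ends the walk."""
    if files_getpwnam(user) == SUCCESS:
        return SUCCESS
    return ldap.getpwnam(user)


def initgroups(user, ldap):
    """group: files [success=return] ldap -- a list needs every source."""
    groups = set()
    for _status, found in (files_initgroups(user), ldap.initgroups(user)):
        groups |= found
    return groups
```

Note the trade-off the reply warns about: with root on the ignore list the directory group staff no longer appears for root, which is why the system users' group memberships have to live in /etc/group.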