From: Gerhard Schmidt
To: Jonathan McKeown
Cc: freebsd-questions@freebsd.org, Pietro Cerutti
Date: Tue, 13 Mar 2007 09:26:13 +0100
Subject: Re: nss_ldap and openldap on the same server.
Message-ID: <20070313082613.GA20341@augusta.de>
In-Reply-To: <200703131001.10355.jonathan@hst.org.za>

On Tue, Mar 13, 2007 at 10:01:09AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> > On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > > On 3/12/07, Gerhard Schmidt wrote:
> > > >Hi,
> > >
> > > Hello,
> > >
> > > >As I see it, nss asks all sources even if the first one already knows
> > > > the answer. Is there a way to change this?
> > >
> > > man nsswitch.conf(5)
> > > Look for Status codes and Actions
> >
> > Doesn't work. Tried the following nsswitch.conf
> > group: files [success=return] ldap
> > hosts: files dns
> > networks: files
> > passwd: files [success=return] ldap
> > shells: files
> >
> > This doesn't change the delay. And the nss_ldap timeout is still reported.
> > This is not surprising because the manpage states [success=return] is
> > default.
> >
> > Seems there is a bug somewhere.
>
> It's a well-known problem rather than a bug, and it arises when looking up
> group information for a user. The system needs a list of all the groups the
> user is a member of. Since it's a list, not a single answer, you can't
> short-circuit the process with ``success'' after finding a single result:
> initgroups(3) must work through all possible sources of group information to
> build the list.

I think it's still a bug. You are right that all groups should be found so
the default for groups should be success=continue to have this done.
But when I explicitly specify that on success the process should abort, it
should be done exactly this way.

> The only ``workaround'' I've seen suggested is the parameter introduced
> recently in nss_ldap:
>
> nss_initgroups_ignoreusers
>
> It takes a comma-separated list of users for whom the nss_ldap initgroups
> routine should immediately return NSS_STATUS_NOTFOUND. If you keep group
> information for all the system users in /etc/group only, and add them all to
> this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't
> tested this).

This may fix the problem with nss_ldap but it's still there with other
modules.

Bye
    Estartu

--
----------------------------------------------------------------------------
Gerhard Schmidt    | Nick : estartu      IRC : Estartu  |
Fischbachweg 3     |                                    |  PGP Public Key
86856 Hiltenfingen | EMail: estartu@augusta.de          |  on request
Germany            |                                    |
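
Added example, not part of the original message or of nss_ldap: a POSIX sh helper that builds the nss_initgroups_ignoreusers line described in the quoted reply from passwd(5)-format input. The function names, the optional UID cut-off and the sample accounts are assumptions made for illustration.

```sh
#!/bin/sh
# Print an nss_initgroups_ignoreusers line for nss_ldap.conf from
# passwd(5)-format input on stdin.
# Usage: ignoreusers_line [MAX_UID] < /etc/passwd
# MAX_UID is an optional, assumed cut-off for "system users"; without it
# every account in the input is listed.
ignoreusers_line() {
    awk -F: -v max="${1:-}" '
        /^[ \t]*#/ { next }               # comment lines
        /^[ \t]*$/ { next }               # blank lines
        /^[+-]/    { next }               # NIS compat entries, not real accounts
        NF < 7 || $1 == "" { next }       # malformed records
        $3 !~ /^[0-9]+$/ { next }         # UID must be numeric
        max != "" && $3 + 0 > max + 0 { next }
        seen[$1]++ { next }               # first entry for a name wins
        { list = (list == "" ? $1 : list "," $1) }
        END { if (list != "") print "nss_initgroups_ignoreusers " list }
    '
}

# Constructed sample input (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
# $FreeBSD$
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
root:*:0:0:duplicate entry:/root:/bin/sh
alice:*:1001:1001:Local admin:/home/alice:/bin/sh
+:::::::
broken:line
EOF
}

sample_passwd | ignoreusers_line 999
```

Accounts named on this line receive no supplementary groups from LDAP, so list only users whose memberships are kept entirely in /etc/group.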