From: Gerhard Schmidt
To: Jonathan Chen
Cc: freebsd-bugs@FreeBSD.org
Date: Fri, 18 May 2007 10:47:41 +0200
Subject: Re: conf/110252: success=return aktion doesn't work in /etc/nsswitch.conf
Message-ID: <20070518084741.GA46282@augusta.de>
In-Reply-To: <200705180240.l4I2ech7091205@freefall.freebsd.org>

On Fri, May 18, 2007 at 02:40:38AM +0000, Jonathan Chen wrote:
> Synopsis: success=return aktion doesn't work in /etc/nsswitch.conf
>
> State-Changed-From-To: open->closed
> State-Changed-By: jon
> State-Changed-When: Fri May 18 02:28:17 UTC 2007
> State-Changed-Why:
> (yes, I really mean to close it this time)
>
> This is not a bug, this is the expected behavior.

It might be in your opinion, but it's still not in mine.

> When a user logs in to a system, a group list is created for the user
> which contains the list of all groups the user belongs to. The only way
> you can get such a list is to query all sources of group information for
> groups. When openldap starts, it calls the initgroups() function, which
> creates such a list. Openldap does this to ensure the user it changes to
> is in all the correct groups, so it can access all the files that you
> might think it should have access to.

I know that. But still there should be a way to abort the chain if needed.

> Similarly, finger by default matches the arguments you give it with both
> the username and gecos name of the user, and returns finger information
> for all matches. Again, the only way it could do this is to walk through
> the entire list of all users, which requires accessing all data sources.
>
> You can tell finger to match only the exact username with the -m flag, in
> which case it will only consult the files database if the user is in there.
>
> Incidentally, success=return is the default behavior, you don't need to
> specify it.

I know that. But shouldn't the default behavior for groups be
success=continue? This would have the 'expected behavior' for the default
case, and there would still be the possibility to abort the chain with a
success=return if you want.

> To get around this, you can either:
> 1) run openldap as the root user, in which case it won't initgroups().

This has some security implications.

> 2) edit openldap source and comment out the section doing initgroups().

Not very user-friendly. Not all FreeBSD users know how to do this.

> 3) change the timeout value in your nss_ldap config to a more appropriate
> value (bind_timeout might do the trick)

Doesn't fix the problem (tried it first).

> 4) don't run the ldap server on a machine that requires ldap.

Having to run a separate machine just for ldap isn't very effective.

But there is a 5th that fixes this problem without negative points:
setting bind_policy to soft in nss_ldap.conf fixes this problem for ldap,
but still there might be nss modules that don't have this workaround.

Bye
Estartu
--
Gerhard Schmidt | Nick : estartu  IRC : Estartu | PGP Public Key on request
Fischbachweg 3, 86856 Hiltenfingen, Germany | EMail: estartu@augusta.de
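The thread turns on one distinction: a single-key lookup such as getgrnam() honours the per-source `[status=action]` list in nsswitch.conf, while the group-membership enumeration behind initgroups() must union the answers of every source, so `success=return` cannot cut that chain and an unreachable ldap backend stalls whoever calls initgroups() (here, slapd starting up) until nss_ldap gives up. The Python below is an added model of that behaviour, written for this page; it is not FreeBSD's libc nsdispatch and not nss_ldap. The backends, users, groups, the 30-second bind timeout and the retry cap of 5 for `bind_policy hard` are all constructed sample values (real nss_ldap retries for much longer under the hard policy), chosen only to show how `bind_policy soft` bounds the wait.

```python
"""Added model of nsswitch.conf source chaining for a single-key lookup versus
the group-membership enumeration behind initgroups().
Constructed illustration: it is not FreeBSD's libc nsdispatch nor nss_ldap."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Status codes from nsswitch.conf(5); each maps to the action "return" or "continue".
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}


def parse_actions(spec: str) -> Dict[str, str]:
    """Parse an nsswitch.conf action list such as '[success=return unavail=continue]'."""
    actions = dict(DEFAULT_ACTIONS)
    for item in spec.strip("[] ").split():
        status, _, action = item.partition("=")
        status, action = status.lower(), action.lower()
        if status not in actions or action not in ("return", "continue"):
            raise ValueError(f"bad action: {item!r}")
        actions[status] = action
    return actions


@dataclass
class Source:
    """One NSS backend (files, ldap, ...) with the data it knows and its reachability."""
    name: str
    users: Dict[str, List[str]]                 # user -> groups this backend knows about
    actions: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_ACTIONS))
    reachable: bool = True
    bind_timeout: float = 0.0                   # seconds one failed connect attempt costs
    bind_policy: str = "hard"                   # nss_ldap: "hard" keeps retrying, "soft" fails fast
    hard_retries: int = 5                       # constructed cap; real nss_ldap retries far longer

    def query(self, user: str) -> Tuple[str, List[str], float]:
        """Return (status, groups, simulated seconds spent waiting on this backend)."""
        if not self.reachable:
            attempts = 1 if self.bind_policy == "soft" else self.hard_retries
            return UNAVAIL, [], attempts * self.bind_timeout
        groups = self.users.get(user)
        if groups is None:
            return NOTFOUND, [], 0.0
        return SUCCESS, list(groups), 0.0


def keyed_lookup(sources: List[Source], user: str) -> Tuple[str, List[str], float]:
    """Single-key lookup (think getgrnam): the [status=action] of the source that
    just answered decides whether the chain stops; with the default success=return
    the first backend that finds the key ends the walk."""
    waited = 0.0
    for src in sources:
        status, groups, t = src.query(user)
        waited += t
        if src.actions[status] == "return":
            return status, groups, waited
    return NOTFOUND, [], waited


def initgroups_model(sources: List[Source], user: str) -> Tuple[List[str], float]:
    """Membership enumeration (what initgroups() needs): the answer is the union
    over every backend, so each one is consulted and success=return cannot cut the
    chain. An unreachable backend therefore adds its full bind delay to the caller."""
    groups: List[str] = []
    waited = 0.0
    for src in sources:
        _status, found, t = src.query(user)
        waited += t
        for g in found:
            if g not in groups:
                groups.append(g)
    return groups, waited


# Constructed sample setup: local files know the daemon user, the ldap backend is
# down (for instance because slapd itself is the process that is starting up).
FILES = Source("files", {"slapd": ["ldap"], "root": ["wheel"]},
               actions=parse_actions("[success=return]"))
LDAP_HARD = Source("ldap", {"slapd": ["ldapadmins"]}, reachable=False,
                   bind_timeout=30.0, bind_policy="hard")
LDAP_SOFT = Source("ldap", {"slapd": ["ldapadmins"]}, reachable=False,
                   bind_timeout=30.0, bind_policy="soft")


def demo():
    """Compare the three behaviours discussed in the thread."""
    keyed = keyed_lookup([FILES, LDAP_HARD], "slapd")     # stops at files, no wait
    hard = initgroups_model([FILES, LDAP_HARD], "slapd")  # walks into ldap, long stall
    soft = initgroups_model([FILES, LDAP_SOFT], "slapd")  # walks into ldap, bounded stall
    return keyed, hard, soft


if __name__ == "__main__":
    for label, result in zip(("getgrnam-style", "initgroups, bind_policy hard",
                              "initgroups, bind_policy soft"), demo()):
        print(f"{label}: {result}")
```

Running it shows the keyed lookup returning from `files` without touching ldap, while both enumeration runs reach ldap regardless of `[success=return]`; the only lever that changes the stall is the backend's own bind policy, which is why the workaround lives in nss_ldap.conf rather than nsswitch.conf, and why a module without such a setting would still block.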