Date: Fri, 18 May 2007 10:47:41 +0200
From: Gerhard Schmidt <estartu@augusta.de>
To: Jonathan Chen <jon@FreeBSD.org>
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: conf/110252: success=return aktion doesn't work in /etc/nsswitch.conf
Message-ID: <20070518084741.GA46282@augusta.de>
In-Reply-To: <200705180240.l4I2ech7091205@freefall.freebsd.org>
References: <200705180240.l4I2ech7091205@freefall.freebsd.org>
On Fri, May 18, 2007 at 02:40:38AM +0000, Jonathan Chen wrote:
> Synopsis: success=return aktion doesn't work in /etc/nsswitch.conf
>
> State-Changed-From-To: open->closed
> State-Changed-By: jon
> State-Changed-When: Fri May 18 02:28:17 UTC 2007
> State-Changed-Why:
> (yes, I really mean to close it this time)
>
> This is not a bug, this is the expected behavior.

It might be in your opinion, but it's still not in mine.

> When a user logs in to a system, a group list is created for the user
> which contains the list of all groups the user belongs to. The only way
> you can get such a list is to query all sources of group information for
> groups. When openldap starts, it calls the initgroups() function, which
> creates such a list. Openldap does this to ensure the user it changes to
> is in all the correct groups, so it can access all the files that you
> might think it should have access to.

I know that. But there should still be a way to abort the chain if needed.

> Similarly, finger by default matches the arguments you give it with both
> the username and gecos name of the user, and returns finger information
> for all matches. Again, the only way it could do this is to walk through
> the entire list of all users, which requires accessing all data sources.
> You can tell finger to match only the exact username with the -m flag, in
> which case it will only consult the files database if the user is in there.
>
> Incidentally, success=return is the default behavior, you don't need to
> specify it.

I know that. But shouldn't the default behavior for groups be
success=continue? This would give the 'expected behavior' for the default
case, and there would still be the possibility to abort the chain with a
success=return if you want.

> To get around this, you can either:
> 1) run openldap as the root user, in which case it won't initgroups().

This has some security implications.

> 2) edit openldap source and comment out the section doing initgroups().

Not very user-friendly. Not all FreeBSD users know how to do this.

> 3) change the timeout value in your nss_ldap config to a more appropriate
> value (bind_timeout might do the trick)

Doesn't fix the problem (tried it first).

> 4) don't run the ldap server on a machine that requires ldap.

Having to run a separate machine just for ldap isn't very effective.

But there is a 5) that fixes this problem without negative points:
setting bind_policy to soft in nss_ldap.conf fixes this problem for ldap,
but there might still be nss modules that don't have this workaround.

Bye
Estartu
--
----------------------------------------------------------------------------
Gerhard Schmidt    | Nick : estartu  IRC : Estartu |
Fischbachweg 3     |                               | PGP Public Key
86856 Hiltenfingen | EMail: estartu@augusta.de     | on request
Germany            |                               |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070518084741.GA46282>
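As an added illustration (not part of the original message, and not FreeBSD's nsdispatch(3) code), the following Python model shows the two behaviours the thread is arguing about. `parse_line` reads the `[status=action]` syntax of an nsswitch.conf line and fills in the unstated defaults (success=return, everything else continue); `lookup` walks the chain the way a single-answer query such as getpwnam(3) does and stops where the action table says return; `group_membership` is the initgroups()-style walk Jon describes, where the answer is the union of every source's groups, so every source is consulted and the action table cannot stop it. The `make_probe` helper and the two group tables are constructed for the example and stand in for /etc/group and an LDAP directory; `ldap_up=False` models the server not yet answering, the situation the poster hits when slapd itself triggers the lookup during start-up.

```python
"""Model of how an nsswitch.conf(5) source chain is walked.

    group: files [success=continue notfound=continue] ldap

Sources are listed in order; each may be followed by a bracketed list of
status=action pairs. Statuses: success, notfound, unavail, tryagain.
Actions: return, continue. The default is success=return and continue for
the rest, so "files ldap" already means "stop at the first source that
answers". This is an illustrative model, not the libc implementation.
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Either a bracketed action block or a bare source name.
_TOKEN = re.compile(r"\[([^\]]*)\]|([^\s\[\]]+)")


def parse_line(line):
    """Parse one nsswitch.conf line into (database, [(source, actions), ...]).

    Every source gets a complete action table: the defaults, overridden by
    any [status=action] block that directly follows it.
    """
    line = line.split("#", 1)[0].strip()          # drop trailing comment
    db, sep, rest = line.partition(":")
    db = db.strip()
    if not sep or not db or not rest.strip():
        raise ValueError("malformed nsswitch.conf line: %r" % line)
    chain = []
    for m in _TOKEN.finditer(rest):
        block, source = m.groups()
        if source is not None:
            chain.append((source, dict(DEFAULT_ACTIONS)))
            continue
        if not chain:
            raise ValueError("action block before any source: %r" % line)
        for pair in block.split():
            status, _, action = pair.lower().partition("=")
            if status not in STATUSES or action not in ACTIONS:
                raise ValueError("bad status=action pair: %r" % pair)
            chain[-1][1][status] = action
    return db, chain


def lookup(chain, probe):
    """Single-answer lookup (think getpwnam(3)).

    probe(source) -> (status, value). Sources are tried in order and the
    action for each source's status decides whether to stop.
    Returns (status, value, sources_consulted).
    """
    consulted, status, value = [], "notfound", None
    for source, actions in chain:
        status, value = probe(source)
        consulted.append(source)
        if actions[status] == "return":
            break
    return status, value, consulted


def group_membership(chain, probe):
    """initgroups()/getgrouplist()-style walk as described in the thread.

    The result is the union of the groups every source knows for the user,
    so every source is consulted and the action table is never used to
    stop early. Returns (groups, sources_consulted).
    """
    groups, consulted = [], []
    for source, _actions in chain:
        status, value = probe(source)
        consulted.append(source)
        if status == "success":
            for g in value:
                if g not in groups:
                    groups.append(g)
    return groups, consulted


# Constructed sample data (hypothetical, not a real system): the "ldap"
# service user exists in both /etc/group and the directory, "alice" only in
# the directory.
FILES_GROUPS = {"ldap": ["ldap"], "root": ["wheel"]}
LDAP_GROUPS = {"ldap": ["ldap", "ldapadmins"], "alice": ["staff"]}


def make_probe(user, ldap_up):
    """Probe for one user; ldap_up=False models an unreachable LDAP server."""
    def probe(source):
        table = FILES_GROUPS if source == "files" else LDAP_GROUPS
        if source == "ldap" and not ldap_up:
            return ("unavail", None)
        if source not in ("files", "ldap"):
            return ("unavail", None)
        return ("success", table[user]) if user in table else ("notfound", None)
    return probe


if __name__ == "__main__":
    _, chain = parse_line("group: files [success=return] ldap  # explicit default")
    print(lookup(chain, make_probe("ldap", ldap_up=False)))            # stops at files
    print(group_membership(chain, make_probe("ldap", ldap_up=False)))  # still visits ldap
```

Run stand-alone, the first line shows the single-answer lookup stopping at `files` without ever touching the down LDAP server, while the membership walk visits `ldap` anyway. That second walk is why `[success=return]` on `files` is no help to the poster: the delay is not in the action table but in how long the unavailable `ldap` source takes to give up. The workaround he reports, `bind_policy soft` in nss_ldap.conf (per nss_ldap's own documentation, soft makes a failed bind return an error at once instead of retrying as hard does), shortens that visit rather than skipping it, which is consistent with his remark that other NSS modules without such an option would still block.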