From owner-freebsd-security@FreeBSD.ORG Mon Sep 26 11:21:32 2011
Date: Mon, 26 Sep 2011 13:07:09 +0200
From: Rene de Vries <rene@canyon.xs4all.nl>
To: freebsd-security@freebsd.org
Subject: Re: pam_ldap and nss_ldap : checken and egg problem with "wheel" group and "su" utility
In-Reply-To: <86r5369mgb.fsf@ds4.des.no>
References: <679126918.20110922121706@serebryakov.spb.ru> <86d3esy554.fsf@ds4.des.no> <964986730.20110923230802@serebryakov.spb.ru> <86r5369mgb.fsf@ds4.des.no>
List-Id: "Security issues [members-only posting]"

Why not have /etc/group be authoritative for wheel (and thus have a list of local superusers), and use sudo with an LDAP-based group for everything else?

René

On Sat, 24 Sep 2011 14:03:32 +0200, Dag-Erling Smørgrav wrote:
> Lev Serebryakov writes:
>> Dag-Erling writes:
>> > Did you try changing the priority in /etc/nsswitch.conf?
>> It gives a very long boot time, as nss_ldap waits for an answer from
>> the non-started server, again and again, etc.
>
> The only solution I can think of is to try to figure out how to reduce
> or eliminate this delay, because the system is doing exactly what you
> asked it to, i.e. treating /etc/group as authoritative and using LDAP
> only for groups it can't find there.
>
> DES

-- 
René de Vries rene@canyon.xs4all.nl
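The split René proposes (wheel kept in /etc/group so su works before the directory is reachable, LDAP-managed admins granted only through sudo) is easy to get subtly wrong, so here is an added sanity check for it. This is example code written for this page, not part of the thread or of any FreeBSD tool; the LDAP group name ldap-admins, the sudoers path and the sample nsswitch.conf, group and sudoers files that write_samples creates are all constructed assumptions, and every path is a parameter so the check can be pointed at a real host.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies the split where /etc/group
# stays authoritative for wheel and an LDAP group is only used via sudo.
# The sample files written by write_samples are constructed for illustration;
# the group name "ldap-admins" is an assumption.

# Succeeds if the "group:" line in the given nsswitch.conf lists "files"
# before "ldap" (or does not consult ldap at all), so wheel lookups never
# wait on a directory server that is not up yet.
nss_group_files_first() {
    files_pos=0; ldap_pos=0; i=0
    for src in $(awk '$1 == "group:" { for (n = 2; n <= NF; n++) print $n }' "$1"); do
        i=$((i + 1))
        if [ "$src" = "files" ] && [ "$files_pos" -eq 0 ]; then files_pos=$i; fi
        if [ "$src" = "ldap" ] && [ "$ldap_pos" -eq 0 ]; then ldap_pos=$i; fi
    done
    [ "$files_pos" -ne 0 ] || return 1
    [ "$ldap_pos" -eq 0 ] || [ "$files_pos" -lt "$ldap_pos" ]
}

# Prints the comma-separated members of wheel from the given group file;
# fails if wheel has no local entry (then su would depend on LDAP answering).
local_wheel_members() {
    awk -F: '$1 == "wheel" { print $4; found = 1 } END { exit !found }' "$1"
}

# Succeeds if the sudoers file carries a rule for "%<group>".
sudoers_grants_group() {
    grep -Eq "^%$2[[:space:]]" "$1"
}

# Overall verdict: prints "ok: ..." and succeeds, or prints the reason and fails.
# Arguments: nsswitch.conf path, group file path, sudoers path, LDAP group name.
check_split() {
    nss="$1"; grp="$2"; sudoers="$3"; ldap_group="$4"
    nss_group_files_first "$nss" || { echo "nsswitch: files must precede ldap for group"; return 1; }
    members=$(local_wheel_members "$grp") || { echo "wheel has no local entry"; return 1; }
    sudoers_grants_group "$sudoers" "$ldap_group" || { echo "sudoers: no rule for %$ldap_group"; return 1; }
    echo "ok: local wheel=$members, sudo via %$ldap_group"
}

# Writes constructed sample files (good and bad nsswitch order) into "$1".
write_samples() {
    printf 'passwd: files ldap\ngroup: files ldap\n' > "$1/nsswitch.good"
    printf 'group: ldap files\n' > "$1/nsswitch.bad"
    printf 'wheel:*:0:root,rene\noperator:*:5:root\n' > "$1/group"
    printf '%%ldap-admins ALL=(ALL) ALL\n' > "$1/sudoers"
}

# Stand-alone demo against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
check_split "$tmp/nsswitch.good" "$tmp/group" "$tmp/sudoers" ldap-admins
check_split "$tmp/nsswitch.bad" "$tmp/group" "$tmp/sudoers" ldap-admins || true
rm -rf "$tmp"
```

On a real host you would call check_split with /etc/nsswitch.conf, /etc/group and the sudoers file (on FreeBSD the sudo port installs it under /usr/local/etc) and your own LDAP group name. The check only looks at source order and file contents; it does not measure the nss_ldap timeout the thread is about, so a host that passes can still boot slowly if a non-wheel group lookup hits an unreachable server.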