Date: Fri, 18 May 2007 10:47:41 +0200
From: Gerhard Schmidt <estartu@augusta.de>
To: Jonathan Chen <jon@FreeBSD.org>
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: conf/110252: success=return aktion doesn't work in /etc/nsswitch.conf
Message-ID: <20070518084741.GA46282@augusta.de>
In-Reply-To: <200705180240.l4I2ech7091205@freefall.freebsd.org>
References: <200705180240.l4I2ech7091205@freefall.freebsd.org>
On Fri, May 18, 2007 at 02:40:38AM +0000, Jonathan Chen wrote:
> Synopsis: success=return aktion doesn't work in /etc/nsswitch.conf
>
> State-Changed-From-To: open->closed
> State-Changed-By: jon
> State-Changed-When: Fri May 18 02:28:17 UTC 2007
> State-Changed-Why:
> (yes, I really mean to close it this time)
>
> This is not a bug, this is the expected behavior.

It might be in your opinion, but it's still not in mine.

> When a user logs in to a system, a group list is created for the user
> which contains the list of all groups the user belongs to. The only way
> you can get such a list is to query all sources of group information for
> groups. When openldap starts, it calls the initgroups() function, which
> creates such a list. Openldap does this to ensure the user it changes to
> is in all the correct groups, so it can access all the files that you
> might think it should have access to.

I know that. But still there should be a way to abort the chain if needed.

> Similarly, finger by default matches the arguments you give it with both
> the username and gecos name of the user, and returns finger information
> for all matches. Again, the only way it could do this is to walk through
> the entire list of all users, which requires accessing all data sources.
> You can tell finger to match only the exact username with the -m flag, in
> which case it will only consult the files database if the user is in there.
>
> Incidentally, success=return is the default behavior, you don't need to
> specify it.

I know that. But shouldn't the default behavior for groups be success=continue? This would give the 'expected behavior' for the default case, and there would still be the possibility to abort the chain with a success=return if you want.

> To get around this, you can either:
> 1) run openldap as the root user, in which case it won't initgroups().

This has some security implications.

> 2) edit openldap source and comment out the section doing initgroups().

Not very user-friendly. Not all FreeBSD users know how to do this.

> 3) change the timeout value in your nss_ldap config to a more appropriate
> value (bind_timeout might do the trick)

Doesn't fix the problem (tried it first).

> 4) don't run the ldap server on a machine that requires ldap.

Having to run a separate machine just for ldap isn't very effective.

But there is a 5th that fixes this problem without negative points. Setting bind_policy to soft in nss_ldap.conf fixes this problem for ldap, but there might still be nss modules that don't have this workaround.

Bye
Estartu

-- 
----------------------------------------------------------------------------
Gerhard Schmidt        | Nick : estartu         IRC : Estartu   |
Fischbachweg 3         |                                        | PGP Public Key
86856 Hiltenfingen     | EMail: estartu@augusta.de              |   on request
Germany                |                                        |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iQCVAwUBRk1oLQzx22nOTJQRAQItYAQAisPLl2dUuwwa9NS92fjqmG5s0dELyJn6
/Ylwd3/9yUKdzELxDijeavUGFICW3iIirp7uPowhpOzMPD1Upiiq3Tnlldu+nYXL
/6Tpe3wRbuDj9CdK0gpvjy5Q/tZa9nqfqYo8Hae9EqRi8fcGeYJU68GS5y6u7Axn
B/tX6kf2QPU=
=pyuD
-----END PGP SIGNATURE-----
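The disagreement above turns on how nsswitch.conf [status=action] criteria are applied. The following is an added example, not code from the PR, from FreeBSD's libc, or from either poster: a small Python model that parses a nsswitch.conf line and contrasts a single-key lookup (getgrnam-style), which stops as soon as a status maps to "return", with an initgroups-style enumeration that, as Jonathan Chen describes, must union every source's answer and so never ends the walk early. The user names, group names and the files/ldap sources are constructed sample data; the "ldap down" branch returning unavail stands in for what bind_policy soft buys you (a prompt failure instead of a hang). Only the plain status=action form is modelled.

```python
"""Toy model of nsswitch.conf action processing (added example, not FreeBSD's
nsdispatch(3) implementation).  Parses lines such as

    group: files [success=continue] ldap

and shows why a single-key lookup honours success=return while an
initgroups-style group-list enumeration still visits every source.
"""

import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# nsswitch.conf defaults: only a success stops the chain.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch_line(line):
    """Return (database, [(source, {status: action}), ...]) for one config line."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' after database name")
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not chain:
                raise ValueError("criteria must follow a source name")
            for crit in tok[1:-1].split():
                status, _, action = crit.lower().partition("=")
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError("bad criterion %r" % crit)
                chain[-1][1][status] = action
        else:
            chain.append((tok.lower(), dict(DEFAULT_ACTIONS)))
    return db.strip().lower(), chain


def make_sources(ldap_up=True):
    """Constructed sample data: what each NSS source knows about user 'alice'."""
    files_db = {"alice": ["wheel"]}
    ldap_db = {"alice": ["ldapadmins"]}

    def files(user):
        return ("success", files_db[user]) if user in files_db else ("notfound", None)

    def ldap(user):
        # An unreachable server that reports unavail promptly (the behaviour
        # bind_policy soft is meant to give) rather than retrying forever.
        if not ldap_up:
            return ("unavail", None)
        return ("success", ldap_db[user]) if user in ldap_db else ("notfound", None)

    return {"files": files, "ldap": ldap}


def lookup_one(chain, sources, user):
    """Single-key lookup: walk the chain, stop when the status's action is 'return'.

    Returns (value, sources_consulted).  In this model a later success
    replaces an earlier one when the chain continues."""
    value, consulted = None, []
    for source, actions in chain:
        consulted.append(source)
        status, answer = sources[source](user)
        if status == "success":
            value = answer
        if actions[status] == "return":
            break
    return value, consulted


def group_list(chain, sources, user):
    """initgroups-style enumeration as described in the reply: the group list
    is the union over every source, so the criteria never end the walk early."""
    groups, consulted = [], []
    for source, _actions in chain:
        consulted.append(source)
        status, answer = sources[source](user)
        if status == "success":
            groups.extend(g for g in answer if g not in groups)
    return groups, consulted


if __name__ == "__main__":
    _, default_chain = parse_nsswitch_line("group: files ldap")
    _, continue_chain = parse_nsswitch_line("group: files [success=continue] ldap")
    print("lookup, default actions:", lookup_one(default_chain, make_sources(), "alice"))
    print("lookup, success=continue:", lookup_one(continue_chain, make_sources(), "alice"))
    print("group list, ldap down:", group_list(default_chain, make_sources(ldap_up=False), "alice"))
```

The model makes the two sides of the thread concrete: with the default chain, `lookup_one` for a user present in files never touches ldap, whereas `group_list` consults ldap regardless of any success=return, which is why an unreachable LDAP server stalls initgroups() unless the ldap source itself fails fast.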
