lists.arthurdejong.org

Re: --disable-nslcd, nssov, and local user lookups


Arthur de Jong wrote:
> On Wed, 2012-06-13 at 07:20 -0400, Ryan Steele wrote:
>>> Btw, out of curiosity, why are you building custom Debian packages?
>> The nssov docs
>> (http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/nssov/README?rev=1.10&hideattic=1&sortbydate=0)
>> make a reference to building nss-pam-ldapd without nslcd since it's not
>> needed. I didn't want to run the risk of using the packages that leave it
>> in and then not use it, potentially introducing some sort of dependency on a
>> running nslcd that would never be satisfied.
> 
> You could just install the libnss-ldapd and libpam-ldapd packages and
> either not install nslcd (perhaps use equivs to handle the dependencies)
> or install it but disable it by putting "exit 0" in /etc/default/nslcd.
> That way you will still get automatic updates of the packages. 


The init script for nslcd on my systems (Ubuntu Lucid) doesn't use an 
/etc/default file, but if it won't cause a problem to do that, I will set one 
up.


> 
> The --disable-nslcd option doesn't change anything in the NSS and PAM
> modules. It only causes the nslcd binary not to be built (you don't need
> development headers of OpenLDAP, etc. installed to compile it).
> 
>> I did have one other question: since I won't be using nslcd, are the
>> libnss-ldapd options that would have been set in /etc/nslcd.conf now
>> configured via the nssov overlay instead of /etc/nslcd.conf, provided
>> the options are available (I know that some are not, e.g. the
>> nss_initgroups_ignoreusers option)?
> 
> I don't have much first-hand experience with nssov but nslcd.conf only
> affects how nslcd works so anything you configured there before should
> be configured in nssov. The NSS modules don't have any configuration
> and the PAM module is only configured through the command line (see the
> pam_ldap(8) manual page for details).
> 
> I think that if you use caching or replication together with nssov you
> shouldn't need nss_initgroups_ignoreusers because the slowdown during
> boot you could have with nss_ldap doesn't happen if nslcd or nssov aren't
> running. If nslcd is only started after networking or nssov always has
> cached data available it should also be pretty fast.
> 


It's not really for slowness at boot, it's for lookups of system users. The
PAM stack has some nice options that effectively allow you to say "ignore
pam_ldap.so when the UID/GID is above/below a certain number", but the NSS side
of things (nsswitch.conf) has no such option, so if the LDAP server is slow or
unavailable, you could end up with services (e.g., apache) becoming unresponsive
as they wait for a response for www-data's UID/GID from the LDAP data source.
That's where nss_initgroups_ignoreusers comes in so handy.

Right now, that's how we've set it up and it works like a charm.  I guess I 
will just have to test nssov and see how bad it is in the worst-case scenario.  
Thanks for your advice.

Cheers,
Ryan
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
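As an added example (not part of this thread or of nss-pam-ldapd itself), a small audit of the mitigation Ryan describes: given the contents of /etc/passwd and /etc/nslcd.conf, it lists the local system accounts that nss_initgroups_ignoreusers does not yet cover, i.e. the ones whose group lookups would still block on a slow or unreachable LDAP server. The sample file contents, the 999 UID boundary and the handling of the ALLLOCAL keyword (accepted by newer nslcd releases, not the Lucid-era one) are assumptions.

```python
"""Audit nss_initgroups_ignoreusers coverage against local system accounts."""
import re

# Constructed sample inputs (not real hosts or accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postfix:x:106:113::/var/spool/postfix:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
# keep local system accounts away from the LDAP initgroups lookup
nss_initgroups_ignoreusers root,www-data
"""


def local_users(passwd_text, max_uid=999):
    """Names of accounts in the passwd file at or below the system UID boundary."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) <= max_uid:
            users.append(fields[0])
    return users


def ignored_users(nslcd_conf):
    """Union of every nss_initgroups_ignoreusers value found in nslcd.conf."""
    ignored = set()
    for line in nslcd_conf.splitlines():
        m = re.match(r"\s*nss_initgroups_ignoreusers\s+(\S+)", line)
        if m:
            ignored.update(u.strip() for u in m.group(1).split(",") if u.strip())
    return ignored


def unprotected_system_users(passwd_text, nslcd_conf, max_uid=999):
    """System accounts whose initgroups lookups would still go to LDAP."""
    ignored = ignored_users(nslcd_conf)
    if "ALLLOCAL" in ignored:  # assumption: keyword meaning "every local user"
        return []
    return [u for u in local_users(passwd_text, max_uid) if u not in ignored]
```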