Re: Preventing NSS from querying LDAP for system users

On Fri, 2010-03-12 at 12:27 -0500, Ryan Steele wrote:
> I should preface this post by stating that I originally sent a similar
> line of questioning to Launchpad

No problem. I sometimes get the feeling no one looks after the stuff on
launchpad. :(

> I see that in version 0.3 and 0.5 respectively, support for the
> nss_initgroups/nss_initgroups_ignoreusers and bind_policy options were
> removed from libnss-ldapd.

This is correct. For bind_policy a simpler retry mechanism was put in
place using the bind_timelimit, timelimit, reconnect_sleeptime and
reconnect_maxsleeptime options.

The reason the nss_initgroups options were in the original nss_ldap was
mainly due to the complex searches needed to determine group membership
for users and the problems during booting. nss-pam-ldapd implements
simpler and faster searches for username to group membership lookups and
has simpler semantics during boot.

I think the nss_initgroups option is also ugly because for it to work
correctly you have to list all local users there.

> However, without those options, I'm not sure how to prevent NSS from
> querying LDAP for users which aren't in LDAP, which can cause a lot of
> trouble both when the LDAP server is available, by inundating it with
> requests for which it will issue only negative responses, and when the
> LDAP server is unavailable, where at best, you have brief
> interruptions while you wait for one of the various and sundry timeout
> option thresholds to be reached. The obvious result is that system
> users lose the ability to operate without being hindered by
> unsuccessful NSS lookups, which can drive the load up as processes
> stack up in wait time.

You cannot prevent NSS lookups from hitting LDAP with just the NSS module
(even with the nss_initgroups options). The simplest solution is to use nscd
for caching. You can combine this with lowering the timing options
mentioned before.

If you want a more reliable caching solution that should also work
completely off-line you can use the nssov slapd overlay to set up a copy
of your LDAP server on your workstation (using replication).

> Given that these options are no longer available to those of us who
> wish to use libnss-ldapd instead of libnss-ldap or nssov, what do the
> package authors/maintainers/other users suggest to circumvent or
> otherwise prevent lookups from being made for users who exist locally
> (root, daemon, www-data, et. al.)?

The problem here is that this is hard to do. There will always be
processes that request all users or groups in the system. One of these
occasions is when determining which groups a user is in (e.g. on login).
Since it is perfectly legal to have local users in LDAP groups and vice
versa, always excluding this is a bad idea.

Also if you want to test for that condition (for the username to groups
lookup) you first have to determine whether a user is a local user or an
LDAP user. This also requires a lookup.

Again, nscd will cache some lookups (simple username->uid and
groupname->gid lookups, etc) but not all (list all users or determine
the groups this user is a member of if I remember correctly).

> Given those two options, I would regrettably have to choose the
> former, because I would rather have my system services (webserver,
> root cronjobs, databases) available so that public-facing services
> like websites and databases aren't negatively affected if my LDAP
> servers become unavailable for some reason.  I hate having this
> ultimatum - has anybody else found an answer to this problem?

Again, if you want a very reliable system with NSS lookups error-free
even when the network is down, nssov is probably the best route. I have
also experimented with nss_db and nss-updatedb in the past (which is a
small improvement over nscd I believe) but I don't have up-to-date
experience with that.

Personally, I would use nscd and lower the values for bind_timelimit and
reconnect_maxsleeptime so that small outages are handled gracefully
(information from cache is served) and longer outages do not cause too
long delays in lookups (btw with version 0.7.0 the default timeout
values were lowered but they are still pretty high).

However, I would welcome a patch that adds an option to not perform
username to groups lookups for local users (this is not trivial though).

Anyway, thanks for raising this issue.

-- arthur - - --
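An added example of the setup Arthur recommends above (local files before LDAP in nsswitch.conf, the shorter nslcd retry timeouts that replaced bind_policy, and nscd caching in front of it); it is not from this thread or the nss-pam-ldapd project, and the server URI, base DN and all timeout/TTL values are illustrative assumptions:

```conf
# /etc/nsswitch.conf (excerpt): consult local files before LDAP so that
# root, daemon, www-data and other local accounts resolve without any
# network round-trip for the plain name->id lookups.
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/nslcd.conf (excerpt): the retry mechanism that replaced bind_policy.
# Placeholder server and base DN; the numbers are assumptions, not defaults.
uri  ldap://ldap.example.internal/
base dc=example,dc=internal
# Give up connecting after 3 s so an unreachable server fails fast.
bind_timelimit 3
# Abandon an individual search after 5 s.
timelimit 5
# Retry after 1 s, backing off to at most 10 s between attempts.
reconnect_sleeptime 1
reconnect_maxsleeptime 10

# /etc/nscd.conf (excerpt): serve simple lookups from cache so short
# outages are invisible and repeated misses (negative answers) for names
# that exist nowhere are not sent to the LDAP server again within the TTL.
enable-cache            passwd  yes
positive-time-to-live   passwd  600
negative-time-to-live   passwd  60
persistent              passwd  yes
check-files             passwd  yes
enable-cache            group   yes
positive-time-to-live   group   600
negative-time-to-live   group   60
persistent              group   yes
check-files             group   yes
```

As the message notes, nscd caches the simple name and id lookups but not enumeration of all users or the per-user group membership search, so those still depend on nslcd's timeouts when the server is down.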