Re: Excluding users from all lookups?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Excluding users from all lookups?
- Date: Wed, 30 Nov 2011 22:33:11 +0100
On Mon, 2011-11-28 at 16:37 +0100, Machiel van Veen wrote:
> There is a way to exclude users from group membership lookups,
> nss_initgroups_ignoreusers. However this does not exclude these users from
> group membership lookups at login. The logon process for local users fails
> whenever the ldap server names cannot be resolved.
>
> Is there a different way to exclude users from all lookups or has this
> feature not been implemented?
The nss_initgroups_ignoreusers option is indeed only meant to prevent
possibly expensive group membership lookups. There is also a nss_min_uid
which can be used to only do lookups for uids higher than a certain
number.

It is a common configuration to only put normal users in LDAP and
exclude local system accounts (uid < 1000). For the PAM module there is
a minimum_uid option to prevent it from contacting nslcd for these uids
(the nss_min_uid does contact nslcd but doesn't cause LDAP lookups for
numeric user id lookups).

The nss_initgroups_ignoreusers option is meant to still allow local user
logins for system accounts so if that isn't working, perhaps there is a
bug or a configuration problem. Can you provide debugging output from
nslcd when such a failed login occurs?
Thanks,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
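The reply above points at two nslcd.conf settings, nss_min_uid and nss_initgroups_ignoreusers, that together keep local system accounts from depending on the LDAP server (the PAM side has its own minimum_uid option on pam_ldap.so). A practical check is whether every local account below the nss_min_uid threshold is also listed in nss_initgroups_ignoreusers, since an account that is not will still trigger a group-membership lookup at login. The following script is an added example written for this page, not code from nss-pam-ldapd or from the list; it constructs a sample nslcd.conf and passwd file in /tmp so it runs offline, and the file paths, the sample accounts and the ldap.example.com URI are assumptions.

```shell
#!/bin/sh
# Added example: check that local accounts below nss_min_uid are also
# covered by nss_initgroups_ignoreusers in nslcd.conf.
# Sample files are constructed here so the script runs offline; on a real
# host set NSLCD_CONF=/etc/nslcd.conf and PASSWD_FILE=/etc/passwd instead
# (those are assumptions about your layout, not values from the page).

NSLCD_CONF="${NSLCD_CONF:-/tmp/nslcd.conf.sample}"
PASSWD_FILE="${PASSWD_FILE:-/tmp/passwd.sample}"

# Constructed nslcd.conf fragment: LDAP only for uids >= 1000, and group
# lookups skipped for a few named system accounts.
cat >"$NSLCD_CONF" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_min_uid 1000
nss_initgroups_ignoreusers root,daemon,bin,sys
EOF

# Constructed passwd file: "backup" is a system account that was not added
# to the ignore list, which is the misconfiguration the check should find.
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Print the nss_min_uid value from nslcd.conf (0 if the option is unset,
# meaning nslcd would be asked about every uid).
min_uid() {
    awk '$1 == "nss_min_uid" { v = $2 } END { print (v == "" ? 0 : v) }' "$NSLCD_CONF"
}

# Print local accounts whose uid is below nss_min_uid but that are not
# listed in nss_initgroups_ignoreusers; their logins still cause group
# membership lookups against LDAP.
unignored_local_users() {
    ignore=$(awk '$1 == "nss_initgroups_ignoreusers" { print $2 }' "$NSLCD_CONF")
    threshold=$(min_uid)
    awk -F: -v thr="$threshold" -v ign=",$ignore," '
        $3 < thr && index(ign, "," $1 ",") == 0 { print $1 }' "$PASSWD_FILE"
}

# Report any account that should be added to nss_initgroups_ignoreusers.
unignored_local_users
```

With the constructed input the script prints `backup`, the one local system account below uid 1000 that is missing from the ignore list. Adding it to nss_initgroups_ignoreusers (and keeping `files` before `ldap` in /etc/nsswitch.conf) removes the last LDAP dependency from that account's login path; the PAM side is handled separately with minimum_uid on pam_ldap.so, which this script does not inspect.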
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/