RSS feed

Re: Excluding users from all lookups?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Excluding users from all lookups?

On Mon, 2011-11-28 at 16:37 +0100, Machiel van Veen wrote:
> There is a way to exclude users from group membership lookups, 
> nss_initgroups_ignoreusers. However this does not exclude these users from 
> group membership lookups at login. The logon proces for local users fails 
> whenever the ldap server names cannot be resolved. 
> Is there a different way to exclude users from all lookups or has this 
> feature 
> not been implemented?

The nss_initgroups_ignoreusers option is indeed only meant to prevent
possibly expensive group membership lookups. There is also a nss_min_uid
which can be used to only do lookups for uids higher than a certain

It is a common configuration to only put normal users in LDAP and
exclude local system accounts (uid < 1000). For the PAM module there is
a minimum_uid option to prevent if from contacting nslcd for these uids
(the nss_min_uid does contact nslcd but doesn't cause LDAP lookups for
numeric user id lookups).

The nss_initgroups_ignoreusers option is meant to still allow local user
logins for system accounts so if that isn't working, perhaps there is a
bug or a confuguration problem. Can you provide debugging output from
nslcd when such a failed login occurs?


-- arthur - - --
To unsubscribe send an email to or see