
Re: Excluding users from all lookups?


On Wednesday 30 November 2011 22:33:11 Arthur de Jong wrote:
> On Mon, 2011-11-28 at 16:37 +0100, Machiel van Veen wrote:
> > There is a way to exclude users from group membership lookups,
> > nss_initgroups_ignoreusers. However this does not exclude these users
> > from group membership lookups at login. The logon process for local users
> > fails whenever the ldap server names cannot be resolved.
> >
> > Is there a different way to exclude users from all lookups or has this
> > feature not been implemented?
> 
> The nss_initgroups_ignoreusers option is indeed only meant to prevent
> possibly expensive group membership lookups. There is also a nss_min_uid
> which can be used to only do lookups for uids higher than a certain
> number.
> 
> It is a common configuration to only put normal users in LDAP and
> exclude local system accounts (uid < 1000). For the PAM module there is
> a minimum_uid option to prevent it from contacting nslcd for these uids
> (the nss_min_uid does contact nslcd but doesn't cause LDAP lookups for
> numeric user id lookups).
> 
> The nss_initgroups_ignoreusers option is meant to still allow local user
> logins for system accounts so if that isn't working, perhaps there is a
> bug or a configuration problem. Can you provide debugging output from
> nslcd when such a failed login occurs?
> 
> Thanks,
> 

I've tested with debugging on; when the network connection is disconnected
there is no output: the startup is listed and that's all.

nslcd: DEBUG: add_uri(ldap://ldap-a.example.com/)
nslcd: DEBUG: add_uri(ldap://ldap-b.example/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: accepting connections

I found this to be expected: when I disable the nslcd daemon the issue still
occurs. When running tcpdump while doing the login, it shows an
attempt to resolve the first ldap server name. This does not time out before the
logon does, so it fails. If I set the resolver timeout to 3
seconds I can login.

I would expect there to be no attempts by the NSS part to resolve the ldap 
server names when logging on as root. When the ldap server name can be 
resolved there are no ldap lookups, so this seems to work as you describe.  I 
have been doing my tests on CentOS 6 with nss-pam-ldapd-0.7.5-3.

Greetings, Machiel.
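The thread's defensive point is that local system accounts should never depend on LDAP (or on resolving the LDAP server names) to log in. The following audit script is an added example, not code from the thread or from nss-pam-ldapd itself; it checks for the three settings discussed above (nss_min_uid and nss_initgroups_ignoreusers in nslcd.conf, minimum_uid on pam_ldap.so lines) and assumes CentOS-style paths, with constructed sample files standing in for the real ones.

```shell
#!/bin/sh
# Audit nss-pam-ldapd for settings that keep local system accounts (uid < 1000)
# from depending on LDAP: nss_min_uid and nss_initgroups_ignoreusers in
# nslcd.conf, and minimum_uid on every pam_ldap.so line in the PAM stack.
# Each check prints one line per finding and returns the number of findings.
set -u

check_nslcd_conf() {          # usage: check_nslcd_conf /etc/nslcd.conf
  f=$1; n=0
  # nss_min_uid stops NSS passwd/group lookups via nslcd for uids below it
  if ! grep -Eq '^[[:space:]]*nss_min_uid[[:space:]]+[0-9]+' "$f"; then
    echo "$f: nss_min_uid not set"; n=$((n + 1))
  fi
  # root must be listed so its group membership is never fetched from LDAP
  if ! grep -Eq '^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]+([^ ]*,)?root(,|[[:space:]]*$)' "$f"; then
    echo "$f: root missing from nss_initgroups_ignoreusers"; n=$((n + 1))
  fi
  return "$n"
}

check_pam_stack() {           # usage: check_pam_stack /etc/pam.d/system-auth
  f=$1; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      \#*|'') continue ;;
      *pam_ldap.so*minimum_uid=[0-9]*) ;;   # guarded: module skips low uids
      *pam_ldap.so*)
        echo "$f: pam_ldap.so without minimum_uid: $line"; n=$((n + 1)) ;;
    esac
  done < "$f"
  return "$n"
}

# Constructed sample files (not from the thread) to exercise the checks.
audit_sample() {
  d=$(mktemp -d) || return 99
  printf 'uri ldap://ldap.example.invalid/\nnss_initgroups_ignoreusers root,bin,daemon\n' > "$d/nslcd.conf"
  printf '#%%PAM-1.0\nauth sufficient pam_unix.so\nauth sufficient pam_ldap.so use_first_pass\naccount [default=bad success=ok user_unknown=ignore] pam_ldap.so minimum_uid=1000\n' > "$d/system-auth"
  total=0
  check_nslcd_conf "$d/nslcd.conf" || total=$((total + $?))
  check_pam_stack "$d/system-auth" || total=$((total + $?))
  rm -rf "$d"
  return "$total"   # 2 findings: nss_min_uid missing, one unguarded pam_ldap.so line
}

rc=0; audit_sample || rc=$?
echo "findings: $rc"
```

Run the two check functions against the real /etc/nslcd.conf and PAM stack files; a non-zero return is the number of settings to fix before testing a root login with the LDAP servers unreachable.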