RSS feed

Re: --disable-nslcd, nssov, and local user lookups

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: --disable-nslcd, nssov, and local user lookups

On Wed, 2012-06-13 at 07:20 -0400, Ryan Steele wrote:
> > Btw, out of curiosity, why are you building custom Debian packages?
> The nssov docs
> (
>  make a reference to building nss-pam-ldapd without nslcd since it's not 
> needed.  I didn't want to run the risk of using the packages that leave it in 
> and then not use it, potentially introducing some sort of dependency on a 
> running nslcd that would never be satisfied.

You could just install the libnss-ldapd and libpam-ldapd packages and
either not install nslcd (perhaps use equivs to handle the dependencies)
or install it but disable it by putting "exit 0" in /etc/default/nslcd.
That way you will still get automatic updates of the packages. 

The --disable-nslcd option doesn't change anything in the NSS and PAM
modules. It only causes the nslcd binary not to be built (you don't need
development headers of OpenLDAP, etc. installed to compile it).

> I did have one other question: since I won't be using nslcd, are the
> libnss-ldapd options that would have been set in /etc/nslcd.conf now
> configured via the nssov overlay instead of /etc/nslcd.conf, provided
> the options are available (I know that some are not, e.g. the
> nss_initgroups_ignoreusers option)?

I don't have much first-hand experience with nssov but nslcd.conf only
affects how nslcd works so anything you configured there before should
be configured in nssov. The NSS modules doesn't have any configuration
and the PAM module is only configured through the command line (see the
pam_ldap(8) manual page for details).

I think that if you using caching or replication together with nssov you
shouldn't need nss_initgroups_ignoreusers because the slowdown during
boot you could have with nss_ldap don't happen if nslcd or nssov aren't
running. If nslcd is only started after networking or nssov always has
cached data available it should also be pretty fast.

-- arthur - - --
To unsubscribe send an email to or see