
Re: min-uid

On Sat, 2014-02-08 at 23:04 +0100, Egbert wrote:
> Why do I see incoming connections to the ldap server (hcc-ldap-lb1)
> from a client (172.31.1.1) for low uid numbers? I've set the value to
> 300 but I see attempts to do lookups for low uids like nslcd
> (106:116)? These users are not to be found in ldap; they are only in
> the /etc/passwd|shadow|group files on the client. Nowhere else.
> 
> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH 
> base="ou=users,dc=hcc,dc=nl" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid=nslcd))"
> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH attr=uid 
> uidNumber
> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SEARCH RESULT 
> tag=101 err=0 nentries=0 text=
> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH 
> base="ou=groups,dc=hcc,dc=nl" scope=2 deref=0 
> filter="(&(objectClass=posixGroup)(memberUid=nslcd))"
> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH attr=memberUid 
> cn gidNumber member 
> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SEARCH RESULT 
> tag=101 err=0 nentries=0 text=

The above log snippet shows a search for a user nslcd by name and a
search operation to find the groups the nslcd user is a member of. The
first search operation is used to build the second search.

This search is in itself a bit weird (unless manually triggered) because
nslcd is not supposed to use its own module to do name lookups, but
perhaps it can be explained when nscd is involved.

Anyway, neither of these searches is by numeric uid, so they cannot really
be avoided (we only know that nslcd has a low numeric uid after we've done
the lookup). This specific search (group by member) can be avoided if
you really want to with the nss_initgroups_ignoreusers option.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
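The reasoning in the reply (a lookup by numeric uid can be filtered before contacting the server, a lookup by name cannot, and nss_initgroups_ignoreusers suppresses the memberUid search) can be modelled in a few lines. The following is an added example written for this page, not nslcd's own code: the LDAP "server" is a constructed in-memory dictionary, the directory contents and the ignore list are constructed sample data, and the option names only mirror the nslcd.conf keys discussed in the thread.

```python
# Added example: a model of when a name-service lookup reaches the LDAP
# server under a min_uid filter. Not nslcd's implementation; the directory
# content, the ignore list and the log format are constructed for the demo.

MIN_UID = 300  # the value the original poster set

# Constructed directory: one real LDAP user, no local system accounts such
# as nslcd (uid 106), which lives only in the client's /etc/passwd.
DIRECTORY_USERS = {"alice": {"uid": "alice", "uidNumber": 1001}}
DIRECTORY_GROUPS = [{"cn": "staff", "gidNumber": 2000, "memberUid": ["alice"]}]


def lookup_by_uid_number(server_log, uidnumber):
    """getpwuid(): the number is known up front, so min_uid is applied
    before any search is sent and the server sees nothing."""
    if uidnumber < MIN_UID:
        return None  # filtered locally; nothing appended to server_log
    server_log.append(
        f'SRCH filter="(&(objectClass=posixAccount)(uidNumber={uidnumber}))"')
    for entry in DIRECTORY_USERS.values():
        if entry["uidNumber"] == uidnumber:
            return entry
    return None


def lookup_by_name(server_log, name):
    """getpwnam(): the uid is unknown until the entry comes back, so the
    search always reaches the server (this is the SRCH uid=nslcd line in
    the slapd log); min_uid is applied to the result afterwards."""
    server_log.append(
        f'SRCH filter="(&(objectClass=posixAccount)(uid={name}))"')
    entry = DIRECTORY_USERS.get(name)
    if entry is None or entry["uidNumber"] < MIN_UID:
        return None  # nentries=0 or below min_uid: no result to the client
    return entry


def initgroups(server_log, name, ignoreusers=frozenset()):
    """The group-by-member search. Names listed in ignoreusers (modelling
    nss_initgroups_ignoreusers) never produce a memberUid search."""
    if name in ignoreusers:
        return []  # suppressed locally; nothing appended to server_log
    server_log.append(
        f'SRCH filter="(&(objectClass=posixGroup)(memberUid={name}))"')
    return [g["gidNumber"] for g in DIRECTORY_GROUPS if name in g["memberUid"]]


def simulate_nslcd_lookup(ignoreusers=frozenset()):
    """Reproduce the two searches from the log: resolve 'nslcd' by name,
    then fetch its groups. Returns the searches the server would log."""
    server_log = []
    lookup_by_name(server_log, "nslcd")
    initgroups(server_log, "nslcd", ignoreusers)
    return server_log


if __name__ == "__main__":
    print("without ignoreusers:", simulate_nslcd_lookup())
    print("with ignoreusers:   ", simulate_nslcd_lookup({"nslcd"}))
```

Running the block shows two server-side searches for the plain case (exactly the op=2 and op=3 lines in the quoted slapd log, with nentries=0 because the account is local) and only the name search once "nslcd" is in the ignore list; a by-number lookup for uid 106 never leaves the client at all.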