Re: min-uid

Arthur de Jong schreef op 11-2-2014 23:16:
> On Sat, 2014-02-08 at 23:04 +0100, Egbert wrote:
>> Why do I see incoming connections to the ldap server (hcc-ldap-lb1)
>> from a client (172.31.1.1) for low uid numbers? I've set the value to
>> 300 but I see attempts to do lookups for low uids like nslcd
>> (106:116)? These users are not to be found in ldap; they are only in
>> the /etc/passwd|shadow|group files on the client. Nowhere else.
>>
>> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH base="ou=users,dc=hcc,dc=nl" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=nslcd))"
>> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH attr=uid uidNumber
>> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH base="ou=groups,dc=hcc,dc=nl" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=nslcd))"
>> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH attr=memberUid cn gidNumber member
>> Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
>
> The above log snippet shows a search for a user nslcd by name and a
> search operation to find the groups the nslcd user is a member of. The
> first search operation is used to build the second search.
>
> This search is in itself a bit weird (unless manually triggered) because
> nslcd is not supposed to use its own module to do name lookups but
> perhaps it can be explained when nscd is involved.
>
> Anyway, neither of these searches is by numeric uid so cannot really be
> avoided (we only know that nslcd has a low numeric uid after we've done
> the lookup). This specific search (group by member) can be avoided if
> you really want to with the nss_initgroups_ignoreusers option.
>
> Hope this helps,
Thanks for the explanation. It gives me slightly more insight into what is
going on. Indeed nscd is active. How it all relates is still a mystery
to me. I know a little about ldap but PAM and friends are a different
story... The traffic I see was not expected by me (I've seen connections
for system users not even in ldap) and it makes me think that I have a
misconfiguration somewhere. But where...

Egbert Jan

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
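As an added example (not code from the thread or from nss-pam-ldapd), the script below parses slapd SRCH / SEARCH RESULT lines like the ones quoted above, pairs each search with its result by conn/op, and flags name-based lookups for accounts that exist only in the client's /etc/passwd below the configured nss_min_uid; that shows why a uid threshold cannot stop these lookups (the filter carries the name, not the number) and which names are candidates for nss_initgroups_ignoreusers. The sample log and passwd contents are constructed from the thread; every uid except nslcd's 106 is assumed.

```python
import re

# Constructed sample: the slapd SRCH/RESULT lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH base="ou=users,dc=hcc,dc=nl" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=nslcd))"
Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH base="ou=groups,dc=hcc,dc=nl" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=nslcd))"
Feb  8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""
# Constructed sample of the client's /etc/passwd (only nslcd's 106:116 comes from the thread).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nslcd:x:106:116::/var/run/nslcd/:/bin/false
egbert:x:1000:1000::/home/egbert:/bin/bash
"""
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]+)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
NAME_RE = re.compile(r'\((uid|memberUid)=([^)*]+)\)')

def local_accounts(passwd_text, min_uid):
    """Map name -> uid for local accounts below nss_min_uid, i.e. ones LDAP should never serve."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and int(fields[2]) < min_uid:
            accounts[fields[0]] = int(fields[2])
    return accounts

def find_local_lookups(log_text, local):
    """Pair each name-based SRCH with its SEARCH RESULT (same conn/op) and return
    (attribute, name, local uid, nentries) for every search that names a local account."""
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            nm = NAME_RE.search(m.group(3))
            if nm and nm.group(2) in local:
                pending[(m.group(1), m.group(2))] = (nm.group(1), nm.group(2))
            continue
        r = RESULT_RE.search(line)
        if r and (r.group(1), r.group(2)) in pending:
            attr, name = pending.pop((r.group(1), r.group(2)))
            hits.append((attr, name, local[name], int(r.group(3))))
    return hits

def ignoreusers_candidates(hits):
    """Local names whose group-membership (memberUid) search reached LDAP and found nothing."""
    return sorted({name for attr, name, _, n in hits if attr == "memberUid" and n == 0})
```

On a real system, feed `find_local_lookups` the slapd log text and `local_accounts(open("/etc/passwd").read(), 300)` from the client; every hit is a lookup that nss_min_uid could not filter, and `ignoreusers_candidates` lists the names to consider for nss_initgroups_ignoreusers.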