Re: min-uid
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: min-uid
- From: Egbert <egbert [at] vandenbussche.nl>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Reply-to: egbert [at] vandenbussche.nl
- Subject: Re: min-uid
- Date: Wed, 12 Feb 2014 15:01:36 +0100
Arthur de Jong schreef op 11-2-2014 23:16:
> On Sat, 2014-02-08 at 23:04 +0100, Egbert wrote:
>> Why do I see incoming connections to the ldap server (hcc-ldap-lb1)
>> from a client (172.31.1.1) for low uid numbers? I've set te value to
>> 300 but I see attempts to do lookups for low uid's like nslcd
>> (106:116)? These users are not to be found in ldap; they are only in
>> the /etc/passwd|shadow|group files on the client. Nowhere else.
>>
>> Feb 8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH
base="ou=users,dc=hcc,dc=nl" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=nslcd))"
>> Feb 8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SRCH
attr=uid uidNumber
>> Feb 8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=2 SEARCH
RESULT tag=101 err=0 nentries=0 text=
>> Feb 8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH
base="ou=groups,dc=hcc,dc=nl" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=nslcd))"
>> Feb 8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SRCH
attr=memberUid cn gidNumber member
>> Feb 8 22:02:57 hcc-ldap-lb1 slapd[13588]: conn=1767 op=3 SEARCH
RESULT tag=101 err=0 nentries=0 text=
>
> The above log snippet shows a search for a user nslcd by name and a
> search operation to find the groups the nslcd user is a member of. The
> first search operation is used to build the second search.
>
> This search in itself a bit weird (unless manually triggered) because
> nslcd is not supposed to use it's own module to do name lookups but
> perhaps it can be explained when nscd is involved.
>
> Anyway, neither of these searches are by numeric uid so cannot be really
> avoided (we only know that nslcd has a low numeric uid after we've done
> the lookup). This specific search (group by member) can be avoided if
> you really want to with the nss_initgroups_ignoreusers option.
>
> Hope this helps,
Thanks for the explanation. It gives me slightly more insight in what is
going on. Indeed nscd is active. How it all relates is still a mystery
to me. I know a little about ldap but PAM and friends are a different
story... The traffic I see was not expected by me (I've seenconnections
for system users not even in ldap) and it makes me think that I have a
misconfiguration somewhere. But where...
Egbert Jan
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/