Re: nss_initgroups_ignoreusers

On Thu, 2014-07-24 at 10:38 +1000, Trent W. Buck wrote:
> Arthur de Jong wrote:
> > Limiting these lookups can be done with the
> > nss_initgroups_ignoreusers and nss_min_uid options in
> > nslcd.conf and minimum_uid pam_ldap option.
> How important is it to add such a line?
> I haven't until now, but maybe it'd make my boots a little faster or
> something.

I personally always use minimum_uid in pam_ldap (and I've made it the
default in Debian) mostly to avoid some issues with logging in as root
when the network is unavailable and to clearly separate user accounts
(generally uid >= 1000) from system accounts (generally uid < 1000).

> PADL had some hook that updated its ldap.conf automatically with local
> groups, but it looks like I can just do a static
> "nss_initgroups_ignoreusers ALLLOCAL", which is nice.

Yes, nslcd avoids most of the issues for which
nss_initgroups_ignoreusers is needed (mostly slowdown during boot
because nslcd can be started at the right time during the boot process)
but due to its design it is also easy to list all local users.

In general, I would only really recommend the min_uid and ignoreusers
options if you are regularly having issues with contacting the LDAP
server. In that case tuning the timeout parameters is probably also a
good idea.

If your issue is boot time, you should probably review the point in the
boot process where nslcd is started. It should be started after it can
connect to the LDAP server (mostly when the network is available) and
before any services that need it (e.g. login manager, apache, mail
server, etc.).

-- arthur - - --
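
Added example, not part of the original message and not code from nss-pam-ldapd: a small audit that reads nslcd.conf text and a passwd file and lists the local system accounts (uid < 1000, the split mentioned above) whose group-membership lookups are not excluded by nss_initgroups_ignoreusers. The sample configuration, the passwd entries and the function names are constructed for illustration, and the option matching is a simplified reading of nslcd.conf(5).

```python
# Added example: all sample data below is constructed, not taken from the thread.
def parse_nslcd(conf_text):
    """Collect the two nslcd.conf options discussed in the thread."""
    opts = {"nss_min_uid": None, "ignore": set(), "alllocal": False}
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        key, args = fields[0].lower(), fields[1:]
        if key == "nss_min_uid" and args:
            opts["nss_min_uid"] = int(args[0])
        elif key == "nss_initgroups_ignoreusers":
            # The option may be repeated; each value is a comma-separated list.
            for name in ",".join(args).split(","):
                if name.upper() == "ALLLOCAL":
                    opts["alllocal"] = True
                elif name:
                    opts["ignore"].add(name)
    return opts

def local_accounts(passwd_text):
    """Yield (name, uid) for each well-formed passwd(5) entry."""
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            yield parts[0], int(parts[2])

def audit(conf_text, passwd_text, system_uid_max=999):
    """Report system accounts whose initgroups lookups can still reach LDAP."""
    opts = parse_nslcd(conf_text)
    exposed = [] if opts["alllocal"] else sorted(
        name for name, uid in local_accounts(passwd_text)
        if uid <= system_uid_max and name not in opts["ignore"])
    return {"nss_min_uid": opts["nss_min_uid"], "initgroups_via_ldap": exposed}

SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
    "postfix:x:105:110::/var/spool/postfix:/usr/sbin/nologin\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n")
BASE = "# constructed sample\nuri ldap://ldap.example.org/\nbase dc=example,dc=org\n"
PARTIAL = BASE + "nss_initgroups_ignoreusers root,postfix\nnss_min_uid 1000\n"
TUNED = BASE + "nss_initgroups_ignoreusers ALLLOCAL\nnss_min_uid 1000\n"

if __name__ == "__main__":
    for label, conf in (("base", BASE), ("partial", PARTIAL), ("tuned", TUNED)):
        print(label, audit(conf, SAMPLE_PASSWD))
```
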