RSS feed

Re: How can i filter specific users from querying ldap server?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: How can i filter specific users from querying ldap server?

Do you get that for 'getent passwd test1'?

What group is set for 'test1' in /etc/passwd?

id(1) will scan for all groups that a user is a member of. So if 'ldap' appears in /etc/nsswitch under 'group:', it will scan ldap for group membership. Either don't put 'ldap' under 'group:' in /etc/nsswitch.conf, or cache those requests.

On Wed, 22 Oct, 2014 at 8:04 , Mindaugas B <> wrote:
Ok, and if i created local user "test1"?
Now it exists in /etc/passwd
What configuration should tell not to execute lookup for nslcd:
nslcd: [8b4567] DEBUG: connection from pid=3379 uid=106 gid=65534
nslcd: [8b4567] <group/member="test1"> DEBUG: myldap_search(base="OU=Linux AD Integration,DC=new,DC=lv", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(sAMAccountName=test1))")

On Wed, Oct 22, 2014 at 2:17 AM, Trent W. Buck <> wrote:
Mindaugas B wrote:
> I have user named "test1" (uid=1001). I'm trying to configure NSS or nslcd > so that "id test1" and similar queries would not send requests to LDAP
> server at all.
> Is it possible?

Only if you duplicate the user in some other database (e.g. /etc/passwd). Perhaps you want unscd / nscd, so that LDAP lookups are cached for a while. IIRC when I deployed it I saw about a thousandfold reduction in traffic on the LDAP server.

To unsubscribe send an email to or see