
Re: Using nss-pam-ldapd in a large environment: Equivalent to 'nss_getgrent_skipmembers yes' to avoid unnecessary lookup flood


On Fri, 2015-04-17 at 15:44 +0200, Thomas Orgis wrote:
> we have a rather large LDAP setup with >60000 accounts. This has
> traditionally mandated the use of
> nss_getgrent_skipmembers yes
> in ldap.conf to have p.ex.
> shell$ id $USER
> not put out an excessive amount of LDAP queries while checking all the
> group members. This basically disables listing of members of a group,
> while lookups of the kind "Is $USER in $GROUP?" and "In which groups
> is $USER?" still work.

Thanks for the detailed use case. It really makes understanding the
situation and thinking about a proper solution easier.

The patch you referenced for nss_getgrent_skipmembers seems to suggest
that the only thing that was changed was not requesting the group
membership attributes. This can be accomplished in nslcd.conf with:

  map group memberUid nonexistent
  map group member ""

but this will also break the group by user lookup. If you just specify
the second line (assuming you don't use the member attribute) it may
already offer the performance benefit that you need.

Implementing nss_getgrent_skipmembers should not be that difficult.
Hacking it in for testing should be just commenting out these lines in

  attmap_add_attributes(set, attmap_group_memberUid);
  attmap_add_attributes(set, attmap_group_member);

However, having an inconsistency between "which members does this group
have?" and "which groups have this user as member?" (these are the two
basic types of queries) may confuse some applications. I know nscd gets
easily confused about these kinds of things and OpenSSH is really picky
about user and group existence.

Something that may reduce the number of queries in any case is disabling
nss_nested_groups (it should be disabled by default) and seeing whether
the LDAP server supports the deref control (assuming you are using a 0.9
version of nss-pam-ldapd). This control allows nslcd to do only one query
to the LDAP server to expand the member attribute to users with group
lookups.

Kind regards,

-- arthur
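The trade-offs Arthur describes above (per-member lookups versus the deref control, the `map group member ""` workaround, and the inconsistency that a getgrent-only skipmembers hack creates between the two lookup types) as a small added model, not nss-pam-ldapd code. The directory contents, the `Directory`/`Nslcd` classes and the query-cost model (one extra search per member DN without deref, one search with it) are constructed assumptions for illustration; real nslcd caches DN-to-uid results and behaves differently in detail.

```python
# Added example: a toy model of nslcd's two group lookups (not nss-pam-ldapd
# code). Directory content and the query-cost model are constructed assumptions.
from dataclasses import dataclass, field

# Constructed directory: three users, two groups. 'member' holds DNs,
# 'memberUid' holds plain login names (RFC 2307 style).
USERS = {
    "uid=alice,ou=people,dc=example,dc=org": "alice",
    "uid=bob,ou=people,dc=example,dc=org": "bob",
    "uid=carol,ou=people,dc=example,dc=org": "carol",
}
GROUPS = [
    {"cn": "staff", "gidNumber": 1000,
     "member": list(USERS), "memberUid": ["alice", "bob", "carol"]},
    {"cn": "admins", "gidNumber": 1001,
     "member": ["uid=alice,ou=people,dc=example,dc=org"], "memberUid": ["alice"]},
]


class Directory:
    """Counts LDAP searches so the 'lookup flood' can be measured."""
    def __init__(self):
        self.queries = 0

    def search(self, match):
        self.queries += 1
        return [g for g in GROUPS if match(g)]

    def dn_to_uid(self, dn):
        # Assumption: without the deref control every member DN costs one search.
        self.queries += 1
        return USERS.get(dn)

    def deref_members(self, dns):
        # Assumption: with the deref control all member uids come back in one search.
        self.queries += 1
        return [USERS[dn] for dn in dns if dn in USERS]


@dataclass
class Nslcd:
    ldap: Directory
    # Mirrors "map group member <attr>" / "map group memberUid <attr>": "" means
    # do not request the attribute, "nonexistent" maps it to one the entries lack.
    attmap: dict = field(default_factory=lambda: {"member": "member", "memberUid": "memberUid"})
    deref: bool = False
    skip_members: bool = False  # the skipmembers hack: drop members from group entries only

    def getgrnam(self, name):
        """'Which members does this group have?' Returns (members, queries used)."""
        start = self.ldap.queries
        entries = self.ldap.search(lambda g: g["cn"] == name)
        members = set()
        if entries and not self.skip_members:
            g = entries[0]
            members.update(g.get(self.attmap["memberUid"], []))
            dns = g.get(self.attmap["member"], []) if self.attmap["member"] else []
            if dns:
                if self.deref:
                    members.update(self.ldap.deref_members(dns))
                else:
                    members.update(u for u in map(self.ldap.dn_to_uid, dns) if u)
        return members, self.ldap.queries - start

    def getgrouplist(self, uid):
        """'Which groups have this user as member?' Searches on the mapped attributes."""
        dn = next((d for d, u in USERS.items() if u == uid), None)
        uid_attr, dn_attr = self.attmap["memberUid"], self.attmap["member"]
        found = self.ldap.search(
            lambda g: uid in g.get(uid_attr, []) or (dn_attr and dn in g.get(dn_attr, [])))
        return {g["cn"] for g in found}


def check_consistency(nslcd, uid):
    """Groups where the two lookup types disagree about uid's membership."""
    by_user = nslcd.getgrouplist(uid)
    by_group = {g["cn"] for g in GROUPS if uid in nslcd.getgrnam(g["cn"])[0]}
    return sorted(by_user ^ by_group)


def scenarios():
    r = {}
    r["default"] = Nslcd(Directory()).getgrnam("staff")          # one search per member DN
    r["deref"] = Nslcd(Directory(), deref=True).getgrnam("staff")  # one search for all members
    n = Nslcd(Directory(), attmap={"member": "", "memberUid": "memberUid"})  # map group member ""
    r["member_unmapped"] = (n.getgrnam("staff"), n.getgrouplist("alice"), check_consistency(n, "alice"))
    n = Nslcd(Directory(), attmap={"member": "", "memberUid": "nonexistent"})  # both lines
    r["both_unmapped"] = (n.getgrnam("staff"), n.getgrouplist("alice"))
    n = Nslcd(Directory(), skip_members=True)  # getgrent-only hack: views disagree
    r["skipmembers"] = (n.getgrnam("staff"), n.getgrouplist("alice"), check_consistency(n, "alice"))
    return r


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The `check_consistency` helper is the check worth keeping: run the real equivalent (`id -Gn $USER` against `getent group` for each of those groups) after any attribute-mapping change, since a group that lists no members while `id` still reports the user in it is exactly the mismatch that trips up nscd and OpenSSH.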