Re: Using nss-pam-ldapd in a large environment, Part 2: Denial of Service due to open connections
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Using nss-pam-ldapd in a large environment, Part 2: Denial of Service due to open connections
- Date: Sun, 19 Jul 2015 18:28:57 +0200
Sorry for not responding sooner.
On Wed, 2015-07-08 at 01:16 +0200, Thomas Orgis wrote:
> > Looks doable for some configurations. It is not really usable in
> > general because some functions in nslcd check whether the
> > connecting user is root (probably don't run socat as root).
>
> What kind of operations need root? That would be nice to know.
There are currently only two places:
- shadow and passwd results will only include the password hash if the
caller is root and the userPassword is explicitly mapped
- the rootpwmodpw option is only used when the caller is root
> > Another option is to look into nssov. You should be able to combine
> > it with caching in slapd or use other replication mechanisms.
>
> Yes, I hoped to get away without replicating/caching the server. I'm
> duplicating enough infrastructure already with the HPC systems. After
> all, it has no trouble with the actual queries, which are rather
> intermittent (when computing jobs start/stop).
Apparently it is possible to tune slapd to be pretty lean and just do
caching.
> One issue on the side, I might have forgotten it and it is very, very
> late: Where is the equivalent to nss_initgroups_ignoreusers in nslcd?
> Somehow I would like to stop LDAP queries triggered to look up
> secondary groups of the root user. Actually, I would like to avoid
> any bothering nslcd for the root user (and other system accounts),
> but I don't see the option to do that selectively in nsswitch.conf.
nslcd.conf has a nss_initgroups_ignoreusers as well as nss_min_uid
which may be helpful in your situation.
Kind regards,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
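The two nslcd.conf options Arthur points to (nss_min_uid and nss_initgroups_ignoreusers) and the root-caller rule for password hashes are easy to get wrong when reasoning about which lookups actually leave the host. The following is an added illustration, not code from nslcd or from anyone on this thread: it parses a constructed nslcd.conf fragment and models the decisions described in the mail. The hostnames, base DN and user names are made up; the assumption that nss_min_uid short-circuits a by-uid request before any LDAP traffic, rather than only filtering results, is mine.

```python
"""Model of how nslcd.conf options keep local/system accounts away from LDAP.

Added illustration for the nss-pam-ldapd-users thread; NOT nslcd's own code.
All configuration text and sample requests below are constructed.
"""

# Constructed fragment of /etc/nslcd.conf (values are placeholders).
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap.example.org/
base dc=example,dc=org
# never return LDAP entries for low (system) uids
nss_min_uid 1000
# never issue secondary-group queries for these callers
nss_initgroups_ignoreusers root,daemon,nslcd,sshd
"""


def parse_nslcd_conf(text):
    """Extract the two options modelled here; every other key is ignored."""
    cfg = {"nss_min_uid": 0, "nss_initgroups_ignoreusers": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "nss_min_uid":
            cfg["nss_min_uid"] = int(value)
        elif key == "nss_initgroups_ignoreusers":
            cfg["nss_initgroups_ignoreusers"] = {
                u.strip() for u in value.split(",") if u.strip()
            }
    return cfg


def initgroups_goes_to_ldap(cfg, username):
    """Secondary-group (initgroups) lookup: skipped for ignored users."""
    return username not in cfg["nss_initgroups_ignoreusers"]


def uid_lookup_goes_to_ldap(cfg, uid):
    """getpwuid-style request: uids below nss_min_uid are ignored.

    Assumption (see lead-in): the check happens before the query is sent.
    """
    return uid >= cfg["nss_min_uid"]


def passwd_includes_hash(caller_uid, userpassword_mapped):
    """Per the mail: hash only for a root caller with userPassword mapped."""
    return caller_uid == 0 and userpassword_mapped


def dispatch(cfg, requests):
    """Return the subset of constructed requests that would reach LDAP.

    Each request is ("initgroups", username) or ("byuid", uid).
    """
    sent = []
    for kind, arg in requests:
        if kind == "initgroups" and initgroups_goes_to_ldap(cfg, arg):
            sent.append((kind, arg))
        elif kind == "byuid" and uid_lookup_goes_to_ldap(cfg, arg):
            sent.append((kind, arg))
    return sent


if __name__ == "__main__":
    cfg = parse_nslcd_conf(SAMPLE_NSLCD_CONF)
    # Constructed mix of system-account and HPC-user requests.
    sample = [("initgroups", "root"), ("initgroups", "sshd"),
              ("initgroups", "alice"), ("byuid", 0), ("byuid", 65534),
              ("byuid", 20001)]
    for req in dispatch(cfg, sample):
        print("would query LDAP:", req)
```

Only the "alice" initgroups request and the two uids above 1000 leave the host in this model; the root and sshd group lookups from the original question never trigger a connection, which is the selective behaviour that nsswitch.conf alone cannot express.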