lists.arthurdejong.org

Re: nss_initgroups_ignoreuser not working as expected. Are my expectations incorrect?





I’ve spent the majority of my day looking into this and I am stumped.  

I’ve found that I have some servers which are acting as expected in that if you log in as a local user there is no traffic sent to the LDAP servers. And then I have other servers that are acting as described below. All are CentOS 6.8 running the same version of all packages.

I took all the relevant config files (/etc/nslcd.conf, /etc/pam.d/*, /etc/pam_ldap.conf, /etc/sysconfig/*) from a server that is working as expected and copied them over to one of the servers having issues and it didn’t change anything. I must be missing something here.

I did notice that the id command works as expected even on the servers that aren’t cooperating.  If you run id on a local user it doesn’t generate any traffic to the LDAP server and if you query an LDAP user then you see traffic.  The main issue seems to be logging in.

Has anyone else run into this?

Thanks,
Dan

From: Dan Finn
Date: Tuesday, October 11, 2016 at 10:52 AM
To: "nss-pam-ldapd-users [at] lists.arthurdejong.org"
Subject: nss_initgroups_ignoreuser not working as expected. Are my expectations incorrect?

CentOS 6.8 running nss-pam-ldapd-0.7.5-32.el6.x86_64

While working on troubleshooting an LDAP auth issue on one of our servers I noticed that the server was making calls to LDAP for local users.  I have this in my nslcd.conf file:

nss_initgroups_ignoreusers ALLLOCAL

I was under the impression that this means that for any local users, there should not be any communication needed to the LDAP server? Is that not correct? I tried changing ALLLOCAL to the specific local user that I’m testing with and it didn’t change anything; the query to the LDAP server was still made. I’ve come across many other posts online asking this same thing but none seem to have any answers.

Any help would be much appreciated.

Thanks,
Dan

Dan Finn
Systems Engineer - Linux/MySQL
PlanSource  – One Source. Many Benefits.

Cell: 530-386-2618
Work: 801-869-2844
What I Stand For: Engineering Solutions

This email may contain confidential or protected material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/