
Re: nss_initgroups_ignoreuser not working as expected. Are my expectations incorrect?





Here’s my nslcd.conf file if it’s relevant:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# disconnect after this amount of time (in seconds) of inactivity
idle_timelimit 180

# The location at which the LDAP server(s) should be reachable.
uri ldaps://ds-pdc.domain.local/
uri ldaps://ds-pdc01.domain.local/

# The search base that will be used for all queries.
base dc=domain,dc=local
#base ou=People,dc=domain,dc=local

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn CN=ldap,OU=Service Accounts,OU=IT,DC=domain,DC=local
Bindpw $SECRET$

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl on
tls_reqcert never

# The search scope.
#scope sub

nss_initgroups_ignoreusers ALLLOCAL

filter passwd (&(&(objectClass=person)(uidNumber=*)))
#filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map    passwd loginShell       "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*)))
#filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
#map    group  gid              member



From: Dan Finn
Date: Tuesday, October 11, 2016 at 4:35 PM
To: Dan Finn, "nss-pam-ldapd-users [at] lists.arthurdejong.org"
Subject: Re: nss_initgroups_ignoreuser not working as expected. Are my expectations incorrect?

I’ve spent the majority of my day looking into this and I am stumped.

I’ve found that I have some servers which are acting as expected in that if you login as a local user there is no traffic sent to the LDAP servers.  And then I have other servers that are acting as described below.  All are CentOS 6.8 running the same version of all packages.

I took all the relevant config files (/etc/nslcd.conf, /etc/pam.d/*, /etc/pam_ldap.conf, /etc/sysconfig/*) from a server that is working as expected and copied it over to one of the servers having issues and it didn’t change anything.  I must be missing something here.

I did notice that the id command works as expected even on the servers that aren’t cooperating.  If you run id on a local user it doesn’t generate any traffic to the LDAP server and if you query an LDAP user then you see traffic.  The main issue seems to be logging in.

Has anyone else run into this?

Thanks,
Dan

From: Dan Finn
Date: Tuesday, October 11, 2016 at 10:52 AM
To: "nss-pam-ldapd-users [at] lists.arthurdejong.org"
Subject: nss_initgroups_ignoreuser not working as expected. Are my expectations incorrect?

CentOS 6.8 running nss-pam-ldapd-0.7.5-32.el6.x86_64

While working on troubleshooting an LDAP auth issue on one of our servers I noticed that the server was making calls to LDAP for local users.  I have this in my nslcd.conf file:

nss_initgroups_ignoreusers ALLLOCAL

I was under the impression that this means that for any local users, there should not be any communication needed to the LDAP server?  Is that not correct?  I tried changing ALLLOCAL to the specific local user that I’m testing with and it didn’t change anything; the query to the LDAP server was still made.  I’ve come across many other posts online asking this same thing but none seem to have any answers.

Any help would be much appreciated.

Thanks,
Dan

Dan Finn
Systems Engineer - Linux/MySQL
PlanSource  – One Source. Many Benefits.

Cell: 530-386-2618
Work: 801-869-2844
What I Stand For: Engineering Solutions

This email may contain confidential or protected material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
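The ALLLOCAL expansion the thread turns on, modelled in Python as an added example (editor's code, not nss-pam-ldapd's own and not part of the thread). It follows nslcd.conf(5): nss_initgroups_ignoreusers may be given more than once and the names accumulate, and ALLLOCAL is expanded when nslcd starts to the users the local passwd file knows at that moment. The passwd lines and the trimmed nslcd.conf are constructed samples patterned on the posted configuration; treating commas and spaces alike as separators, and the two lint rules at the end, are choices of this example rather than documented nslcd behaviour.

```python
"""Model of how nslcd resolves nss_initgroups_ignoreusers, plus a small lint
of nslcd.conf. Added example, not nss-pam-ldapd's code. The sample passwd
and config contents below are constructed for the demonstration."""

# Constructed local passwd entries, standing in for /etc/passwd at the
# moment nslcd starts (ALLLOCAL is expanded from this, not from LDAP).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
dfinn:x:1000:1000:Dan Finn:/home/dfinn:/bin/bash
"""

# Constructed nslcd.conf, reduced from the one posted in the thread, with a
# second ignore line added to show that the option accumulates.
SAMPLE_NSLCD_CONF = """\
# The user and group nslcd should run as.
uid nslcd
gid ldap
uri ldaps://ds-pdc.domain.local/
base dc=domain,dc=local
binddn CN=ldap,OU=Service Accounts,OU=IT,DC=domain,DC=local
Bindpw $SECRET$
ssl on
tls_reqcert never
nss_initgroups_ignoreusers ALLLOCAL
nss_initgroups_ignoreusers svc_backup,svc_monitor
"""


def local_users(passwd_text):
    """Account names from passwd-format text (first colon-separated field)."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def parse_nslcd_conf(conf_text):
    """Return (keyword, value) pairs in file order. Keywords are lower-cased
    because nslcd matches them case-insensitively ("Bindpw" is accepted)."""
    options = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.append((parts[0].lower(), value))
    return options


def ignored_users(options, passwd_text):
    """Effective ignore set: every nss_initgroups_ignoreusers line adds to it,
    and ALLLOCAL expands to the local users known when the config is read.
    Assumption of this model: names may be separated by commas or spaces."""
    ignored = set()
    for keyword, value in options:
        if keyword != "nss_initgroups_ignoreusers":
            continue
        for name in value.replace(",", " ").split():
            if name.upper() == "ALLLOCAL":
                ignored |= local_users(passwd_text)
            else:
                ignored.add(name)
    return ignored


def lint_nslcd_conf(options):
    """Findings a reviewer would raise about the posted settings."""
    findings = []
    values = {}
    for keyword, value in options:
        values.setdefault(keyword, []).append(value.lower())
    for reqcert in values.get("tls_reqcert", []):
        if reqcert in ("never", "allow"):
            findings.append(
                "tls_reqcert %s: the LDAP server certificate is not verified, so "
                "ldaps:// does not authenticate the server that answers; use "
                "demand with tls_cacertfile or tls_cacertdir pointing at the "
                "issuing CA" % reqcert)
    if "bindpw" in values:
        findings.append(
            "bindpw is set: the service-account password is stored in clear "
            "text, so nslcd.conf must not be world-readable")
    return findings


if __name__ == "__main__":
    opts = parse_nslcd_conf(SAMPLE_NSLCD_CONF)
    print("ignored for initgroups:", sorted(ignored_users(opts, SAMPLE_PASSWD)))
    for finding in lint_nslcd_conf(opts):
        print("finding:", finding)
```

Two points the model makes visible. The ignore set is fixed when the configuration is read, so an account added to /etc/passwd afterwards is not covered until nslcd is restarted. And per nslcd.conf(5) the option only prevents group-membership (initgroups) lookups for the listed users, which is the lookup `id` makes after resolving the account; other lookups involving the same name are not affected by it. The lint also flags the `tls_reqcert never` line from the posted config: with that setting the daemon accepts whatever certificate the ldaps:// endpoint presents, so the connection is encrypted but the server is not authenticated.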
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/