
Re: nss_initgroups_ignoreuser not working as expected. Are my expectations incorrect?

I think I have figured out what was happening.  I put nslcd in debug mode
and logged in as a local user and what I noticed is that it was looking up
group information for a LDAP group.  That didn’t seem right, it shouldn’t
need to do that for these local users, they have no relation to that LDAP
group.  We use pam_access to control which LDAP users can login to which
servers.  Our /etc/security/access.conf looked like so:

+ : root : ALL
+ : (LDAP-group) : ALL
+ : localuser1 : ALL
+ : localuser2 : ALL
- : ALL : ALL

So it appears that pam_access was working its way down this list and it
first had to see if the local user we were logging in as was part of
LDAP-group before moving on.  I modified /etc/security/access.conf to look
like so:
+ : root : ALL
+ : localuser1 : ALL
+ : localuser2 : ALL
+ : (LDAP-group) : ALL

- : ALL : ALL

And now we are no longer seeing traffic to the LDAP server when a local
user logs in.

What I can’t explain is why this was NOT happening on some of our servers.
On some servers you’d login as a local user and there would be no traffic
sent to the LDAP server. All servers use the same pam config files and the
same /etc/security/access.conf.  I wish I had an answer for that but at
least now they are all working as expected.

Thanks,
Dan
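To make the first-match behaviour described above concrete, here is an added example (not part of Dan's message or of nss-pam-ldapd) that simulates how pam_access walks access.conf and records which group lookups it has to perform before reaching a match; the group membership table and the user name ldapuser are constructed for the simulation.

```python
from typing import List, Tuple

# Constructed samples: the two access.conf orderings quoted in the thread.
BEFORE = """\
+ : root : ALL
+ : (LDAP-group) : ALL
+ : localuser1 : ALL
+ : localuser2 : ALL
- : ALL : ALL
"""
AFTER = """\
+ : root : ALL
+ : localuser1 : ALL
+ : localuser2 : ALL
+ : (LDAP-group) : ALL
- : ALL : ALL
"""

# Constructed group membership, standing in for what NSS would answer.
# The local users belong to no LDAP group, exactly as in the thread.
GROUPS = {"ldapuser": {"LDAP-group"}, "localuser1": set(), "localuser2": set()}


def evaluate(conf: str, user: str) -> Tuple[bool, List[str]]:
    """Return (granted, groups_looked_up) for the first matching line.

    pam_access stops at the first line whose user field matches.  A field in
    parentheses names a group, and testing membership costs a getgrnam()
    call that nslcd forwards to LDAP; nss_initgroups_ignoreusers does not
    suppress it, since that option only affects initgroups().  EXCEPT and
    @netgroup syntax are not modelled here.
    """
    lookups: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, _origins = (f.strip() for f in line.split(":", 2))
        for field in users.split():
            if field == "ALL" or field == user:
                return perm == "+", lookups
            if field.startswith("(") and field.endswith(")"):
                group = field[1:-1]
                lookups.append(group)  # the round trip visible in nslcd -d
                if group in GROUPS.get(user, set()):
                    return perm == "+", lookups
    raise ValueError("no entry matched; end the file with '- : ALL : ALL'")


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(conf, "localuser1"))
```

With the original ordering a local user login still triggers a lookup of LDAP-group; with the local users listed first it triggers none, which is the traffic change observed after the edit.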
On 10/12/16, 7:30 AM, "Dan Finn" <Dan.Finn@plansource.com> wrote:

>Yes, I did ensure that nsswitch.conf is identical (files, ldap) on both.
>I have nscd turned off for all of this testing so that it doesn't skew
>the results.
>
>
>> On Oct 12, 2016, at 2:48 AM, Michael Ströder <michael@stroeder.com>
>>wrote:
>>
>> Dan Finn wrote:
>>> I took all the relevant config files (/etc/nslcd.conf, /etc/pam.d/*,
>>> /etc/pam_ldap.conf, /etc/sysconfig/*) from a server that is working as
>>>expected
>>> and copied it over to one of the servers having issues and it didn’t
>>>change
>>> anything.  I must be missing something here.
>>
>> Did you also compare /etc/nsswitch.conf and /etc/nscd.conf on these
>>systems?
>>
>> Did you also clear nscd caches and restart nscd (besides nslcd) after
>>tweaking
>> your configuration?
>>
>> Ciao, Michael.
>>
>> --
>> To unsubscribe send an email to
>> nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
>> https://lists.arthurdejong.org/nss-pam-ldapd-users/
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/