nss_initgroups_ignoreusers ALLLOCAL issue
- From: "mh [at] ow2.org" <mh [at] ow2.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss_initgroups_ignoreusers ALLLOCAL issue
- Date: Mon, 15 May 2017 15:29:53 +0200
Hi there,
I'm using v0.9.6.
I'm having a strange issue with the nss_initgroups_ignoreusers ALLLOCAL
parameter.
(I'm happy to find this option, which is absent from the other nss-ldap
implementation, btw.)
First, it used to work: getent passwd was *not* displaying LDAP users
that exist locally. At that time I was using the following configuration:
===
uid nslcd
gid nslcd
uri ldap://...
base ...
binddn cn=...
bindpw ...
# SSL options
ssl start_tls
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nss_initgroups_ignoreusers ALLLOCAL
===
Then I've added the following:
pam_authz_search (|(&(objectClass=posixGroup)(memberUid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))))
restarted nscd and nslcd and it just stopped working.
So I decided to revert and commented out the pam_authz_search line. It
had zero effect, I still get duplicate usernames in getent!
Same thing when stopping nscd.
I've started nslcd in debug mode and noticed the line:
nslcd: DEBUG: CFG: nss_initgroups_ignoreusers lists not *all* local
users, only some of them.
The debug line finishes like "(..localusers..),news..." (with three dots)
I tried to add other duplicate accounts, but I can't reproduce the
expected behavior anymore, this is very strange.
What is the issue?
Cheers,
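
A check for the symptom described in this message, as an added example that is not part of the original post: it lists every user name that a passwd enumeration returns more than once and flags names whose entries carry different UIDs. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads passwd(5)-format lines on stdin (e.g. the output of `getent passwd`)
# and prints one line per user name that occurs more than once:
#   name count uid-list SAME-UID|UID-CONFLICT
dup_users() {
    awk -F: '
        NF < 7 || $1 == "" { next }          # skip malformed lines
        {
            count[$1]++
            if (!(($1, $3) in seen)) {        # record each distinct UID once
                seen[$1, $3] = 1
                uids[$1] = (uids[$1] == "" ? $3 : uids[$1] "," $3)
                nuid[$1]++
            }
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    printf "%s %d %s %s\n", u, count[u], uids[u],
                           (nuid[u] > 1 ? "UID-CONFLICT" : "SAME-UID")
        }' | sort
}

# Constructed sample: three local entries followed by three LDAP entries,
# in the order an enumeration over "files ldap" would return them.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
alice:x:1000:1000:Alice (local):/home/alice:/bin/bash
alice:x:1000:1000:Alice (LDAP):/home/alice:/bin/bash
news:x:5009:5009:News (LDAP):/home/news:/bin/bash
carol:x:5010:5010:Carol (LDAP):/home/carol:/bin/bash
EOF
}

# Live use: getent passwd | dup_users
sample_passwd | dup_users
```

A UID-CONFLICT line deserves attention first: the same name resolves to different numeric identities depending on which source answers the lookup.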