lists.arthurdejong.org

Re: nss_initgroups_ignoreusers ALLLOCAL issue

Hi,

Sorry but I think I took my dream for reality and totally missed the
point of the directive.

nss_initgroups_ignoreusers ALLLOCAL isn't about ignoring all locally
defined users from the LDAP at all. It's about 'group membership lookups'.

So I'm totally wrong. Sorry.

My goal was to avoid duplicate usernames between local and LDAP but it
doesn't seem possible to do so.

Regards,

On 15/05/2017 at 15:29, mh@ow2.org wrote:
> Hi there,
> 
> I'm using v0.9.6
> 
> I'm having a strange issue with nss_initgroups_ignoreusers ALLLOCAL
> parameter.
> 
> ( I'm happy to find this option, which is absent from the other nss-ldap
> implementation btw )
> 
> First, it used to work: getent passwd was *not* displaying LDAP users
> that exist locally. At that time I was using the following configuration:
> 
> ===
> uid nslcd
> gid nslcd
> uri ldap://...
> base ...
> 
> binddn cn=...
> bindpw ...
> 
> # SSL options
> ssl start_tls
> 
> #tls_reqcert never
> 
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
> 
> nss_initgroups_ignoreusers ALLLOCAL
> ===
> 
> 
> Then I've added the following :
> 
> pam_authz_search
> (|(&(objectClass=posixGroup)(memberUid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))))
> 
> restarted nscd and nslcd and it just stopped working.
> 
> So I decided to revert back and commented the pam_authz_search line. It
> had zero effect, I still get duplicate usernames in getent!
> 
> Same thing when stopping nscd
> 
> I've started nslcd in debug mode and noticed the line:
> 
> nslcd: DEBUG: CFG: nss_initgroups_ignoreusers lists not *all* local
> user, only some of them.
> 
> The debug line finishes like "(..localusers..),news..." (with three dots)
> 
> I tried to add other duplicate accounts, but I can't reproduce the
> expected behavior anymore, this is very strange.
> 
> What is the issue?
> 
> Cheers,
> 

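
The duplicate usernames discussed in this thread can be audited from `getent passwd` output, since enumeration prints the entries of every configured source. The script below is an added example, not part of the original messages or of nss-pam-ldapd; the function names and the sample accounts are constructed, and it assumes `passwd: files ldap` ordering in nsswitch.conf.

```shell
#!/bin/sh
# Added example: list usernames that occur more than once in passwd-format
# input and flag the ones whose UIDs differ between sources.

# find_dup_users: read passwd(5) lines on stdin and print, per duplicated
# name: "<name> uids=<uid1>,<uid2>,... <SAME_UID|UID_MISMATCH>"
find_dup_users() {
    awk -F: '
        NF < 7 { next }                 # skip blank or malformed lines
        {
            count[$1]++
            if (count[$1] == 1) {
                uids[$1] = $3; first[$1] = $3; order[++n] = $1
            } else {
                uids[$1] = uids[$1] "," $3
                if ($3 != first[$1]) mismatch[$1] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (count[name] > 1)
                    printf "%s uids=%s %s\n", name, uids[name], (mismatch[name] ? "UID_MISMATCH" : "SAME_UID")
            }
        }'
}

# Constructed sample: local entries first, then LDAP entries, in the order
# enumeration prints them under the assumed "passwd: files ldap" setting.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
alice:x:1000:1000:Alice (local):/home/alice:/bin/bash
bob:x:1001:1001:Bob (local):/home/bob:/bin/bash
alice:x:20001:20001:Alice (LDAP):/home/alice:/bin/bash
bob:x:1001:1001:Bob (LDAP):/home/bob:/bin/bash
carol:x:20003:20003:Carol (LDAP):/home/carol:/bin/bash
EOF
}

sample_passwd | find_dup_users
# On a live host: getent passwd | find_dup_users
```

A `UID_MISMATCH` line is the case to review first: lookups by name return the entry from the first source, so the LDAP account with that name is shadowed by a local account with a different identity.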