RSS feed

Re: nss_initgroups_ignoreusers ALLLOCAL issue

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nss_initgroups_ignoreusers ALLLOCAL issue

Hi Arthur,

Thank you for the clarification. I need more :)

Le 15/05/2017 à 19:08, Arthur de Jong a écrit :
> On Mon, 2017-05-15 at 17:59 +0200, wrote:
>> nss_initgroups_ignoreusers ALLLOCAL isn't about ignoring all locally
>> defined users from the LDAP at all. It's about 'group membership
>> lookups'
> Indeed. I was wondering about what the problem was ;_
>> My goal was to avoid duplicate username between local and LDAP but it
>> doesn't seem possible to do so.
> Having duplicate user names should not be a real problem as long as the
> entry from /etc/passwd matches that from LDAP.

usually the data does't match: the UID/GID in the LDAP is different from

My use case is as follow : I have a set of linux servers with on each of
them a local account - same username every time but not necessarily the
same uid/gid or homedir . On a second hand, I have a ldap server which
already provide authentication for a number of web apps that I have
tweaked to handle posix account objectclasses.

At this point, it appears that I need to authenticate using that LDAP
account with the same username as the local one mentioned above to my
linux boxes.

> If you want to filter out certain users you could use the filter
> statement to exclude users from LDAP that match certain criteria. There
> is no way to automatically exclude all locally defined users from LDAP
> lookups (though if you are running nscd in most situations this should
> not be a problem).

I'm not sure to understand what is the role of nscd in this, and why it
should not be a problem ?

However I could use:
filter passwd (!(uid=<dupusername>))(objectClass=posixAccount)

Or I could have that ldap dupusername defined with UID/GID>10000 then
test this in the filter. That would emulate a "group of LDAP users to

Any better idea ?

> What you want to avoid is having multiple users with different
> information on the system. If you are running nscd both user names and
> numeric user ids are expected to be unique on the system.

unfortunately, this is the case, I have a single username with different
data locally vs LDAP. It seems I have no choice but to build some
filters to avoid that.


To unsubscribe send an email to or see