Re: Update nslcd.conf to avoid unnecessary lookups with local URI ldap://127.0.0.1

Raviteja Bailapudi wrote:
> Hi Arthur
>
> When there is no LDAP configuration created on the system, we install the
> default nslcd.conf file from nss-pam-ldapd on the system and start the nslcd
> daemon; then we notice unnecessary nslcd LDAP lookups for all local groups for
> URI ldap://127.0.0.1, which causes unnecessary LDAP lookup failure traces for
> all local groups.
>
> nslcd[280]: [334873] <group/member="root"> failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
> nslcd[280]: [b0dc51] <group="priv-noaccess"> failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server:
>
> I understand that using "nss_initgroups_ignoreusers ALLLOCAL" is the only way
> to filter out these local group LDAP lookups. Can we add
> "nss_initgroups_ignoreusers ALLLOCAL" by default to nslcd.conf, so that anyone
> using the default config avoids unnecessary LDAP lookups and traces as well?

That would piss off anyone who has e.g. LDAP users in the non-LDAP group 
"staff" or "wheel".
On a homogeneous network (e.g. all Debian), such groups can have predictable 
GIDs without bothering to create LDAP equivalents ("ldapstaff") and
patch ALL the systemd-tmpfiles and udev rules to grant write access to 
"ldapstaff" instead of "staff".

Is there a reason your current site policy
    "if there is no LDAP config, install default nslcd.conf"
can't be changed to
    "if there is no LDAP config, install site-specific nslcd.conf"?

If you have a different "default nslcd.conf" for each OS,
you can use augeas[1] to patch nslcd.conf without regexp pain,
e.g. (untested)

    # from CLI
    augtool --autosave 'set /files/etc/nslcd.conf/nss_initgroups_ignoreusers "ALLLOCAL"'

    # in an ansible policy (augeas module from [1]; the path names the
    # option node inside the file, not just the file)
    - augeas:
        command: set
        path: /files/etc/nslcd.conf/nss_initgroups_ignoreusers
        value: ALLLOCAL


[1] http://augeas.net/
    https://github.com/paluh/ansible-augeas
    https://puppet.com/docs/puppet/5.5/resources_augeas.html
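An added example, not code from this thread or from nss-pam-ldapd, for the site-specific nslcd.conf approach discussed above: a plain POSIX shell alternative to the augtool call that sets one "key value" line idempotently, plus a helper that lists members of local groups who are not local users (the mixed memberships such as LDAP users in "staff" that the reply mentions). File paths are arguments; the demo at the bottom uses constructed sample files, and the user and group names in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for a site-specific nslcd.conf:
#   set_nslcd_option  - idempotently set one "key value" line
#   nonlocal_members  - list members of local groups that are not local users
set -eu

# set_nslcd_option FILE KEY VALUE: rewrite the first "KEY ..." line (a
# commented-out "#KEY ..." line counts too), drop later duplicates, or append.
set_nslcd_option() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[[:space:]]*#?" k "([[:space:]]|$)") {
            if (!done) { print k " " v; done = 1 }   # rewrite first match
            next                                     # drop duplicates
        }
        { print }
        END { if (!done) print k " " v }             # append if absent
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# nonlocal_members GROUPFILE PASSWDFILE: print "group:member" for every
# group member with no entry in the passwd file (typically an LDAP user).
nonlocal_members() {
    awk -F: '
        NR == FNR { isloc[$1] = 1; next }            # first file: passwd users
        $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (!(m[i] in isloc)) print $1 ":" m[i]
        }' "$2" "$1"
}

# Demo on constructed sample data (hypothetical users and groups, not /etc).
demo_dir=$(mktemp -d)
printf '%s\n' 'uri ldap://127.0.0.1/' 'base dc=example,dc=org' \
    '#nss_initgroups_ignoreusers root' > "$demo_dir/nslcd.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'bob:x:1000:1000::/home/bob:/bin/sh' > "$demo_dir/passwd"
printf '%s\n' 'root:x:0:' 'staff:x:50:bob,alice' 'wheel:x:10:root,carol' \
    > "$demo_dir/group"
set_nslcd_option "$demo_dir/nslcd.conf" nss_initgroups_ignoreusers ALLLOCAL
grep '^nss_initgroups_ignoreusers' "$demo_dir/nslcd.conf"   # -> ... ALLLOCAL
nonlocal_members "$demo_dir/group" "$demo_dir/passwd"       # -> staff:alice, wheel:carol
rm -rf "$demo_dir"
```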