lists.arthurdejong.org

Re: [nssldap] nss_initgroups_ignoreusers




On Friday 24 October 2008 18:21:54 Lynn York wrote:
> Hello,
>
>
>
> I seem to be having an issue with
> nss_initgroups_ignoreusers.  I have the following line in my /etc/ldap.conf
> file but it still seems to search LDAP for the users.  Can anyone shed some
> light on this issue for me?  Also, I am running nss_ldap version >= 2.53.
> I have supplied a snippet of the slapd log.
>
>
>
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,postmaster,anonymous,apache
>
>
>
>
>
> [ log snippet ]
>
>
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=140 fd=48 ACCEPT from
> IP=127.0.0.1:59736 (IP=0.0.0.0:389)
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SRCH
> base="ou=Internal,dc=mgmt,dc=test,dc=com" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=postmaster))"
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectClass
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 op=0 STARTTLS
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 op=0 RESULT oid= err=0
> text=
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=28 SRCH
> base="ou=Internal,dc=mgmt, dc=test,dc=com " scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=postmaster))"
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=28 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectClass
>
> Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 fd=62 TLS established
> tls_ssf=256 ssf=256


But this isn't the filter one would expect for an 'initgroups' call. I would
expect a filter of "(&(objectclass=posixGroup)(memberUid=postmaster))"; this
looks like a search filter from a getpwent or so (and so shouldn't be affected
by nss_initgroups_ignoreusers).

So, my question is how you are getting to querying LDAP for getpwent in the 
first place (what is the 'passwd' line in your /etc/nsswitch.conf)?

Regards,
Buchan
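
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small script that sorts slapd SRCH filters into account lookups (posixAccount/uid) and group-membership searches (posixGroup/memberUid), then reports which users from an ignore list still appear in the latter. The function names and the sample log lines are constructed for illustration.

```python
import re

# Constructed sample slapd log lines (host, conn/op numbers and base DN are made up).
SAMPLE_LOG = """\
Oct 24 12:15:33 host slapd[100]: conn=1 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))"
Oct 24 12:15:34 host slapd[100]: conn=1 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=alice))"
Oct 24 12:15:35 host slapd[100]: conn=1 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=apache))"
Oct 24 12:15:35 host slapd[100]: conn=1 op=3 SRCH attr=cn gidNumber
"""

# The SRCH line that carries the filter (the "SRCH attr=" line does not match).
FILTER_RE = re.compile(r'SRCH base="[^"]*".*?filter="([^"]*)"')
# Simple (attr=value) assertions inside an LDAP filter string.
ASSERT_RE = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')


def classify(line):
    """Return (kind, user) for a SRCH filter line, or None for other lines."""
    m = FILTER_RE.search(line)
    if not m:
        return None
    pairs = {}
    for attr, value in ASSERT_RE.findall(m.group(1)):
        pairs.setdefault(attr.lower(), value)
    oc = pairs.get("objectclass", "").lower()
    # Filter shape the reply expects for an initgroups call.
    if oc == "posixgroup" and "memberuid" in pairs:
        return ("initgroups", pairs["memberuid"])
    # Filter shape of a passwd (account) lookup, as seen in the quoted log.
    if oc == "posixaccount" and "uid" in pairs:
        return ("passwd", pairs["uid"])
    return ("other", None)


def ignored_users_still_searched(log_text, ignore_list):
    """Users on the ignore list that still show up in group-membership searches."""
    ignored = {u.strip() for u in ignore_list.split(",") if u.strip()}
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] == "initgroups" and result[1] in ignored:
            hits.append(result[1])
    return hits


if __name__ == "__main__":
    print(ignored_users_still_searched(SAMPLE_LOG, "root,apache,postmaster"))
```

Only hits of the "initgroups" kind say anything about nss_initgroups_ignoreusers; a "passwd" hit for an ignored user, as in the quoted log, comes from a different lookup path.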