[nssldap] Avoid LDAP queries of some users?

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Jordi Espasa Clofent <jespasac [at] minibofh.org>
To: nssldap [at] padl.com
Subject: [nssldap] Avoid LDAP queries of some users?
Date: Mon, 24 Aug 2009 11:15:37 +0200

Hi all,

I've an OpenLDAP as account server (only for sshd acces, using PAM). Allworks fine, but in LDAP server logs I see a lot of LDAP queries fromusers that don't exist in LDAP database (as www-data, posfix or clamav):


// user www-data
# cat /var/log/syslog | grep www-data | tail

Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089909 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089912 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089911 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089910 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089909 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089912 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089910 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=www-data))"Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089911 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=www-data))"


// user postfix
# cat /var/log/syslog | grep postfix | tail

Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=postfix))"Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=postfix))"Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090123 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=postfix))"Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090123 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=postfix))"Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090124 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=postfix))"Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090124 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=postfix))"Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090125 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=postfix))"Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090125 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=postfix))"Aug 24 10:59:06 xen-ldap03 slapd[9785]: conn=4090138 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=postfix))"Aug 24 10:59:06 xen-ldap03 slapd[9785]: conn=4090138 op=3 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixGroup)(memberUid=postfix))"


// user clamav
# cat /var/log/syslog | grep clam | tail

Aug 24 09:21:44 xen-ldap03 slapd[9785]: conn=4065713 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=clamav))"Aug 24 09:22:34 xen-ldap03 slapd[9785]: conn=4066846 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=shadowAccount)(uid=clamav))"Aug 24 09:24:50 xen-ldap03 slapd[9785]: conn=4068425 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=clamav))"Aug 24 09:43:44 xen-ldap03 slapd[9785]: conn=4083805 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=clamav))"Aug 24 09:49:50 xen-ldap03 slapd[9785]: conn=4088652 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=posixAccount)(uid=clamav))"Aug 24 09:50:21 xen-ldap03 slapd[9785]: conn=4089003 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=shadowAccount)(uid=clamav))"Aug 24 09:50:21 xen-ldap03 slapd[9785]: conn=4089004 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=shadowAccount)(uid=clamav))"Aug 24 09:50:22 xen-ldap03 slapd[9785]: conn=4089042 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=shadowAccount)(uid=clamav))"Aug 24 09:50:22 xen-ldap03 slapd[9785]: conn=4089052 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=shadowAccount)(uid=clamav))"Aug 24 09:50:23 xen-ldap03 slapd[9785]: conn=4089067 op=2 SRCHbase="dc=cdmon,dc=com" scope=2 deref=0filter="(&(objectClass=shadowAccount)(uid=clamav))"

¿Why the client system ask to LDAP server for users as www-data,postfix or clamav? They don't exists in LDAP database.


My /etc/nsswitch.conf looks like:

# cat /etc/nsswitch.conf

passwd:         files ldap
group:           files ldap
shadow:        files ldap

sudoers:        ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

The way that the things happen is simple: the client ask for somethingin files resources (local system) and if not get any response, then askthe next resource (ldap).


So the question is simple

¿How I can avoid that certain local users (as postifx, clamav orwww-data) asks to ldap resource ?

Obviously, I still needing the ldap resource in nsswitch.conf tovalidate correctly the users that _exists_ in LDAP server.


More useful info:

// server OpenLDAP version
# dpkg -l | grep slapd

ii slapd 2.4.11-1 OpenLDAPserver (slapd)


// client NSS-LDAP version
# dpkg -l | grep libnss-ldap

ii libnss-ldap 261-2.1 NSSmodule for using LDAP as a naming service



--
Thanks,
Jordi Espasa Clofent

[nssldap] Avoid LDAP queries of some users?, Jordi Espasa Clofent

Re: [nssldap] Avoid LDAP queries of some users?, Guillaume Rousse
- Re: [nssldap] Avoid LDAP queries of some users?, Jordi Espasa Clofent

Prev by Date: Re: [nssldap] strange issue with cron and nss_ldap
Next by Date: Re: [nssldap] Avoid LDAP queries of some users?
Previous by thread: Re: [nssldap] strange issue with cron and nss_ldap
Next by thread: Re: [nssldap] Avoid LDAP queries of some users?