[nssldap] Avoid LDAP queries of some users?
- From: Jordi Espasa Clofent <jespasac [at] minibofh.org>
- To: nssldap [at] padl.com
- Subject: [nssldap] Avoid LDAP queries of some users?
- Date: Mon, 24 Aug 2009 11:15:37 +0200
Hi all,
I have an OpenLDAP server as account server (only for sshd access, using PAM). All
works fine, but in the LDAP server logs I see a lot of LDAP queries for
users that don't exist in the LDAP database (such as www-data, postfix or clamav):
// user www-data
# cat /var/log/syslog | grep www-data | tail
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089909 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089912 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089911 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089910 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089909 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089912 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089910 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089911 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
// user postfix
# cat /var/log/syslog | grep postfix | tail
Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090123 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090123 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090124 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090124 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090125 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090125 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:59:06 xen-ldap03 slapd[9785]: conn=4090138 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:59:06 xen-ldap03 slapd[9785]: conn=4090138 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
// user clamav
# cat /var/log/syslog | grep clam | tail
Aug 24 09:21:44 xen-ldap03 slapd[9785]: conn=4065713 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:22:34 xen-ldap03 slapd[9785]: conn=4066846 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:24:50 xen-ldap03 slapd[9785]: conn=4068425 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:43:44 xen-ldap03 slapd[9785]: conn=4083805 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:49:50 xen-ldap03 slapd[9785]: conn=4088652 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:50:21 xen-ldap03 slapd[9785]: conn=4089003 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:21 xen-ldap03 slapd[9785]: conn=4089004 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:22 xen-ldap03 slapd[9785]: conn=4089042 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:22 xen-ldap03 slapd[9785]: conn=4089052 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:23 xen-ldap03 slapd[9785]: conn=4089067 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Why does the client system ask the LDAP server for users such as www-data,
postfix or clamav? They don't exist in the LDAP database.
My /etc/nsswitch.conf looks like:
# cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
sudoers: ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The way things happen is simple: the client asks the files resource
(local system) for something, and if it gets no response, it asks
the next resource (ldap).
So the question is simple: how can I stop certain local users (such as
postfix, clamav or www-data) from being looked up in the ldap resource?
Obviously, I still need the ldap resource in nsswitch.conf to
correctly validate the users that _exist_ in the LDAP server.
More useful info:
// server OpenLDAP version
# dpkg -l | grep slapd
ii slapd 2.4.11-1 OpenLDAP server (slapd)
// client NSS-LDAP version
# dpkg -l | grep libnss-ldap
ii libnss-ldap 261-2.1 NSS module for using LDAP as a naming service
--
Thanks,
Jordi Espasa Clofent
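An added diagnostic for the situation described in the message above; it is not part of Jordi's post nor of the nss_ldap or OpenLDAP projects. It re-joins mail-wrapped slapd SRCH records of the shape quoted above, extracts the objectClass and the uid/memberUid from each nss_ldap filter, and reports which of the names searched on the LDAP server are already defined in the local passwd file, i.e. which lookups the `files` source could have answered. The hostname ldap01, pid 1234, connection numbers, base DN dc=example,dc=com and the passwd entries are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Syslog records start "Mon DD HH:MM:SS host ...".  Any other line is taken
# as a continuation of the previous record: mail clients wrap long slapd
# lines, exactly as in the excerpt above.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# slapd's SRCH record: conn=N op=N SRCH base="..." scope=N deref=N filter="..."
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=(?P<deref>\d) filter="(?P<filter>.*)"\s*$'
)

# nss_ldap's default filters all look like (&(objectClass=X)(attr=value)).
FILTER_RE = re.compile(
    r"^\(&\(objectClass=(?P<oc>\w+)\)\((?P<attr>\w+)=(?P<value>[^)]*)\)\)$"
)


def join_wrapped(text):
    """Re-join syslog records that were wrapped over several physical lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_search(record):
    """(conn, op, objectClass, attr, value) for a SRCH record, else None."""
    m = SRCH_RE.search(record)
    f = FILTER_RE.match(m.group("filter")) if m else None
    if not f:
        return None
    return (int(m.group("conn")), int(m.group("op")),
            f.group("oc"), f.group("attr"), f.group("value"))


def local_accounts(passwd_text):
    """Account names the `files` source can answer for (passwd(5) format)."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#") and ":" in line}


def lookups_by_user(log_text):
    """Account name -> {objectClass: number of searches naming that user}."""
    per_user = defaultdict(Counter)
    for rec in join_wrapped(log_text):
        parsed = parse_search(rec)
        if parsed is None:
            continue
        _conn, _op, oc, attr, value = parsed
        if attr in ("uid", "memberUid"):   # posixAccount/shadowAccount by uid,
            per_user[value][oc] += 1       # posixGroup by memberUid
    return {user: dict(c) for user, c in per_user.items()}


def avoidable_lookups(log_text, passwd_text):
    """Searches that reached LDAP for names the local passwd file defines."""
    local = local_accounts(passwd_text)
    return {u: c for u, c in lookups_by_user(log_text).items() if u in local}


# --- constructed sample data (not from the post): ldap01, pid 1234,
# dc=example,dc=com and the connection numbers are all made up. ---
SAMPLE_SLAPD_LOG = """\
Aug 24 10:23:54 ldap01 slapd[1234]: conn=1000 fd=24 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
Aug 24 10:23:54 ldap01 slapd[1234]: conn=1000 op=2 SRCH
base="dc=example,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 ldap01 slapd[1234]: conn=1000 op=3 SRCH
base="dc=example,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:54:07 ldap01 slapd[1234]: conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:55:12 ldap01 slapd[1234]: conn=1002 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 10:56:40 ldap01 slapd[1234]: conn=1003 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
postfix:x:104:108::/var/spool/postfix:/bin/false
clamav:x:105:110::/var/lib/clamav:/bin/false
"""

if __name__ == "__main__":
    for user, classes in sorted(avoidable_lookups(SAMPLE_SLAPD_LOG, SAMPLE_PASSWD).items()):
        print(f"{user:10s} defined in files, yet searched in LDAP: {classes}")
```

Point it at the real /var/log/syslog and /etc/passwd of the client to get the same table for a production host. The report keeps the two kinds of searches visible in the post apart: posixAccount and shadowAccount searches by uid are ordinary getpwnam/getspnam lookups, while posixGroup searches by memberUid are the initgroups/getgrouplist membership scans; glibc runs those against every source listed for `group:` regardless of which source supplied the user, and nss_ldap's ldap.conf directive `nss_initgroups_ignoreusers` exists to exempt named local accounts from that scan.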