lists.arthurdejong.org

Re: [nssldap] Avoid LDAP queries of some users?

Jordi Espasa Clofent wrote:
My /etc/nsswitch.conf looks like:

# cat /etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

sudoers:        ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

The way things happen is simple: the client asks for something in the files resource (local system) and, if it doesn't get any response, then asks the next resource (ldap).
That's one classical nss trap. While what you describe is the only behaviour documented in the nsswitch.conf man page, some function calls behave differently. In particular, initgroups() always uses all the available resources, because a local user could also have additional groups in other databases.

So the question is simple
How can I avoid that certain local users (such as postfix, clamav or www-data) ask the ldap resource?
You may use the nss_initgroups_ignoreusers directive for nss_ldap, which is painful because you have to list all users explicitly; there is no way to say 'all users with uid < 500'.

Alternatively, you may try to change nss behaviour this way, if you never mix local users and ldap groups (untested):
group: files [SUCCESS=return] ldap
--
BOFH excuse #61:

not approved by the FCC
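Since the directive has to name every account explicitly, the list is best generated from /etc/passwd rather than typed by hand. The script below is an added example and is not from the thread or from the nss_ldap project: it assumes that nss_initgroups_ignoreusers takes a comma-separated list of user names (as in nss_ldap's ldap.conf), that the uid boundary for "system" accounts is the 500 mentioned above (adjust it for your distribution), and it runs against a constructed sample passwd file rather than the real one.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Builds an nss_initgroups_ignoreusers line for nss_ldap from a
# passwd-format file, naming every account whose uid is below a threshold.
# Assumption: the directive takes a comma-separated list of user names.

# gen_ignoreusers FILE UID_MAX
#   Prints "nss_initgroups_ignoreusers a,b,c" for all entries with uid < UID_MAX.
#   Returns 1 (and prints nothing) if no account matches.
gen_ignoreusers() {
    file=$1
    max=$2
    # Field 1 is the user name, field 3 the numeric uid; skip malformed lines.
    users=$(awk -F: -v max="$max" '
        NF >= 3 && $3 < max { s = s (s ? "," : "") $1 }
        END { if (s) print s }
    ' "$file")
    [ -n "$users" ] || return 1
    printf 'nss_initgroups_ignoreusers %s\n' "$users"
}

# Constructed sample passwd content (not taken from any real system).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:102:105::/var/spool/postfix:/usr/sbin/nologin
clamav:x:103:106::/var/lib/clamav:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
EOF

# Prints: nss_initgroups_ignoreusers root,postfix,clamav,www-data
gen_ignoreusers "$SAMPLE_PASSWD" 500
rm -f "$SAMPLE_PASSWD"
```

To use it on a real host, run it as `gen_ignoreusers /etc/passwd 500` and paste the resulting line into the nss_ldap configuration file (assumed here to be /etc/ldap.conf; the path depends on the distribution), then confirm with `id postfix` while watching the LDAP server or nss_ldap debug output that no bind is attempted for that account. Rerun it whenever a package adds a new system user, since a freshly created account will not be covered until the list is regenerated.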