Re: [nssldap] Avoid LDAP queries of some users?

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Jordi Espasa Clofent <jespasac [at] minibofh.org>
To: nssldap [at] padl.com
Subject: Re: [nssldap] Avoid LDAP queries of some users?
Date: Mon, 24 Aug 2009 12:49:17 +0200

Guillaume Rousse escribió:

That's one classical nss trap. Whereas what you describe is the onlydocumented behaviour in nsswitch.conf man page, some functions callbehave differently. In particular, initgroups() always use all resourcesavailable, because a local user could also have additional groups inother databases.

Yes, I've searched in archive. As Howard Chu says here(1), it's theexpected behaviour in initgroup(3) function.

You may use nss_initgroups_ignoreusers directive for nss_ldap, which ispainful because you have to lists all users explicitely, there is no wayto tell 'all users with uid < 500'.


Mmmmm... ok. Maybe a simple Perl script can does it from me ;)

The question is ¿is there some limit in number of parameters (users) Ican put in nss_initgroup_ignoreusers directive? I'm thinking that I'vesome boxes with more than 800 local users...

Alternatively, you may try to change nss behaviour this way, if younever mix local users and ldap groups (untested):
group: files [SUCCESS=return] ldap

Mmmmm... I think that initgroups(3) function doesn't pay any attentionon this and always aks for to all listed resources in nsswitch.conf.


(1) http://marc.info/?l=nssldap&m=106326923508660&w=2

--
Thanks,
Jordi Espasa Clofent

[nssldap] Avoid LDAP queries of some users?, Jordi Espasa Clofent
- Re: [nssldap] Avoid LDAP queries of some users?, Guillaume Rousse
  - Re: [nssldap] Avoid LDAP queries of some users?, Jordi Espasa Clofent

Prev by Date: Re: [nssldap] Avoid LDAP queries of some users?
Next by Date: [nssldap] Does nss_ldap support user/group name mangling?
Previous by thread: Re: [nssldap] Avoid LDAP queries of some users?
Next by thread: [nssldap] Does nss_ldap support user/group name mangling?