Re: [nssldap] Avoid LDAP queries of some users?
- From: Jordi Espasa Clofent <jespasac [at] minibofh.org>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] Avoid LDAP queries of some users?
- Date: Mon, 24 Aug 2009 12:49:17 +0200
Guillaume Rousse wrote:
> That's one classical nss trap. Whereas what you describe is the only
> documented behaviour in the nsswitch.conf man page, some function calls
> behave differently. In particular, initgroups() always uses all resources
> available, because a local user could also have additional groups in
> other databases.

Yes, I've searched in the archive. As Howard Chu says here (1), it's the
expected behaviour of the initgroups(3) function.

> You may use the nss_initgroups_ignoreusers directive for nss_ldap, which is
> painful because you have to list all users explicitly; there is no way
> to tell 'all users with uid < 500'.

Mmmmm... ok. Maybe a simple Perl script can do it for me ;)

The question is: is there some limit on the number of parameters (users) I
can put in the nss_initgroups_ignoreusers directive? I'm thinking that I have
some boxes with more than 800 local users...

> Alternatively, you may try to change nss behaviour this way, if you
> never mix local users and ldap groups (untested):
>
> group: files [SUCCESS=return] ldap

Mmmmm... I think that the initgroups(3) function doesn't pay any attention
to this and always asks all listed resources in nsswitch.conf.
(1) http://marc.info/?l=nssldap&m=106326923508660&w=2
--
Thanks,
Jordi Espasa Clofent
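The script Jordi mentions, generating the `nss_initgroups_ignoreusers` line for every local account below a uid threshold so that initgroups() for those accounts never reaches the LDAP backend, as an added shell example that is not part of the thread or of nss_ldap itself. It assumes the standard seven-field passwd format; the passwd content, the threshold of 500 and the account names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build an nss_initgroups_ignoreusers
# line for the nss_ldap configuration listing every local account whose
# uid is below a threshold. Keeping system and service accounts out of the
# LDAP initgroups() lookup both cuts directory traffic and stops those
# accounts' group resolution from depending on LDAP availability.
# Assumes the passwd file format "name:x:uid:gid:gecos:home:shell".

# Constructed sample passwd content for offline use (not real data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
svc-backup:x:450:450:backup svc:/var/backups:/bin/false
jordi:x:1000:1000:Jordi:/home/jordi:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# ignore_users_below PASSWD_FILE MAX_UID
# Prints one "nss_initgroups_ignoreusers a,b,c" line naming every account
# whose uid is numeric and strictly below MAX_UID; prints nothing if none match.
ignore_users_below() {
    awk -F: -v max="$2" '
        # Skip malformed lines whose uid field is not a plain integer.
        $3 ~ /^[0-9]+$/ && $3 + 0 < max + 0 {
            names = names (names == "" ? "" : ",") $1
        }
        END { if (names != "") print "nss_initgroups_ignoreusers " names }
    ' "$1"
}

# Stand-alone run: write the sample to a temp file and generate the directive.
# On a real host you would pass /etc/passwd and append the output to ldap.conf.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
ignore_users_below "$tmp" 500
rm -f "$tmp"
```

Regenerate the line whenever local accounts are added so that new service users are covered; the threshold is the same uid boundary the thread uses to separate system accounts from people.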