Re: nss_ldap and openldap on the same server.



On Tue, Mar 13, 2007 at 09:08:34AM +0100, Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 13 Mar 2007, Gerhard Schmidt wrote:
>
>> On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
>>> On 3/12/07, Gerhard Schmidt <estartu@xxxxxxxxxx> wrote:
>>>> Hi,
>>> Hello,
>>>
>>>> As I see it, nss asks all sources even if the first one already knows
>>>> the answer. Is there a way to change this?
>>>
>>> man nsswitch.conf(5)
>>> Look for Status codes and Actions
>>
>> Doesn't work. Tried the following nsswitch.conf:
>> group: files [success=return] ldap
>> hosts: files dns
>> networks: files
>> passwd: files [success=return] ldap
>> shells: files
>>
>> This doesn't change the delay, and the nss_ldap timeout is still reported.
>> This is not surprising, because the manpage states that [success=return]
>> is the default.
>>
>> Seems there is a bug somewhere.
>
> AFAICT, there is no bug.
> The behavior is completely correct, as a look into the openldap code shows.
> When starting up slapd, it tries to switch the credentials to the user and
> group specified, normally ldap:ldap. Therefore it uses the getpwuid(3),
> getpwnam(3), getgrgid(3) and getgrnam(3) functions. If the lookup for the
> user and group specified is okay, it then calls getuid(3) and initgroups(3).
> Reading initgroups(3) turns up the following:
>
>     The initgroups() function uses the getgrouplist(3) function to calculate
>     the group access list for the user specified in name.
>
> Reading getgrouplist(3) turns up the following:
>
>     The getgrouplist() function reads through the group file and calculates
>     the group access list for the user specified in name.
>     [...]
>     The getgrouplist() function uses the routines based on getgrent(3).
>
> Reading getgrent(3) turns up the following:
>
>     The getgrent() function sequentially reads the group database and is
>     intended for programs that wish to step through the complete list of
>     groups.
>     [...]
>     The getgrent() and getgrent_r() functions make no attempt to suppress
>     duplicate information if multiple sources are specified in
>     nsswitch.conf(5).
>
> So after following the way through all the man pages, it turns out that the
> behavior is fully correct, as a lookup is done to find out all the groups to
> which the specified slapd user belongs. This includes lookups using
> nss_ldap when ldap is configured as a source for groups in nsswitch.conf.
>
> As a side note, a short look into the bind and cron source shows that
> these, and probably others too, also use the initgroups(3) function.

Yes. But still there is something missing. The admin should have control
over this behavior. The reasonable default action for groups should be
success=continue, to go through all group sources. But the admin should
still have the possibility to stop the process on success, which is not
possible right now.

Bye
Estartu

--
----------------------------------------------------------------------------
Gerhard Schmidt | Nick : estartu IRC : Estartu |
Fischbachweg 3 | | PGP Public Key
86856 Hiltenfingen | EMail: estartu@xxxxxxxxxx | on request
Germany | |
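The mechanism Joerg traces above (initgroups(3) -> getgrouplist(3) -> getgrent(3)) can be made visible with a small C program. This is an added example, not code from the thread and not from the OpenLDAP, bind or cron sources. It assumes the getgrouplist(3) behaviour documented in the FreeBSD man page quoted above: the supplementary group list is built by enumerating the whole group database with setgrent/getgrent/endgrent rather than by a per-name lookup. (glibc builds the list by asking each NSS module's own initgroups hook instead of walking getgrent, but every source listed for "group" is still consulted, so the conclusion about nss_ldap being contacted is the same.) The function names, the 256-entry buffers and the default user "root" are my choices for the example.

```c
/* grpwalk.c: show why initgroups(3)/getgrouplist(3) cannot be short-circuited
 * by a [success=return] action in nsswitch.conf.  A by-name lookup such as
 * getgrnam(3) asks each source in turn and may stop at the first hit; building
 * a user's supplementary group list is an enumeration (setgrent/getgrent/
 * endgrent) that has to read every group record from every configured source,
 * so with "group: files ldap" it always reaches nss_ldap.
 * Build: cc -Wall -o grpwalk grpwalk.c          (example code, not slapd's) */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Append gid to gids[] unless already present; returns the new count. */
static int add_gid(gid_t *gids, int n, int max, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == gid)
            return n;
    if (n < max)
        gids[n++] = gid;
    return n;
}

/* Enumerate the entire group database, as getgrouplist(3) is documented to do
 * on FreeBSD, collecting the primary group `basegid` plus every group whose
 * member list names `user`.  Returns the number of distinct gids stored. */
int walk_groups_for_user(const char *user, gid_t basegid, gid_t *gids, int max)
{
    int n = add_gid(gids, 0, max, basegid);
    struct group *gr;
    setgrent();                          /* rewind: every source gets read */
    while ((gr = getgrent()) != NULL) {  /* files, then ldap, then ... */
        for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++) {
            if (strcmp(*m, user) == 0) {
                n = add_gid(gids, n, max, gr->gr_gid);
                break;
            }
        }
    }
    endgrent();
    return n;
}

/* Cross-check the manual walk against libc's getgrouplist(3).  Returns 1 when
 * both yield the same set of gids (order and duplicates ignored), else 0. */
int walk_matches_getgrouplist(const char *user, gid_t basegid)
{
    gid_t mine[256], libc[256], uniq[256];
    int nmine = walk_groups_for_user(user, basegid, mine, 256);
    int nlibc = 256;
    if (getgrouplist(user, basegid, libc, &nlibc) == -1)
        return 0;                        /* more than 256 groups: give up */
    /* getgrent-based sources may repeat entries (see getgrent(3) above) */
    int nuniq = 0;
    for (int i = 0; i < nlibc; i++)
        nuniq = add_gid(uniq, nuniq, 256, libc[i]);
    if (nuniq != nmine)
        return 0;
    for (int i = 0; i < nmine; i++) {
        int found = 0;
        for (int j = 0; j < nuniq; j++)
            if (uniq[j] == mine[i])
                found = 1;
        if (!found)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(user);  /* single lookup: may stop early */
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    gid_t gids[256];
    int n = walk_groups_for_user(user, pw->pw_gid, gids, 256);
    printf("%s is in %d group(s):", user, n);
    for (int i = 0; i < n; i++)
        printf(" %lu", (unsigned long)gids[i]);
    printf("\nmatches getgrouplist(3): %s\n",
           walk_matches_getgrouplist(user, pw->pw_gid) ? "yes" : "no");
    return 0;
}
```

Run it as `./grpwalk ldap` on a host whose nsswitch.conf says `group: files [success=return] ldap`: the getpwnam(3) call returns at once from files, while the enumeration in walk_groups_for_user() is what triggers the nss_ldap connection attempt and its timeout. The [success=return] action applies to per-name lookups; an enumeration has no single "success" at which to stop, which is the reason the configuration change in the thread made no difference.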
