Re: Issue with resolving groups with nss_ldap: msg#00003

ldap.padl.nss

Subject: Re: Issue with resolving groups with nss_ldap

Erik Logtenberg wrote:
> Hi,
>
> I have configured an OpenLDAP server, which will be used to resolve my
> users and groups. I use nss_ldap for this and pam_ldap for authentication.
> Now I run into a bit of a problem: when the LDAP server is down, my
> groups cannot be resolved. Even the groups that are not in LDAP but in
> /etc/group. My configuration is as follows:
>
> == snippet from /etc/nsswitch.conf:
> group: files ldap
>
> == snippet from /etc/group
> ldap:x:439:ldap
>
> == snippet from /etc/passwd
> ldap:x:439:439:OpenLDAP:/usr/lib64/openldap:/usr/sbin/nologin
>
> Now when I do something like "id ldap", it gives me the right results:
>
> # id ldap
> uid=439(ldap) gid=439(ldap) groups=439(ldap)
>
> This information is fetched from /etc/passwd and /etc/group and not from
> LDAP. The ldap user and group are not mentioned in the LDAP tree. This
> is correct behaviour. Also, when I try to resolve a user or group that is
> in LDAP, it works correctly.
>
> Now, when I stop my LDAP server, things stop working. I cannot do "id
> ldap" anymore, even though all the information it needs is stored in local
> files.

How do you know that? ldap might also be a member of groups defined in the
ldap database, so it must also be queried.

> When I change my /etc/nsswitch.conf file to this, it works again:
>
> == snippet from /etc/nsswitch.conf:
> group: files
>
> So, to analyze this, I started my LDAP server again, changed the
> nsswitch.conf back to "files ldap" and did: "strace id ldap".
> I see that it contacts LDAP *first* and then reads /etc/group. This
> issue is not with users; it reads users from /etc/passwd first and
> doesn't contact LDAP for users that it has already found in /etc/passwd.
>
> Of course you already noticed that the test user in this case is the
> 'ldap' user. This is because OpenLDAP runs as the ldap user and ldap group.
> OpenLDAP can't start because nss_ldap tries to resolve the ldap user
> from LDAP first, before it can even start the OpenLDAP service.
>
> I hope someone can tell me if this is a configuration error on my side,
> or a bug in nss_ldap?
>
> Kind regards,
>
> Erik Logtenberg.
>
> P.S. This is nss_ldap 249.
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax : -3341
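The point Heinrich makes above, that a single group lookup and a user's supplementary-group enumeration walk the nsswitch sources differently, is easy to see in a small model. The following is an added illustration written for this thread, not code from nss_ldap, glibc or the poster; it simulates glibc's handling of the `group` line (first source that succeeds ends a `getgrnam`, while `initgroups`, which is what `id` uses, asks every configured source because memberships may be spread across databases). The group data and the "ldap source is down" condition are constructed to match the snippets in the mail; how a real unreachable LDAP backend behaves (immediate failure versus retries and timeouts) depends on the backend's own configuration and is not modelled beyond an "unavailable" status.

```python
"""Simulate nsswitch 'group' lookups: getgrnam versus initgroups.

Constructed model for illustration; mirrors glibc's default actions per
status but is not glibc or nss_ldap code.
"""
import re
from dataclasses import dataclass, field

# Status values one NSS source can return (glibc's names, lower-cased).
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"

# glibc default action for each status when the line carries no [STATUS=action].
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}


def parse_nsswitch_line(line):
    """Parse 'group: files [NOTFOUND=return UNAVAIL=continue] ldap' into a
    list of (source, {status: action}) pairs. Negated '!STATUS' specifiers
    are not handled in this simplified parser."""
    _, _, spec = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action specifier before any source")
            for item in tok[1:-1].split():
                status, _, action = item.partition("=")
                entries[-1][1][status.lower()] = action.lower()
        else:
            entries.append((tok, {}))
    return entries


@dataclass
class Source:
    """One NSS backend: a group database plus an audit trail of requests."""
    name: str
    groups: dict                      # group name -> (gid, [member logins])
    down: bool = False                # simulate an unreachable backend
    calls: list = field(default_factory=list)

    def getgrnam(self, name):
        self.calls.append(("getgrnam", name))
        if self.down:
            return UNAVAIL, None
        if name in self.groups:
            gid, members = self.groups[name]
            return SUCCESS, (name, gid, members)
        return NOTFOUND, None

    def initgroups(self, user):
        self.calls.append(("initgroups", user))
        if self.down:
            return UNAVAIL, set()
        gids = {gid for gid, members in self.groups.values() if user in members}
        return (SUCCESS if gids else NOTFOUND), gids


def action_for(status, actions):
    return actions.get(status, DEFAULT_ACTIONS[status])


def nss_getgrnam(config, sources, name):
    """Single-entry lookup: stops at the first source whose status maps to 'return'."""
    result = None
    for src_name, actions in config:
        status, entry = sources[src_name].getgrnam(name)
        if status == SUCCESS:
            result = entry
        if action_for(status, actions) == "return":
            break
    return result


def nss_initgroups(config, sources, user, primary_gid):
    """Supplementary-group enumeration: a SUCCESS never ends the walk, so every
    configured source is consulted; 'return' is honoured only for other statuses."""
    gids = {primary_gid}
    unavailable = []
    for src_name, actions in config:
        status, found = sources[src_name].initgroups(user)
        gids |= found
        if status == UNAVAIL:
            unavailable.append(src_name)
        if status != SUCCESS and action_for(status, actions) == "return":
            break
    return gids, unavailable


def simulate(group_line, ldap_down=False):
    """Run both lookups for the 'ldap' account against constructed data that
    matches the mail ('ldap' group only in files) and report which sources
    each lookup actually touched."""
    files = Source("files", {"ldap": (439, ["ldap"]), "root": (0, [])})
    ldap = Source("ldap", {"developers": (1000, ["erik"])}, down=ldap_down)  # constructed
    sources = {"files": files, "ldap": ldap}
    config = parse_nsswitch_line(group_line)
    grp = nss_getgrnam(config, sources, "ldap")
    gids, unavailable = nss_initgroups(config, sources, "ldap", 439)
    return {
        "getgrnam": grp,
        "initgroups": sorted(gids),
        "unavailable": unavailable,
        "sources_touched_by_getgrnam": [s for s in sources if ("getgrnam", "ldap") in sources[s].calls],
        "sources_touched_by_initgroups": [s for s in sources if ("initgroups", "ldap") in sources[s].calls],
    }


if __name__ == "__main__":
    for line, down in [("group: files ldap", False), ("group: files ldap", True), ("group: files", True)]:
        print(f"{line!r}, ldap down={down}: {simulate(line, ldap_down=down)}")
```

With `group: files ldap` the by-name lookup of the `ldap` group never touches the LDAP source, exactly as the mail observes for users, but the `initgroups` walk behind `id` contacts it regardless, so a backend that is down or slow to fail is on the path of every `id` call, including the one made while starting the directory service itself. Checking which sources a given call touches, as the audit trail here does, is the first thing to establish before changing the `group` line or the backend's failure handling.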
