Subject: Re: nsswitch.conf issues with LDAP Auth? - msg#00014
On Tue, 12 Sep 2006, Daniel Cross wrote:
Hello all,
I seem to be having some issues with getting auth requests to not lookup
the ldap server if the account is local and have tried everything and am
stumped. Here's a rundown...
What I'm doing:
I have a pair of LDAP boxes, which ~thirty systems are looking up for
authentication via LDAP. Auth all works well. No issues there.
The issue, however, is that..
Even with local system accounts (root, www-data, postfix, etc), the
systems are still contacting the LDAP servers, and I just don't see why
(considering I have Files specified first in nsswitch.conf and
pam_unix.so first in all the pam confs).
Ideally, if the accounts are local, I'd like the systems to say 'ok, we
have our account, now let's not query the LDAP server'
Anyhow, here's my confs:
nsswitch.conf-
passwd: files ldap
group: files ldap
When a user logs in, the function initgroups() is called by the login
process. This function tries to enumerate *all* the groups a user is a
member of. So, it will always contact LDAP if you have "ldap" listed in
nsswitch.conf under "group".
However, in nss-ldap v245, the following was added to address this:
* add nss_initgroups_ignoreusers parameter to ldap.conf,
returns NOTFOUND if nss_ldap's initgroups() is called
for users (comma separated)
This should finally solve the local logon-as-root-when-directory-is-down
problem. Try putting "nss_initgroups_ignoreusers root" in /etc/ldap.conf.
It looks like you have 2 options:
1. Remove "ldap" from the "group" entry in nsswitch.conf.
2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option.
Andy
Thread at a glance:
Previous Message by Date:
Re: nsswitch.conf issues with LDAP Auth?
The big reason why ldap is still contacted is to find out if the user is
in any ldap groups. Since a user can be in a large number of groups,
local and directory based, it has to contact them to figure out which
ones. I have implemented the following configuration as part of my
ldap.conf to reduce the dependency on ldap when disasters occur:
timelimit 15
bind_timelimit 15
bind_policy soft
nss_initgroups_ignoreusers root,ldap
From the man page for nss_initgroups_ignoreusers:
nss_initgroups_ignoreusers <user1,user2,...,userN>
    This option directs the nss_ldap implementation of initgroups(3)
    to return NSS_STATUS_NOTFOUND if called with a listed user as its
    argument.
And this prevents a dependency upon ldap for those listed users.
- Josh, RHCE
Daniel Cross wrote:
Hello all,
I seem to be having some issues with getting auth requests to not lookup
the ldap server if the account is local and have tried everything and am
stumped. Here's a rundown...
What I'm doing:
I have a pair of LDAP boxes, which ~thirty systems are looking up for
authentication via LDAP. Auth all works well. No issues there.
The issue, however, is that..
Even with local system accounts (root, www-data, postfix, etc), the
systems are still contacting the LDAP servers, and I just don't see why
(considering I have Files specified first in nsswitch.conf and
pam_unix.so first in all the pam confs).
Ideally, if the accounts are local, I'd like the systems to say 'ok, we
have our account, now let's not query the LDAP server'
Anyhow, here's my confs:
nsswitch.conf-
passwd: files ldap
group: files ldap
shadow: files ldap
sudoers: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
common-auth:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth required pam_permit.so
common-account:
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_permit.so
common-password:
password sufficient pam_unix.so nullok md5 shadow obscure min=4 max=8
password sufficient pam_ldap.so use_first_pass
password required pam_permit.so
common-session:
session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient pam_unix.so
session sufficient pam_ldap.so
Oh, and software versions:
libldap2 2.1.30-3
libnss-ldap 238-1
libpam-ldap 180-1
Soooo, anyone seen the same symptoms?
Any ideas or suggestions would be very helpful
Regards,
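Following Andrew's point that initgroups() reaches LDAP for every login while "group: files ldap" is set, and Josh's ldap.conf above, here is an added shell check (not from the thread) that reports which accounts in a passwd file are not yet listed in nss_initgroups_ignoreusers and builds a directive covering all of them. The function names and the sample files written by write_samples are constructed for illustration.

```shell
# Added example, not from the thread: audit an ldap.conf against a passwd
# file so every local account is listed in nss_initgroups_ignoreusers and
# initgroups() never reaches LDAP for it. Function names and the sample
# files written by write_samples are constructed for illustration.

# Print the user list from the last active nss_initgroups_ignoreusers line;
# commented-out lines start with '#' in field 1 and are ignored.
ignoreusers_from_ldapconf() {
    awk '$1 == "nss_initgroups_ignoreusers" { print $2 }' "$1" | tail -n 1
}

# Print local account names from a passwd-format file, one per line.
local_users() {
    awk -F: 'NF >= 7 && $1 != "" { print $1 }' "$1"
}

# Print local users NOT covered by the directive: for these, a login still
# triggers an LDAP group lookup while "group: files ldap" is in nsswitch.conf.
uncovered_users() {
    list=$(ignoreusers_from_ldapconf "$1")
    local_users "$2" | while IFS= read -r u; do
        case ",$list," in
            *",$u,"*) ;;                 # already listed, no LDAP call
            *) printf '%s\n' "$u" ;;
        esac
    done
}

# Build a directive covering every account in the passwd file.
suggested_directive() {
    out=""
    for u in $(local_users "$1"); do out="${out:+$out,}$u"; done
    printf 'nss_initgroups_ignoreusers %s\n' "$out"
}

# Write constructed sample files (three system accounts, Josh's ldap.conf
# settings from the thread) into the directory given as $1.
write_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'postfix:x:102:104::/var/spool/postfix:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'timelimit 15' 'bind_timelimit 15' 'bind_policy soft' \
        '#nss_initgroups_ignoreusers root,www-data,postfix' \
        'nss_initgroups_ignoreusers root,ldap' > "$1/ldap.conf"
}
dir=$(mktemp -d) && write_samples "$dir"
echo "Local accounts still reaching LDAP in initgroups():"
uncovered_users "$dir/ldap.conf" "$dir/passwd"
suggested_directive "$dir/passwd"
rm -rf "$dir"
```

Run it against the real /etc/passwd and /etc/ldap.conf to see which system accounts (www-data, postfix, ...) would still cause an LDAP round trip at login.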
Next Message by Date:
Re: nsswitch.conf issues with LDAP Auth?
On Tue, 2006-09-12 at 09:35 -0700, Andrew Morgan wrote:
> When a user logs in, the function initgroups() is called by the login
> process. This function tries to enumerate *all* the groups a user is a
> member of. So, it will always contact LDAP if you have "ldap" listed in
> nsswitch.conf under "group".
>
> However, in nss-ldap v245, the following was added to address this:
>
> * add nss_initgroups_ignoreusers parameter to ldap.conf,
> returns NOTFOUND if nss_ldap's initgroups() is called
> for users (comma separated)
>
> This should finally solve the local logon-as-root-when-directory-is-down
> problem. Try putting "nss_initgroups_ignoreusers root" in /etc/ldap.conf.
>
> It looks like you have 2 options:
>
> 1. Remove "ldap" from the "group" entry in nsswitch.conf.
> 2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option
Argh! Of course. Thanks for pointing this out to me, guys. Very helpful.
Now to update to v245 (there was some (forgotten) issue I had
encountered when originally trying this version, so maybe you'll hear
from me again)
- Dan