On Tue, 12 Sep 2006, Daniel Cross wrote:
Hello all,
I seem to be having some issues with getting auth requests to not lookup
the ldap server if the account is local and have tried everthing and am
stumped. Heres a rundown...
What I'm doing:
I have a pair of LDAP boxes, which ~thirty systems are looking up for
authentication via LDAP. Auth all works well. No issues there.
The issue, however is that..
Even with local system accounts (root, www-data, postfix, etc), the
systems are still contacting the LDAP servers, and I just don't see why
(considering I have Files specified first in nsswitch.conf and
pam_unix.so first in all the pam confs).
Ideally, if the accounts are local, I'd like the systems to say 'ok, we
have our account, now lets not query the LDAP server'
Anyhow, heres my confs:
nsswitch.conf-
passwd: files ldap
group: files ldap
When a user logs in, the function initgroups() is called by the login
process. This function tries to enumerate *all* the groups a user is a
member of. So, it will always contact LDAP if you have "ldap" listed in
nsswitch.conf under "group".
However, in nss-ldap v245, the following was added to address this:
* add nss_initgroups_ignoreusers parameter to ldap.conf,
returns NOTFOUND if nss_ldap's initgroups() is called
for users (comma separated)
This should finally solve the local logon-as-root-when-directory-
is-down problem. Try putting "nss_initgroups_ignoreusers root" in
/etc/ldap.conf.
It looks like you have 2 options:
1. Remove "ldap" from the "group" entry in nsswitch.conf.
2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option.
Andy
|
