Re: nsswitch.conf issues with LDAP Auth?

On Tue, 12 Sep 2006, Daniel Cross wrote:

> Hello all,
>
> I seem to be having some issues with getting auth requests to not lookup
> the ldap server if the account is local and have tried everthing and am
> stumped. Heres a rundown...
>
> What I'm doing:
> I have a pair of LDAP boxes, which ~thirty systems are looking up for
> authentication via LDAP. Auth all works well. No issues there.
>
> The issue, however is that..
> Even with local system accounts (root, www-data, postfix, etc), the
> systems are still contacting the LDAP servers, and I just don't see why
> (considering I have Files specified first in nsswitch.conf and
> pam_unix.so first in all the pam confs).
> Ideally, if the accounts are local, I'd like the systems to say 'ok, we
> have our account, now lets not query the LDAP server'
>
> Anyhow, heres my confs:
> nsswitch.conf-
> passwd:         files ldap
> group:          files ldap

When a user logs in, the function initgroups() is called by the login 
process.  This function tries to enumerate *all* the groups a user is a 
member of.  So, it will always contact LDAP if you have "ldap" listed in 
nsswitch.conf under "group".

However, in nss-ldap v245, the following was added to address this:

        * add nss_initgroups_ignoreusers parameter to ldap.conf,
          returns NOTFOUND if nss_ldap's initgroups() is called
          for users (comma separated)

    This should finally solve the local logon-as-root-when-directory-
    is-down problem. Try putting "nss_initgroups_ignoreusers root" in
    /etc/ldap.conf.

It looks like you have 2 options:

1. Remove "ldap" from the "group" entry in nsswitch.conf.
2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option.

        Andy