Re: nsswitch.conf issues with LDAP Auth?: msg#00015

ldap.padl.nss

Subject: Re: nsswitch.conf issues with LDAP Auth?

On Tue, 2006-09-12 at 09:35 -0700, Andrew Morgan wrote:
> When a user logs in, the function initgroups() is called by the login
> process. This function tries to enumerate *all* the groups a user is a
> member of. So, it will always contact LDAP if you have "ldap" listed in
> nsswitch.conf under "group".
>
> However, in nss-ldap v245, the following was added to address this:
>
> * add nss_initgroups_ignoreusers parameter to ldap.conf,
> returns NOTFOUND if nss_ldap's initgroups() is called
> for users (comma separated)
>
> This should finally solve the local logon-as-root-when-directory-
> is-down problem. Try putting "nss_initgroups_ignoreusers root" in
> /etc/ldap.conf.
>
> It looks like you have 2 options:
>
> 1. Remove "ldap" from the "group" entry in nsswitch.conf.
> 2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option

Argh! Of course. Thanks for pointing this out to me, guys. Very helpful.
Now to update to v245 (there was some (forgotten) issue I had
encountered when originally trying this version, so maybe you'll hear
from me again).

- Dan
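
A way to check which of the two options listed in the quoted reply is in effect for a given account, as an added example that is not part of the original thread. The function names are made up for illustration, the config file paths are passed as arguments, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Succeeds if the "group" database in nsswitch.conf lists the ldap source.
# Comments are stripped and "group:files" (no space) is tolerated.
group_uses_ldap() {
    awk '{ sub(/#.*/, ""); sub(/:/, ": ") }
         $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit !found }' "$1"
}

# Prints the users named by nss_initgroups_ignoreusers in ldap.conf,
# one per line (the value is a comma separated list).
ignored_users() {
    awk '{ sub(/#.*/, "") }
         $1 == "nss_initgroups_ignoreusers" {
             for (i = 2; i <= NF; i++) {
                 n = split($i, u, ",")
                 for (j = 1; j <= n; j++) if (u[j] != "") print u[j]
             }
         }' "$1"
}

# check_user USER NSSWITCH_CONF LDAP_CONF
# Prints one of:
#   local-only  "ldap" is not in the group entry (option 1)
#   ignored     user is covered by nss_initgroups_ignoreusers (option 2)
#   needs-ldap  initgroups() will contact LDAP when this user logs in
check_user() {
    if ! group_uses_ldap "$2"; then
        echo "local-only"
    elif ignored_users "$3" | grep -qxF -- "$1"; then
        echo "ignored"
    else
        echo "needs-ldap"
    fi
}

# Constructed sample configs, written to a temporary directory.
tmp=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap\n' > "$tmp/nsswitch.conf"
printf '# constructed\nnss_initgroups_ignoreusers root,backup\n' > "$tmp/ldap.conf"
for u in root backup alice; do
    printf '%s: %s\n' "$u" "$(check_user "$u" "$tmp/nsswitch.conf" "$tmp/ldap.conf")"
done
rm -rf "$tmp"
```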


