Avoid LDAP queries of some users?

Avoid LDAP queries of some users?

by Jordi Espasa Clofent-5

Hi all,

I have an OpenLDAP server as account server (only for sshd access, using PAM). All
works fine, but in the LDAP server logs I see a lot of LDAP queries for
users that don't exist in the LDAP database (such as www-data, postfix or clamav):

// user www-data
# cat /var/log/syslog | grep www-data | tail
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089909 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089912 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089911 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089910 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089909 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089912 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089910 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089911 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=www-data))"

// user postfix
# cat /var/log/syslog | grep postfix | tail
Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090123 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090123 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090124 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090124 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090125 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:57:42 xen-ldap03 slapd[9785]: conn=4090125 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 10:59:06 xen-ldap03 slapd[9785]: conn=4090138 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:59:06 xen-ldap03 slapd[9785]: conn=4090138 op=3 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=postfix))"

// user clamav
# cat /var/log/syslog | grep clam | tail
Aug 24 09:21:44 xen-ldap03 slapd[9785]: conn=4065713 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:22:34 xen-ldap03 slapd[9785]: conn=4066846 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:24:50 xen-ldap03 slapd[9785]: conn=4068425 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:43:44 xen-ldap03 slapd[9785]: conn=4083805 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:49:50 xen-ldap03 slapd[9785]: conn=4088652 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=clamav))"
Aug 24 09:50:21 xen-ldap03 slapd[9785]: conn=4089003 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:21 xen-ldap03 slapd[9785]: conn=4089004 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:22 xen-ldap03 slapd[9785]: conn=4089042 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:22 xen-ldap03 slapd[9785]: conn=4089052 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:50:23 xen-ldap03 slapd[9785]: conn=4089067 op=2 SRCH
base="dc=cdmon,dc=com" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=clamav))"

Why does the client system ask the LDAP server for users such as www-data,
postfix or clamav? They don't exist in the LDAP database.

My /etc/nsswitch.conf looks like:

# cat /etc/nsswitch.conf

passwd:         files ldap
group:           files ldap
shadow:        files ldap

sudoers:        ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

The way things happen is simple: the client asks for something in the
files resource (local system) and, if it gets no response, asks the
next resource (ldap).

So the question is simple:
how can I avoid certain local users (such as postfix, clamav or
www-data) being looked up in the ldap resource?

Obviously, I still need the ldap resource in nsswitch.conf to
correctly validate the users that _exist_ in the LDAP server.

More useful info:

// server OpenLDAP version
# dpkg -l | grep slapd
ii  slapd          2.4.11-1    OpenLDAP server (slapd)

// client NSS-LDAP version
# dpkg -l | grep libnss-ldap
ii  libnss-ldap    261-2.1     NSS module for using LDAP as a naming service


--
Thanks,
Jordi Espasa Clofent
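Added example (Python; not code from the thread, nss_ldap or OpenLDAP): a script that parses slapd SRCH records like the ones quoted above and counts which local accounts, taken from the client's /etc/passwd, are generating LDAP lookups and of which kind (posixAccount = passwd lookup, shadowAccount = shadow lookup, posixGroup/memberUid = group lookup from initgroups). The log lines and passwd entries are constructed, modelled on the ones in the post; the uids, the jespasa user and the BIND line are hypothetical. The lookups originate on the client, but the server log is where you see them, so this is the check to run before and after any change to nsswitch.conf or ldap.conf.

```python
import re
from collections import Counter

# Constructed sample of slapd SRCH records, modelled on the ones quoted in the
# post (syslog writes each record on one line; the wrapping in the mail is an
# artifact).  The 'jespasa' user and the BIND line are hypothetical additions.
SAMPLE_LOG = """\
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=2 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=www-data))"
Aug 24 10:23:54 xen-ldap03 slapd[9785]: conn=4089908 op=3 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=www-data))"
Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=2 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug 24 10:54:07 xen-ldap03 slapd[9785]: conn=4090105 op=3 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=postfix))"
Aug 24 09:22:34 xen-ldap03 slapd[9785]: conn=4066846 op=2 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=clamav))"
Aug 24 09:30:00 xen-ldap03 slapd[9785]: conn=4070000 op=2 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=jespasa))"
Aug 24 09:30:00 xen-ldap03 slapd[9785]: conn=4070000 op=3 SRCH base="dc=cdmon,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jespasa))"
Aug 24 09:30:01 xen-ldap03 slapd[9785]: conn=4070001 op=0 BIND dn="" method=128
"""

# Constructed excerpt of the client's /etc/passwd; uids are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
postfix:x:106:110::/var/spool/postfix:/bin/false
clamav:x:108:112::/var/lib/clamav:/bin/false
"""

SRCH_RE = re.compile(r'slapd\[\d+\]: conn=\d+ op=\d+ SRCH .*?filter="(?P<filter>[^"]*)"')
# uid= is the passwd/shadow lookup, memberUid= the group (initgroups) lookup,
# exactly as in the filters quoted in the post.  Wildcard filters are skipped.
UID_RE = re.compile(r'\((?:uid|memberUid)=(?P<uid>[^)*]+)\)')
CLASS_RE = re.compile(r'\(objectClass=(?P<cls>[^)]+)\)')


def parse_passwd(text):
    """Return {username: uid} from passwd(5)-format text; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(':')
        if line.startswith('#') or len(fields) < 3:
            continue
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def parse_searches(text):
    """Yield (user, objectClass) for every SRCH record with an exact uid/memberUid filter."""
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue
        u = UID_RE.search(m.group('filter'))
        c = CLASS_RE.search(m.group('filter'))
        if u and c:
            yield u.group('uid'), c.group('cls')


def local_leaks(log_text, passwd_text, uid_below=None):
    """Count LDAP lookups keyed by (local user, objectClass).

    Names absent from passwd_text are the legitimate LDAP users and are
    ignored.  With uid_below set, only local accounts whose uid is below the
    cut-off are counted (the 'uid < 500' rule guillomovitch mentions)."""
    local = parse_passwd(passwd_text)
    counts = Counter()
    for user, cls in parse_searches(log_text):
        if user not in local:
            continue
        if uid_below is not None and local[user] >= uid_below:
            continue
        counts[(user, cls)] += 1
    return counts


def report(counts):
    """Render the counts as 'user objectClass n' lines, busiest first."""
    return '\n'.join('%-10s %-14s %d' % (u, c, n)
                     for (u, c), n in counts.most_common())


if __name__ == '__main__':
    # Real use: local_leaks(open('/var/log/syslog').read(), open('/etc/passwd').read())
    print(report(local_leaks(SAMPLE_LOG, SAMPLE_PASSWD)))
```

Run it against the real syslog and /etc/passwd of the client: every row it prints is a local account whose lookup reached the directory. A posixGroup/memberUid row for a local user is the initgroups() case discussed below; posixAccount or shadowAccount rows for local users mean the passwd or shadow lookup itself fell through to ldap, which the files-first order in nsswitch.conf alone does not prevent for accounts that are looked up by uid rather than name.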

Re: Avoid LDAP queries of some users?

by guillomovitch

Jordi Espasa Clofent wrote:

> My /etc/nsswitch.conf looks like:
>
> # cat /etc/nsswitch.conf
>
> passwd:         files ldap
> group:           files ldap
> shadow:        files ldap
>
> sudoers:        ldap
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> The way that the things happen is simple: the client ask for something
> in files resources (local system) and if not get any response, then ask
> the next resource (ldap).
That's one classical nss trap. Whereas what you describe is the only
documented behaviour in the nsswitch.conf man page, some function calls
behave differently. In particular, initgroups() always uses all resources
available, because a local user could also have additional groups in
other databases.

> So the question is simple
> ¿How I can avoid that certain local users (as postifx, clamav or
> www-data) asks to ldap resource ?
You may use the nss_initgroups_ignoreusers directive for nss_ldap, which is
painful because you have to list all users explicitly; there is no way
to say 'all users with uid < 500'.

Alternatively, you may try to change nss behaviour this way, if you
never mix local users and ldap groups (untested):
group: files [SUCCESS=return] ldap
--
BOFH excuse #61:

not approved by the FCC

Re: Avoid LDAP queries of some users?

by Jordi Espasa Clofent-5

Guillaume Rousse wrote:
> That's one classical nss trap. Whereas what you describe is the only
> documented behaviour in nsswitch.conf man page, some functions call
> behave differently. In particular, initgroups() always use all resources
> available, because a local user could also have additional groups in
> other databases.

Yes, I've searched the archive. As Howard Chu says here (1), it's the
expected behaviour of the initgroups(3) function.

> You may use nss_initgroups_ignoreusers directive for nss_ldap, which is
> painful because you have to lists all users explicitely, there is no way
> to tell 'all users with uid < 500'.

Mmmmm... ok. Maybe a simple Perl script can do it for me ;)
The question is: is there some limit on the number of parameters (users) I
can put in the nss_initgroups_ignoreusers directive? I'm thinking that I have
some boxes with more than 800 local users...

> Alternatively, you may try to change nss behaviour this way, if you
> never mix local users and ldap groups (untested):
> group: files [SUCCESS=return] ldap

Mmmmm... I think that the initgroups(3) function doesn't pay any attention
to this and always asks all the resources listed in nsswitch.conf.

(1) http://marc.info/?l=nssldap&m=106326923508660&w=2

--
Thanks,
Jordi Espasa Clofent
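guillomovitch's nss_initgroups_ignoreusers directive needs every local user listed by name, and Jordi proposes generating that list with a script. Added example (Python; not the thread's own code, nor nss_ldap's): it builds the directive from a passwd(5) file with a uid cut-off, so "all users with uid < 500" becomes expressible after all, and splices it into /etc/ldap.conf, replacing any existing line (JeffH's single-user line in the next message is the shape it replaces). It assumes the comma-separated form of the directive from nss_ldap's ldap.conf(5); the passwd entries, uids and ldap.conf fragment are constructed. On Jordi's length question: nss_ldap reads ldap.conf line by line into a fixed-size buffer, so the script also reports the byte length of the line it generates, to be compared with the buffer size in your build rather than trusted blindly.

```python
# Constructed passwd(5) excerpt; uids are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
postfix:x:106:110::/var/spool/postfix:/bin/false
clamav:x:108:112::/var/lib/clamav:/bin/false
jordi:x:1000:1000:Jordi,,,:/home/jordi:/bin/bash
"""

# Constructed /etc/ldap.conf fragment with a single-user ignore line.
SAMPLE_LDAP_CONF = """\
base dc=cdmon,dc=com
uri ldap://xen-ldap03/
nss_initgroups_ignoreusers root
"""

DIRECTIVE = 'nss_initgroups_ignoreusers'


def local_system_users(passwd_text, uid_below=500):
    """Names of local accounts with uid < uid_below, in passwd order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if line.startswith('#') or len(fields) < 3:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue          # malformed line: skip rather than guess
        if uid < uid_below:
            names.append(fields[0])
    return names


def ignoreusers_line(passwd_text, uid_below=500, extra=()):
    """Build the directive; names in 'extra' are added regardless of uid."""
    names = local_system_users(passwd_text, uid_below)
    names += [n for n in extra if n not in names]
    return DIRECTIVE + ' ' + ','.join(names)


def splice_ldap_conf(conf_text, line):
    """Replace every existing directive line with 'line' (kept once), or append it."""
    out, done = [], False
    for old in conf_text.splitlines():
        if old.split()[:1] == [DIRECTIVE]:
            if not done:
                out.append(line)
                done = True
            continue
        out.append(old)
    if not done:
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Real use: read /etc/passwd and /etc/ldap.conf, write the result back,
    # then re-check the slapd log for posixGroup/memberUid lookups of local users.
    line = ignoreusers_line(SAMPLE_PASSWD)
    print('%d bytes: %s' % (len(line), line))   # compare with your nss_ldap line buffer
    print(splice_ldap_conf(SAMPLE_LDAP_CONF, line), end='')
```

The directive only affects nss_ldap's initgroups() path (the posixGroup/memberUid searches in the log); passwd and shadow lookups for local users that fall through to ldap are a separate matter and are not touched by it.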

Re: Avoid LDAP queries of some users?

by JeffH

Hi, I have the same problem.
I put nss_initgroups_ignoreusers root in /etc/ldap.conf, but the system still queries the LDAP server. Any idea?

Thanks!
