
Re: nsswitch.conf issues with LDAP Auth?

by Josh Miller

The big reason why ldap is still contacted is to find out if the user is
in any ldap groups.  Since a user can be in a large number of groups,
local and directory based, it has to contact them to figure out which
ones.  I have implemented the following configuration as part of my
ldap.conf to reduce the dependency on ldap when disasters occur:

  timelimit 15
  bind_timelimit 15
  bind_policy soft
  nss_initgroups_ignoreusers root,ldap

 From the man page for nss_initgroups_ignoreusers:

  nss_initgroups_ignoreusers <user1,user2,...,userN>
              This option directs the nss_ldap implementation of
              initgroups(3) to return NSS_STATUS_NOTFOUND if called with one
              of the listed users as its argument.

And this prevents a dependency upon ldap for those listed users.

- Josh, RHCE

Daniel Cross wrote:

> Hello all,
>
> I seem to be having some issues with getting auth requests to not look up
> the ldap server if the account is local and have tried everything and am
> stumped. Here's a rundown...
>
> What I'm doing:
> I have a pair of LDAP boxes, which ~thirty systems are looking up for
> authentication via LDAP. Auth all works well. No issues there.
>
> The issue, however, is that..
> Even with local system accounts (root, www-data, postfix, etc), the
> systems are still contacting the LDAP servers, and I just don't see why
> (considering I have files specified first in nsswitch.conf and
> pam_unix.so first in all the pam confs).
> Ideally, if the accounts are local, I'd like the systems to say 'ok, we
> have our account, now let's not query the LDAP server'
>
> Anyhow, here's my confs:
> nsswitch.conf-
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> sudoers:        files ldap
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> common-auth:
> auth    sufficient      pam_unix.so nullok_secure
> auth    sufficient      pam_ldap.so use_first_pass
> auth    required        pam_permit.so
>
> common-account:
> account    sufficient   pam_unix.so
> account    sufficient   pam_ldap.so
> account    required     pam_permit.so
>
> common-password:
> password   sufficient   pam_unix.so nullok md5 shadow obscure min=4 max=8
> password   sufficient   pam_ldap.so use_first_pass
> password   required     pam_permit.so
>
> common-session:
> session    optional     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
> session    sufficient   pam_unix.so
> session    sufficient   pam_ldap.so
>
> Oh, and software versions:
> libldap2       2.1.30-3
> libnss-ldap    238-1
> libpam-ldap    180-1
>
> Soooo, anyone seen the same symptoms?
> Any ideas or suggestions would be very helpful
>
> Regards,
>
>  
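The following script is an added illustration, not something either poster wrote. It turns the advice in Josh's reply into a check a practitioner can run: it reads a passwd file, picks out the local system accounts (assumed here to be UID 999 and below, which is the Debian convention; older distributions used lower cut-offs), and compares an ldap.conf against the four settings recommended above, reporting which are missing and which local accounts are not yet covered by nss_initgroups_ignoreusers. The sample passwd and ldap.conf contents are constructed for the demonstration; the audit() function and its field names are this example's own, not part of nss_ldap.

```python
"""Audit /etc/ldap.conf against the failure-tolerance settings recommended in
the thread and the local system accounts that should never depend on LDAP.

Example code added to illustrate the reply above; not from nss_ldap itself.
"""

# Constructed sample of a Debian-style /etc/passwd (not from the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
postfix:x:104:108::/var/spool/postfix:/bin/false
ldap:x:105:109:OpenLDAP Server Account:/var/lib/ldap:/bin/false
dcross:x:1000:1000:Daniel Cross:/home/dcross:/bin/bash
"""

# Constructed sample ldap.conf with the common "before" state: hard bind
# policy, no time limits, and only a partial ignore list.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf (nss_ldap / pam_ldap)
base dc=example,dc=com
uri ldap://ldap1.example.com ldap://ldap2.example.com
bind_policy hard
nss_initgroups_ignoreusers root,ldap
"""

# Baseline taken from the reply above.
RECOMMENDED = {
    "timelimit": "15",
    "bind_timelimit": "15",
    "bind_policy": "soft",
}


def local_system_users(passwd_text, max_system_uid=999):
    """Return the names of local accounts in the system UID range, in file
    order.  The 999 cut-off is an assumption (Debian style); adjust it for
    systems that reserve a smaller range."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed entry; skip rather than guess
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) <= max_system_uid:
            users.append(name)
    return users


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; keys are lower-cased, comments
    and blank lines are ignored, later duplicates win (as nss_ldap does)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(passwd_text, ldap_conf_text):
    """Compare ldap.conf against RECOMMENDED and the local system accounts.

    Returns a dict with:
      wrong         -> recommended keys whose value is missing or different
      missing_users -> local system accounts not in nss_initgroups_ignoreusers
      fixes         -> ldap.conf lines that would bring the file in line
    """
    settings = parse_ldap_conf(ldap_conf_text)
    wrong = {k: settings.get(k) for k, v in RECOMMENDED.items()
             if settings.get(k) != v}

    ignored = {u.strip() for u in
               settings.get("nss_initgroups_ignoreusers", "").split(",")
               if u.strip()}
    local = local_system_users(passwd_text)
    missing_users = [u for u in local if u not in ignored]

    fixes = [f"{k} {v}" for k, v in RECOMMENDED.items() if k in wrong]
    if missing_users:
        # Keep passwd order, then any previously ignored names not in passwd.
        combined = local + sorted(u for u in ignored if u not in local)
        fixes.append("nss_initgroups_ignoreusers " + ",".join(combined))
    return {"wrong": wrong, "missing_users": missing_users, "fixes": fixes}


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_LDAP_CONF)
    for key, value in report["wrong"].items():
        print(f"{key}: found {value!r}, want {RECOMMENDED[key]!r}")
    print("local accounts still depending on LDAP for groups:",
          ", ".join(report["missing_users"]) or "none")
    print("suggested ldap.conf lines:")
    for line in report["fixes"]:
        print("  " + line)
```

To run it against a real host, replace the two sample strings with the contents of /etc/passwd and /etc/ldap.conf. One caveat worth keeping in mind before pasting the generated line in: for every account listed in nss_initgroups_ignoreusers, initgroups(3) returns "not found" from nss_ldap, so any group memberships that account has in the directory are silently ignored. That is exactly what you want for root and daemon accounts, and exactly what you do not want for a human user, which is why the script only considers the system UID range.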
