On Tue, 12 Sep 2006, Daniel Cross wrote:
> Hello all,
>
> I seem to be having some issues with getting auth requests to not look up
> the ldap server if the account is local and have tried everything and am
> stumped. Here's a rundown...
>
> What I'm doing:
> I have a pair of LDAP boxes, which ~thirty systems are looking up for
> authentication via LDAP. Auth all works well. No issues there.
>
> The issue, however, is that...
> Even with local system accounts (root, www-data, postfix, etc), the
> systems are still contacting the LDAP servers, and I just don't see why
> (considering I have Files specified first in nsswitch.conf and
> pam_unix.so first in all the pam confs).
> Ideally, if the accounts are local, I'd like the systems to say 'ok, we
> have our account, now let's not query the LDAP server'
>
> Anyhow, here's my confs:
> nsswitch.conf-
> passwd: files ldap
> group: files ldap

When a user logs in, the function initgroups() is called by the login
process. This function tries to enumerate *all* the groups a user is a
member of. So, it will always contact LDAP if you have "ldap" listed in
nsswitch.conf under "group".
However, in nss-ldap v245, the following was added to address this:

    * add nss_initgroups_ignoreusers parameter to ldap.conf,
      returns NOTFOUND if nss_ldap's initgroups() is called
      for users (comma separated)

This should finally solve the local logon-as-root-when-directory-is-down
problem. Try putting "nss_initgroups_ignoreusers root" in /etc/ldap.conf.

It looks like you have 2 options:

1. Remove "ldap" from the "group" entry in nsswitch.conf.
2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option.

Andy
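The two options Andy describes come down to a simple rule: an initgroups() call reaches the directory whenever "ldap" appears on the group line of nsswitch.conf and the user is not listed in nss_initgroups_ignoreusers. The script below is an added example, not part of the thread and not nss_ldap's own code; it models that rule over constructed sample configs so you can see which users would still trigger an LDAP query under the original setup, under option 1, and under option 2. It assumes nss_initgroups_ignoreusers takes a single comma-separated list on one line, as the quoted changelog states, and the hostnames and base DN are placeholders.

```shell
#!/bin/sh
# Added example: model whether initgroups() for a given user would reach LDAP,
# given the text of nsswitch.conf and ldap.conf. Assumes a comma-separated
# nss_initgroups_ignoreusers line as described in the nss-ldap v245 changelog.

# Constructed sample: the poster's original nsswitch.conf entries.
NSSWITCH_BEFORE='passwd: files ldap
group: files ldap'

# Constructed sample: option 1, "ldap" removed from the group line.
NSSWITCH_OPTION1='passwd: files ldap
group: files'

# Constructed sample: ldap.conf without the ignore list (placeholder URI/base).
LDAPCONF_PLAIN='uri ldap://ldap.example.invalid/
base dc=example,dc=invalid'

# Constructed sample: option 2, local service accounts excluded from initgroups().
LDAPCONF_WITH_IGNORE='uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
nss_initgroups_ignoreusers root,www-data,postfix'

# group_uses_ldap NSSWITCH_TEXT -> status 0 if the "group:" line lists ldap
group_uses_ldap() {
    printf '%s\n' "$1" | awk '
        $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# user_ignored LDAPCONF_TEXT USER -> status 0 if USER is in nss_initgroups_ignoreusers
user_ignored() {
    printf '%s\n' "$1" | awk -v user="$2" '
        $1 == "nss_initgroups_ignoreusers" {
            n = split($2, users, ",")
            for (i = 1; i <= n; i++) if (users[i] == user) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# initgroups_hits_ldap NSSWITCH_TEXT LDAPCONF_TEXT USER
# Prints "ldap" if the group enumeration would contact the directory,
# "local" if it is answered from files alone.
initgroups_hits_ldap() {
    if group_uses_ldap "$1" && ! user_ignored "$2" "$3"; then
        echo ldap
    else
        echo local
    fi
}

# Walk the three configurations for a few constructed users.
for user in root www-data postfix alice; do
    printf '%-9s original: %-5s option1: %-5s option2: %s\n' "$user" \
        "$(initgroups_hits_ldap "$NSSWITCH_BEFORE"  "$LDAPCONF_PLAIN"       "$user")" \
        "$(initgroups_hits_ldap "$NSSWITCH_OPTION1" "$LDAPCONF_PLAIN"       "$user")" \
        "$(initgroups_hits_ldap "$NSSWITCH_BEFORE"  "$LDAPCONF_WITH_IGNORE" "$user")"
done
```

Note that under option 2 a directory user such as "alice" still goes to LDAP for her group list, which is the intended behaviour; only the named local accounts are short-circuited. To confirm the change on a real host, log in as root while the directory is unreachable (or watch the LDAP server's connection log) rather than trusting the model alone.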