
Re: nsswitch.conf issues with LDAP Auth?

by Daniel Cross-2


On Tue, 2006-09-12 at 09:35 -0700, Andrew Morgan wrote:

> When a user logs in, the function initgroups() is called by the login
> process.  This function tries to enumerate *all* the groups a user is a
> member of.  So, it will always contact LDAP if you have "ldap" listed in
> nsswitch.conf under "group".
>
> However, in nss-ldap v245, the following was added to address this:
>
>          * add nss_initgroups_ignoreusers parameter to ldap.conf,
>            returns NOTFOUND if nss_ldap's initgroups() is called
>            for users (comma separated)
>
>      This should finally solve the local logon-as-root-when-directory-
>      is-down problem. Try putting "nss_initgroups_ignoreusers root" in
>      /etc/ldap.conf.
>
> It looks like you have 2 options:
>
> 1. Remove "ldap" from the "group" entry in nsswitch.conf.
> 2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option

Argh! Of course. Thanks for pointing this out to me guys. Very helpful.
Now to update to v245 (there was some (forgotten) issue I had
encountered when originally trying this version, so maybe you'll hear
from me again).

- Dan
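The two fixes Andrew describes (drop "ldap" from the "group:" line, or list the account in nss_initgroups_ignoreusers so nss_ldap answers NOTFOUND for it) can be checked mechanically before a directory outage proves the point. The script below is an added example and not from anyone in this thread: it reads an nsswitch.conf and an ldap.conf and reports whether initgroups() for a given user can still be satisfied without reaching LDAP. The three configuration files it inspects are constructed samples written to a temporary directory; the option name and its comma-separated syntax are taken from the quoted changelog.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Decides whether a local login as
# USER still depends on the LDAP server for group enumeration: it does unless
# "ldap" is absent from the "group:" source list, or USER appears in
# nss_initgroups_ignoreusers (available from nss_ldap v245 on).

# Returns 0 if initgroups() for USER can bypass LDAP, 1 if it still hits LDAP.
initgroups_bypasses_ldap() {
    nsswitch="$1"; ldapconf="$2"; user="$3"

    # Source list for "group:", e.g. "files ldap"; comments may trail it.
    group_line=$(sed -n 's/^[[:space:]]*group:[[:space:]]*//p' "$nsswitch" | head -n 1)
    case " $group_line " in
        *" ldap "*) ;;            # ldap listed: fall through to the ldap.conf check
        *) return 0 ;;            # option 1 from the thread: no ldap for group
    esac

    # nss_initgroups_ignoreusers root,backup -> turn the list into words.
    ignore=$(sed -n 's/^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]*//p' "$ldapconf" \
             | head -n 1 | tr ',' ' ')
    case " $ignore " in
        *" $user "*) return 0 ;;  # option 2: nss_ldap returns NOTFOUND for this user
    esac
    return 1
}

# Constructed sample configurations (not copied from any real host).
SAMPLE_DIR=$(mktemp -d)

# Weak: group lookups include ldap and nothing exempts root.
WEAK_NSS="$SAMPLE_DIR/nsswitch.weak.conf"
WEAK_LDAP="$SAMPLE_DIR/ldap.weak.conf"
printf 'passwd: files ldap\ngroup:  files ldap   # groups from the directory too\n' > "$WEAK_NSS"
printf 'host 192.0.2.10\nbase dc=example,dc=test\n' > "$WEAK_LDAP"

# Option 1: ldap removed from the group entry.
OPT1_NSS="$SAMPLE_DIR/nsswitch.opt1.conf"
printf 'passwd: files ldap\ngroup:  files\n' > "$OPT1_NSS"

# Option 2: ldap kept for group, but root exempted in ldap.conf.
OPT2_LDAP="$SAMPLE_DIR/ldap.opt2.conf"
printf 'host 192.0.2.10\nbase dc=example,dc=test\nnss_initgroups_ignoreusers root,backup\n' > "$OPT2_LDAP"

# Human-readable verdict for one (nsswitch, ldap.conf, user) combination.
report() {
    if initgroups_bypasses_ldap "$1" "$2" "$3"; then
        echo "$3: local login does not need LDAP for initgroups() ($1, $2)"
    else
        echo "$3: local login still blocks on LDAP for initgroups() ($1, $2)"
    fi
}

report "$WEAK_NSS" "$WEAK_LDAP" root
report "$OPT1_NSS" "$WEAK_LDAP" root
report "$WEAK_NSS" "$OPT2_LDAP" root
report "$WEAK_NSS" "$OPT2_LDAP" alice
```

Run it against the real /etc/nsswitch.conf and /etc/ldap.conf of a host to see which accounts would still hang at initgroups() while the directory is unreachable; an account like alice that is not in the ignore list is expected to report as LDAP-dependent, since the option is meant for the few local accounts you need when the directory is down.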
