nsswitch.conf issues with LDAP Auth?

by Daniel Cross-2

Hello all,

I seem to be having some issues with getting auth requests to not look up
the ldap server if the account is local and have tried everything and am
stumped. Here's a rundown...

What I'm doing:
I have a pair of LDAP boxes, which ~thirty systems are looking up for
authentication via LDAP. Auth all works well. No issues there.

The issue, however, is that...
Even with local system accounts (root, www-data, postfix, etc), the
systems are still contacting the LDAP servers, and I just don't see why
(considering I have Files specified first in nsswitch.conf and
pam_unix.so first in all the pam confs).
Ideally, if the accounts are local, I'd like the systems to say 'ok, we
have our account, now let's not query the LDAP server'

Anyhow, here's my confs:
nsswitch.conf-
passwd:         files ldap
group:          files ldap
shadow:         files ldap
sudoers:        files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

common-auth:
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_permit.so

common-account:
account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_permit.so

common-password:
password   sufficient   pam_unix.so nullok md5 shadow obscure min=4 max=8
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_permit.so

common-session:
session    optional     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session    sufficient   pam_unix.so
session    sufficient   pam_ldap.so

Oh, and software versions:
libldap2       2.1.30-3
libnss-ldap    238-1
libpam-ldap    180-1

Soooo, anyone seen the same symptoms?
Any ideas or suggestions would be very helpful.

Regards,

--
Daniel Cross                                    
Systems Administrator                           Cell +64 21535975
WorldxChange                                    DDI  +64 9 9501354

Re: nsswitch.conf issues with LDAP Auth?

by Josh Miller

The big reason why ldap is still contacted is to find out if the user is
in any ldap groups.  Since a user can be in a large number of groups,
local and directory based, it has to contact them to figure out which
ones.  I have implemented the following configuration as part of my
ldap.conf to reduce the dependency on ldap when disasters occur:

  timelimit 15
  bind_timelimit 15
  bind_policy soft
  nss_initgroups_ignoreusers root,ldap

From the man page for nss_initgroups_ignoreusers:

  nss_initgroups_ignoreusers <user1,user2,...,userN>
              This option directs the nss_ldap implementation of
              initgroups(3) to return NSS_STATUS_NOTFOUND if called with
              one of the listed users as its argument.

And this prevents a dependency upon ldap for those listed users.

- Josh, RHCE


Re: nsswitch.conf issues with LDAP Auth?

by Andrew Morgan

On Tue, 12 Sep 2006, Daniel Cross wrote:

> Hello all,
>
> I seem to be having some issues with getting auth requests to not look up
> the ldap server if the account is local and have tried everything and am
> stumped. Here's a rundown...
>
> What I'm doing:
> I have a pair of LDAP boxes, which ~thirty systems are looking up for
> authentication via LDAP. Auth all works well. No issues there.
>
> The issue, however is that..
> Even with local system accounts (root, www-data, postfix, etc), the
> systems are still contacting the LDAP servers, and I just don't see why
> (considering I have Files specified first in nsswitch.conf and
> pam_unix.so first in all the pam confs).
> Ideally, if the accounts are local, I'd like the systems to say 'ok, we
> have our account, now lets not query the LDAP server'
>
> Anyhow, heres my confs:
> nsswitch.conf-
> passwd:         files ldap
> group:          files ldap

When a user logs in, the function initgroups() is called by the login
process.  This function tries to enumerate *all* the groups a user is a
member of.  So, it will always contact LDAP if you have "ldap" listed in
nsswitch.conf under "group".

However, in nss-ldap v245, the following was added to address this:

         * add nss_initgroups_ignoreusers parameter to ldap.conf,
           returns NOTFOUND if nss_ldap's initgroups() is called
           for users (comma separated)

     This should finally solve the local logon-as-root-when-directory-is-down
     problem. Try putting "nss_initgroups_ignoreusers root" in
     /etc/ldap.conf.

It looks like you have 2 options:

1. Remove "ldap" from the "group" entry in nsswitch.conf.
2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option.

  Andy
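Both replies above come down to the same check: if "ldap" is listed under "group:" in nsswitch.conf, initgroups() will go to the directory for every login unless the account is named in nss_initgroups_ignoreusers. The script below is an added audit example, not something posted in this thread or shipped with nss_ldap: it reads copies of nsswitch.conf, ldap.conf and passwd (paths are parameters), treats accounts below UID 1000 as local system accounts (an assumption matching Debian's convention), and lists the ones that would still cause an LDAP round trip at login. The sample files it writes are constructed to mirror the configuration in the thread, with the exemption list from Josh's ldap.conf fragment; an empty report means either Andy's option 1 (no ldap under "group:") is in effect or every local account is exempted under option 2.

```shell
#!/bin/sh
# Added audit example (not from the thread): report which local accounts
# would still make nss_ldap enumerate groups over the network at login.

# Print usernames from a passwd-format file whose UID is below MAX_UID.
# Assumption: system accounts live below UID 1000 (Debian's default split).
local_accounts() {
    passwd_file=$1
    max_uid=${2:-1000}
    awk -F: -v max="$max_uid" '$3 < max { print $1 }' "$passwd_file"
}

# Return 0 when the "group:" line of an nsswitch.conf names the ldap source.
group_uses_ldap() {
    awk '$1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print the comma-separated nss_initgroups_ignoreusers value from ldap.conf
# (last occurrence wins, comment lines are skipped); prints nothing if absent.
ignored_users() {
    awk '$1 == "nss_initgroups_ignoreusers" { print $2 }' "$1" | tail -n 1
}

# Print, one per line, the local accounts that are NOT exempted: for these a
# login still triggers an initgroups() lookup against the directory.
uncovered_accounts() {
    nsswitch=$1; ldap_conf=$2; passwd_file=$3
    if ! group_uses_ldap "$nsswitch"; then
        return 0    # no ldap under "group:" -> initgroups() never leaves the box
    fi
    ignored=",$(ignored_users "$ldap_conf"),"
    local_accounts "$passwd_file" | while IFS= read -r user; do
        case "$ignored" in
            *",$user,"*) ;;                 # exempted by nss_initgroups_ignoreusers
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Constructed sample files (not real system files) mirroring the thread:
# "group: files ldap" in nsswitch.conf, an exemption list of root,ldap, and a
# passwd with the local accounts the original post mentions.
make_samples() {
    dir=$1
    printf 'passwd:         files ldap\ngroup:          files ldap\nshadow:         files ldap\n' \
        > "$dir/nsswitch.conf"
    printf '# constructed ldap.conf fragment\nbind_policy soft\nnss_initgroups_ignoreusers root,ldap\n' \
        > "$dir/ldap.conf"
    printf 'root:x:0:0:root:/root:/bin/sh\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\npostfix:x:101:103::/var/spool/postfix:/usr/sbin/nologin\ndcross:x:10001:10001::/home/dcross:/bin/sh\n' \
        > "$dir/passwd"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
echo "Local accounts that still trigger an LDAP group lookup at login:"
uncovered_accounts "$sample_dir/nsswitch.conf" "$sample_dir/ldap.conf" "$sample_dir/passwd"
rm -rf "$sample_dir"
```

Run against the constructed samples it reports www-data and postfix: root is exempted and dcross is a directory user. Point the three parameters at copies of the real files to audit a host; the output is the list of names to add to nss_initgroups_ignoreusers (or the evidence that dropping ldap from "group:" is the simpler fix).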

Re: nsswitch.conf issues with LDAP Auth?

by Daniel Cross-2

On Tue, 2006-09-12 at 09:35 -0700, Andrew Morgan wrote:

> When a user logs in, the function initgroups() is called by the login
> process.  This function tries to enumerate *all* the groups a user is a
> member of.  So, it will always contact LDAP if you have "ldap" listed in
> nsswitch.conf under "group".
>
> However, in nss-ldap v245, the following was added to address this:
>
>          * add nss_initgroups_ignoreusers parameter to ldap.conf,
>            returns NOTFOUND if nss_ldap's initgroups() is called
>            for users (comma separated)
>
>      This should finally solve the local logon-as-root-when-directory-is-down
>      problem. Try putting "nss_initgroups_ignoreusers root" in
>      /etc/ldap.conf.
>
> It looks like you have 2 options:
>
> 1. Remove "ldap" from the "group" entry in nsswitch.conf.
> 2. Upgrade to nss-ldap v245 and use the nss_initgroups_ignoreusers option

Argh! Of course. Thanks for pointing this out to me, guys. Very helpful.
Now to update to v245 (there was some (forgotten) issue I had
encountered when originally trying this version, so maybe you'll hear
from me again).

- Dan

Re: nsswitch.conf issues with LDAP Auth? *SOLVED?*

by Daniel Cross-2

On Tue, 2006-09-12 at 14:00 +1200, Daniel Cross wrote:

> Hello all,
>
> I seem to be having some issues with getting auth requests to not look up
> the ldap server if the account is local and have tried everything and am
> stumped. Here's a rundown...
>
> What I'm doing:
> I have a pair of LDAP boxes, which ~thirty systems are looking up for
> authentication via LDAP. Auth all works well. No issues there.
>
> The issue, however is that..
> Even with local system accounts (root, www-data, postfix, etc), the
> systems are still contacting the LDAP servers, and I just don't see why
> (considering I have Files specified first in nsswitch.conf and
> pam_unix.so first in all the pam confs).
> Ideally, if the accounts are local, I'd like the systems to say 'ok, we
> have our account, now lets not query the LDAP server'
>
*snip*
>
> Oh, and software versions:
> libldap2       2.1.30-3
> libnss-ldap    238-1
> libpam-ldap    180-1
>
> Soooo, anyone seen the same symptoms?
> Any ideas or suggestions would be very helpful.

So.... the latest version of libnss-ldap from the Debian testing tree
(libnss-ldap 251-5.2) doesn't have this issue....

And I cannot see anything in the changelog that shows what this issue
was or why it now works.  Interesting.

But I've rolled it out onto our systems and all seems well.

Regards,


Re: nsswitch.conf issues with LDAP Auth? *SOLVED?*

by Andrew Morgan

On Thu, 26 Oct 2006, Daniel Cross wrote:

> So.... the latest version of libnss-ldap from the Debian testing tree
> (libnss-ldap 251-5.2) doesn't have this issue....
>
> And I cannot see anything in the changelog that shows what this issue
> was or why it now works.  Interesting.
>
> But I've rolled it out onto our systems and all seems well.

Did you have:

group: files ldap

in your nsswitch.conf?

  Andy

Re: nsswitch.conf issues with LDAP Auth? *SOLVED?*

by Daniel Cross-2

On Wed, 2006-10-25 at 16:09 -0700, Andrew Morgan wrote:
> files

Damn, I sent this update in reply to the wrong thread.
And this had been covered quite extensively.  Yes, I did have 'group:
files ldap' (and, out of interest, how does updating libnss-ldap change
this file? I'd sure hope it doesn't!)

Regards,


Re: nsswitch.conf issues with LDAP Auth? *SOLVED?*

by Andrew Morgan

On Thu, 26 Oct 2006, Daniel Cross wrote:

> On Wed, 2006-10-25 at 16:09 -0700, Andrew Morgan wrote:
>> files
>
> Damn, I sent this update in reply to the wrong thread.
> And this had been covered quite extensively.  Yes, I did have 'group:
> files ldap' (and, out of interest, how does updating libnss-ldap change
> this file? I'd sure hope it doesn't!)

I have no idea why updating to a newer nss-ldap would fix this either.  :)

There are some new options for restricting the group enumeration, but I've
never used them myself.  See the docs.

  Andy