From owner-freebsd-questions@FreeBSD.ORG Tue Mar 13 08:34:46 2007
Date: Tue, 13 Mar 2007 09:34:45 +0100
From: Gerhard Schmidt
To: Joerg Pulz
Cc: freebsd-questions@freebsd.org
Subject: Re: nss_ldap and openldap on the same server.
Message-ID: <20070313083445.GB20341@augusta.de>
In-Reply-To: <20070313084157.E17772@unqrf.nqzva.sez2>
References: <20070312141915.GA1842@augusta.de> <20070313071641.GA18856@augusta.de> <20070313084157.E17772@unqrf.nqzva.sez2>
On Tue, Mar 13, 2007 at 09:08:34AM +0100, Joerg Pulz wrote:
> On Tue, 13 Mar 2007, Gerhard Schmidt wrote:
>
> >On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> >>On 3/12/07, Gerhard Schmidt wrote:
> >>>Hi,
> >>Hello,
> >>
> >>>As I see it, nss asks all sources even if the first one already knows the
> >>>answer. Is there a way to change this.
> >>
> >>man nsswitch.conf(5)
> >>Look for Status codes and Actions
> >
> >Doesn't work. Tried the following nsswitch.conf
> >group: files [success=return] ldap
> >hosts: files dns
> >networks: files
> >passwd: files [success=return] ldap
> >shells: files
> >
> >This doesn't change the delay. And the nss_ldap timeout is still reported.
> >This is not surprising because the manpage states [success=return] is
> >default.
> >
> >Seems there is a bug somewhere.
>
> AFAICT, there is no bug.
> The behavior is completely correct as a look into the openldap code turns
> out.
> When starting up slapd, it tries to switch the credentials to the user and
> group specified, normally ldap:ldap. Therefore it uses getpwuid(3),
> getpwnam(3), getgrgid(3) and getgrnam(3) functions. If lookup for the user
> and group specified is okay, it then calls getuid(3) and initgroups(3).
> Reading initgroups(3) turns out the following:
>
> The initgroups() function uses the getgrouplist(3) function to calculate
> the group access list for the user specified in name.
>
> Reading getgrouplist(3) turns out the following:
>
> The getgrouplist() function reads through the group file and calculates
> the group access list for the user specified in name.
> [...]
> The getgrouplist() function uses the routines based on getgrent(3).
>
> Reading getgrent(3) turns out the following:
>
> The getgrent() function sequentially reads the group database and is
> intended for programs that wish to step through the complete list of
> groups.
> [...]
> The getgrent() and getgrent_r() functions make no attempt to suppress
> duplicate information if multiple sources are specified in
> nsswitch.conf(5).
>
> So after following the way through all man pages, it turns out that the
> behavior is fully correct as a lookup is done to find out all groups to
> which the specified slapd user belongs to. This includes lookups using
> nss_ldap when ldap is configured as source for groups in nsswitch.conf.
>
> As a side note, a short look into the bind and cron source turns out that
> these, and probably others too, also use the initgroups(3) function.

Yes. But still there is something missing. The admin should have control
over this behavior. The reasonable default action for groups should be
success=continue to go through all group sources. But the admin should still
have the possibility to stop the process on success, which is not possible
right now.
Bye
Estartu
--
----------------------------------------------------------------------------
Gerhard Schmidt    | Nick : estartu    IRC : Estartu  |
Fischbachweg 3     |                                  | PGP Public Key
86856 Hiltenfingen | EMail: estartu@augusta.de        | on request
Germany            |                                  |
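To make the distinction in the thread concrete, here is an added simulation (not code from the thread or from FreeBSD libc) of the nsswitch.conf(5) status/action handling: a keyed getgrnam-style lookup honours `[success=return]` and stops at the first hit, while a getgrent-style enumeration, which getgrouplist(3) and initgroups(3) build on, reads every configured source regardless of the actions and keeps duplicates. The two source databases and their gids are constructed sample data.

```python
"""Toy model of nsswitch.conf(5) status/action semantics (added example;
not code from the thread and not the libc implementation)."""
import re
from typing import Dict, List, Optional, Tuple

# The group line exactly as posted in the thread.
NSSWITCH_GROUP_LINE = "group: files [success=return] ldap"

# Constructed sample group databases: the "ldap" group exists in both
# sources, so enumeration will report it twice (no duplicate suppression).
SOURCES: Dict[str, Dict[str, int]] = {
    "files": {"wheel": 0, "ldap": 389},
    "ldap": {"ldap": 389, "developers": 1001},
}

# Defaults from nsswitch.conf(5): only success returns, everything else continues.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_line(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(source, actions)]; a [status=action] token modifies the
    actions of the source immediately before it."""
    _db, spec = line.split(":", 1)
    entries: List[Tuple[str, Dict[str, str]]] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action block without a preceding source")
            for pair in tok[1:-1].split():
                status, action = pair.lower().split("=", 1)
                entries[-1][1][status] = action
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return entries

def getgrnam_sim(name: str, line: str = NSSWITCH_GROUP_LINE) -> Tuple[Optional[int], List[str]]:
    """Keyed lookup: consult sources in order and apply the action for the
    status each one returns. Returns (gid or None, sources actually queried)."""
    queried: List[str] = []
    result: Optional[int] = None
    for source, actions in parse_line(line):
        queried.append(source)
        hit = SOURCES[source].get(name)
        status = "success" if hit is not None else "notfound"
        if status == "success":
            result = hit
        if actions[status] == "return":
            break
    return result, queried

def getgrent_sim(line: str = NSSWITCH_GROUP_LINE) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Enumeration: every source is read in full; actions are irrelevant and
    duplicates are not suppressed, which is why initgroups(3) hits nss_ldap."""
    queried: List[str] = []
    entries: List[Tuple[str, int]] = []
    for source, _actions in parse_line(line):
        queried.append(source)
        entries.extend(SOURCES[source].items())
    return entries, queried
```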