Date:      Fri, 7 Aug 2009 09:36:13 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Jordi Espasa Clofent <jespasac@minibofh.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: nsswitch.conf bad configuration?
Message-ID:  <20090807143613.GB54485@dan.emsphone.com>
In-Reply-To: <4A7C1FB5.3000908@minibofh.org>
References:  <4A7C1FB5.3000908@minibofh.org>

In the last episode (Aug 07), Jordi Espasa Clofent said:
> Hi all,
> 
> I have a lot of servers (6.3, 6.4, 7.1, 7.2...) logging in against a centralized
> LDAP account server.  All works fine, but I can see in the LDAP logs:
> 
> # cat /var/log/syslog | grep uid= | awk '{print $12}'
[...]
> filter="(&(objectClass=posixAccount)(uid=root))"
> filter="(&(objectClass=posixAccount)(uid=oscar))"
> filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
> filter="(&(objectClass=posixAccount)(uid=root))"
> filter="(&(objectClass=posixAccount)(uid=root))"
> 
> You can see the difference between user 'oscar' (exists in the LDAP database) and
> the others (don't exist in the LDAP database).
> 
> The main question is: why do the users 'postfix', 'root', 'paola',
> 'sendmail' or even 'devnull' appear in the LDAP log if they don't exist in the LDAP
> database?  Obviously, they appear because there are queries under these
> UIDs/usernames.
> 
> Maybe the commented lines make the different users/daemons (like
> postfix, nobody or mailer-daemon) always look at the group and passwd
> directives, which have files and ldap.  So, they ask something in files
> (/etc/passwd and /etc/groups) and the default nsswitch.conf behaviour is,
> "I don't know, please ask the next source", and the query is passed
> to the ldap resource.

nsswitch is probably checking LDAP for group memberships.  You can see that
for the "oscar" user that is in LDAP, the posixAccount query is immediately
followed by a query looking up all groups that the user is a member of.
This lets you add local users to groups that exist only in LDAP, by creating
a shadow user in LDAP with the same name and adding it to groups.

If you're worried about overloading your ldap server with queries for
nonexistent users (which is unlikely), you can enable nscd which will cache
negative responses for 60 seconds (see the nscd and nscd.conf manpages).

-- 
	Dan Nelson
	dnelson@allantgroup.com
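To put a number on how much of that LDAP traffic is generated by accounts the clients already know from local files (the candidates for nscd's negative cache), here is an added Python example that is not part of the thread. It parses the filter strings in the form quoted above; the syslog/slapd line prefix and the local user list are constructed for the sample.

```python
import re
from collections import Counter

# Constructed sample in the shape quoted in the thread: one LDAP search per
# line with a filter="..." field. The syslog/slapd prefix is an assumption;
# only the filter field is parsed.
SAMPLE_LOG = """\
Aug  7 09:30:01 ldap1 slapd[1234]: conn=100 op=1 SRCH filter="(&(objectClass=posixAccount)(uid=root))"
Aug  7 09:30:01 ldap1 slapd[1234]: conn=101 op=1 SRCH filter="(&(objectClass=posixAccount)(uid=oscar))"
Aug  7 09:30:01 ldap1 slapd[1234]: conn=101 op=2 SRCH filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
Aug  7 09:30:02 ldap1 slapd[1234]: conn=102 op=1 SRCH filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug  7 09:30:02 ldap1 slapd[1234]: conn=103 op=1 SRCH filter="(&(objectClass=posixAccount)(uid=root))"
"""

# Constructed stand-in for the names a client has in its local /etc/passwd.
LOCAL_USERS = {"root", "postfix", "sendmail", "nobody", "mailer-daemon"}

FILTER_RE = re.compile(r'filter="([^"]*)"')
ACCOUNT_RE = re.compile(r'\(objectClass=posixAccount\)\(uid=([^)]+)\)')
GROUP_RE = re.compile(r'\(objectClass=posixGroup\).*?\(memberUid=([^)]+)\)')


def classify(line):
    """Return ('account', uid), ('group', uid) or None for one log line."""
    m = FILTER_RE.search(line)
    if not m:
        return None
    flt = m.group(1)
    acct = ACCOUNT_RE.search(flt)
    if acct:
        return ("account", acct.group(1))
    grp = GROUP_RE.search(flt)
    if grp:
        return ("group", grp.group(1))
    return None


def summarize(log_text, local_users):
    """Count LDAP lookups per (kind, uid) and also return the uids that exist
    in local files: nsswitch sent those on to LDAP anyway, and LDAP's "not
    found" answers are what nscd's negative cache would absorb."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            counts[hit] += 1
    local_only = {uid for (_, uid) in counts if uid in local_users}
    return counts, local_only


if __name__ == "__main__":
    counts, local_only = summarize(SAMPLE_LOG, LOCAL_USERS)
    for (kind, uid), n in sorted(counts.items()):
        tag = "  (local account; nscd negative cache applies)" if uid in local_only else ""
        print(f"{kind:7} {uid:12} {n}{tag}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and LOCAL_USERS with the names from the client's /etc/passwd.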
