From owner-freebsd-stable@FreeBSD.ORG Fri Aug 7 14:46:21 2009
Date: Fri, 7 Aug 2009 09:36:13 -0500
From: Dan Nelson
To: Jordi Espasa Clofent
Cc: freebsd-stable@freebsd.org
Subject: Re: nsswitch.conf bad configuration?
Message-ID: <20090807143613.GB54485@dan.emsphone.com>
References: <4A7C1FB5.3000908@minibofh.org>
In-Reply-To: <4A7C1FB5.3000908@minibofh.org>
X-OS: FreeBSD 7.2-STABLE
User-Agent: Mutt/1.5.19 (2009-01-05)
In the last episode (Aug 07), Jordi Espasa Clofent said:
> Hi all,
>
> I've a lot of servers (6.3, 6.4, 7.1, 7.2...) logging in against a centralized
> LDAP account server. All works fine, but I can see in the LDAP logs:
>
> # cat /var/log/syslog | grep uid= | awk '{print $12}'
> [...]
> filter="(&(objectClass=posixAccount)(uid=root))"
> filter="(&(objectClass=posixAccount)(uid=oscar))"
> filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
> filter="(&(objectClass=posixAccount)(uid=root))"
> filter="(&(objectClass=posixAccount)(uid=root))"
>
> You can see the difference between user 'oscar' (exists in the LDAP database)
> and the others (don't exist in the LDAP database).
>
> The main question is: why do users 'postfix', 'root', 'paola', 'sendmail'
> or even 'devnull' appear in the LDAP log if they don't exist in the LDAP
> database? Obviously, they appear because there are queries under this
> UID/username.
>
> Maybe the commented lines make the different users/daemons (like postfix,
> nobody or mailer-daemon) always look at the group and passwd directives,
> which have files and ldap. So, they ask something in files (/etc/passwd
> and /etc/groups) and the default nsswitch.conf behaviour is, "I don't
> know, please ask the next source", and the query is passed to the ldap
> resource.

nsswitch is probably checking LDAP for group memberships. You can see that
for the "oscar" user that is in LDAP, the posixAccount query is immediately
followed by a query looking up all groups that the user is a member of.
This lets you add local users to groups that exist only in LDAP, by creating
a shadow user in LDAP with the same name and adding it to groups.

If you're worried about overloading your ldap server with queries for
nonexistent users (which is unlikely), you can enable nscd which will cache
negative responses for 60 seconds (see the nscd and nscd.conf manpages).

-- 
Dan Nelson
dnelson@allantgroup.com
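As an added example (not from either message in the thread), the "files ldap" ordering the original poster describes beside the nscd-backed variant Dan suggests, with the matching rc.conf and nscd.conf settings; the TTL values are assumptions to tune, not values from the thread.

```conf
# /etc/nsswitch.conf  (FreeBSD)
# Ordering as in the original post: every miss in /etc/passwd or /etc/group
# falls through to LDAP, so local daemon accounts (postfix, sendmail, ...)
# and root generate an LDAP query on each lookup.
#passwd: files ldap
#group:  files ldap

# With nscd in front: "cache" must be the first source so that both positive
# and negative answers are served by nscd before files/ldap are consulted.
passwd: cache files ldap
group:  cache files ldap

# /etc/rc.conf -- start nscd at boot
nscd_enable="YES"

# /etc/nscd.conf -- assumed TTLs (seconds); the 60 s negative TTL is the
# value Dan cites. Positive entries outlive account changes for this long.
enable-cache            passwd  yes
positive-time-to-live   passwd  3600
negative-time-to-live   passwd  60
enable-cache            group   yes
positive-time-to-live   group   3600
negative-time-to-live   group   60
```

After editing, run /etc/rc.d/nscd restart and look up a local-only name twice (getent passwd postfix); the LDAP log should show at most one query per negative TTL. Keep positive-time-to-live short enough that a disabled or removed LDAP account does not stay resolvable longer than your policy allows.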