Message-Id: <200703130742.l2D7g0PW000923@phobos.ze.tum.de>
Date: Tue, 13 Mar 2007 08:42:00 +0100 (CET)
From: Gerhard Schmidt
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: misc/110252: success=return action doesn't work in /etc/nsswitch.conf

>Number: 110252
>Category: misc
>Synopsis: success=return action doesn't work in /etc/nsswitch.conf
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 13 08:20:14 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Gerhard Schmidt
>Release: FreeBSD 6.2-STABLE i386
>Organization: Augsburger Computer Forum e.V.
>Environment:
System: FreeBSD phobos.ze.tum.de 6.2-STABLE FreeBSD 6.2-STABLE #2: Thu Mar 8 15:21:55 CET 2007 root@phobos.ze.tum.de:/usr/src/sys/i386/compile/PHOBOS i386

>Description:
I have a FreeBSD server that runs an OpenLDAP server which holds the user information for some FreeBSD systems, including itself. The user ldap is in /etc/passwd and the group ldap is in /etc/group.

/etc/nsswitch.conf looks like the following:

    group: files [success=return] ldap
    hosts: files dns
    networks: files
    passwd: files [success=return] ldap
    shells: files

When the system boots, the bootup blocks for 2-3 minutes when starting OpenLDAP. The log states the following:

    Mar 13 08:13:13 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable

As I understand the success=return statement, ldap should never be asked when a user or group is in the files. But it still is. And when the system is up and running, the ldap server is queried for every user in the files.

This is a security issue too. Every user search is sent to all sources in nsswitch.conf.

>How-To-Repeat:
Do the setup described and do a finger on a user in /etc/passwd; you will see a query to the LDAP server.

>Fix:
n/k

>Release-Note:
>Audit-Trail:
>Unformatted:
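
The behaviour the report expects from "files [success=return] ldap", modelled as an added example (not part of the original report and not FreeBSD's libc code). It follows the documented nsswitch.conf(5) criteria semantics only; the function names and the sample lookup outcomes are constructed for illustration.

```python
import re

# Default actions per nsswitch.conf(5); a [status=action] criterion overrides them.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse one 'database: source [criteria] source ...' line.

    Returns (database, [(source, actions), ...]), where actions maps each
    status to 'return' or 'continue' for that source.
    """
    database, _, rest = line.split("#", 1)[0].partition(":")
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if token.startswith("["):
            if not chain:
                raise ValueError("criterion before any source")
            for crit in token[1:-1].split():
                status, _, action = crit.lower().partition("=")
                if status not in DEFAULTS or action not in ("return", "continue"):
                    raise ValueError("bad criterion: " + crit)
                chain[-1][1][status] = action
        else:
            chain.append((token, dict(DEFAULTS)))
    return database.strip(), chain

def sources_consulted(chain, results):
    """Walk the chain as documented; results maps source -> status it yields.

    Returns the sources that would be queried, in order.
    """
    asked = []
    for source, actions in chain:
        asked.append(source)
        if actions[results[source]] == "return":
            break
    return asked

# Constructed sample: the passwd line from the report and two lookup outcomes.
DB, CHAIN = parse_line("passwd: files [success=return] ldap")
LOCAL_USER = sources_consulted(CHAIN, {"files": "success", "ldap": "unavail"})
LDAP_USER = sources_consulted(CHAIN, {"files": "notfound", "ldap": "success"})

if __name__ == "__main__":
    print(DB, "local user ->", LOCAL_USER)   # ldap should not be reached
    print(DB, "ldap-only user ->", LDAP_USER)
```

Comparing this expected source list with the queries actually seen in the LDAP server's log for the same lookup shows whether a given system deviates from the documented behaviour.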