Date:      Tue, 13 Mar 2007 10:01:09 +0200
From:      Jonathan McKeown <jonathan@hst.org.za>
To:        freebsd-questions@freebsd.org
Cc:        Gerhard Schmidt <estartu@augusta.de>, Pietro Cerutti <pietro.cerutti@gmail.com>
Subject:   Re: nss_ldap and openldap on the same server.
Message-ID:  <200703131001.10355.jonathan@hst.org.za>
In-Reply-To: <20070313071641.GA18856@augusta.de>
References:  <20070312141915.GA1842@augusta.de> <e572718c0703121607n57d1c28co915638069262042a@mail.gmail.com> <20070313071641.GA18856@augusta.de>

On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > On 3/12/07, Gerhard Schmidt <estartu@augusta.de> wrote:
> > >Hi,
> >
> > Hello,
> >
> > >As I see it, nss asks all sources even if the first one already knows
> > > the answer. Is there a way to change this.
> >
> > man nsswitch.conf(5)
> > Look for Status codes and Actions
>
> Doesn't work. Tried the following nsswitch.conf
> group: files [success=return] ldap
> hosts: files dns
> networks: files
> passwd: files [success=return] ldap
> shells: files
>
> This doesn't change the delay. And the nss_ldap timeout is still reported.
> This is not surprising because the manpage states [success=return] is
> default.
>
> Seems there is a bug somewhere.

It's a well-known problem rather than a bug, and it arises when looking up 
group information for a user. The system needs a list of all the groups the 
user is a member of. Since it's a list, not a single answer, you can't 
short-circuit the process with ``success'' after finding a single result: 
initgroups(3) must work through all possible sources of group information to 
build the list.

The only ``workaround'' I've seen suggested is the parameter introduced 
recently in nss_ldap:

nss_initgroups_ignoreusers

It takes a comma-separated list of users for whom the nss_ldap initgroups 
routine should immediately return NSS_STATUS_NOTFOUND. If you keep group 
information for all the system users in /etc/group only, and add them all to 
this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't 
tested this).

Jonathan
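The difference between a single-answer lookup and the list-building initgroups(3) lookup that Jonathan describes, together with the nss_initgroups_ignoreusers workaround, can be illustrated with a small simulation. The Python below is an added example and is not code from this thread, from FreeBSD or from nss_ldap: the passwd and group excerpts are constructed, and the "ldap" source is simulated with the same file format rather than by contacting a directory server. The function names (getpwnam_like, initgroups_like, ignoreusers_line) are the example's own.

```python
"""Simulate NSS source order for a single-answer lookup (passwd) versus
a list-building lookup (initgroups), then generate the nss_ldap.conf
line for the nss_initgroups_ignoreusers workaround.

All sample data below is constructed for the example."""

# Constructed /etc/passwd excerpt (the "files" source).
PASSWD_FILES = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
jonathan:*:1001:1001:Jonathan:/home/jonathan:/bin/sh
"""

# Constructed stand-in for accounts held only in LDAP (the "ldap" source).
PASSWD_LDAP = """\
alice:*:2002:2002:Alice:/home/alice:/bin/sh
"""

# Constructed /etc/group excerpt (the "files" source).
GROUP_FILES = """\
wheel:*:0:root,jonathan
daemon:*:1:
jonathan:*:1001:
"""

# Constructed stand-in for groups held in LDAP (the "ldap" source).
GROUP_LDAP = """\
developers:*:2001:jonathan,alice
alice:*:2002:
"""


def parse_passwd(text):
    """Return {username: primary_gid} from passwd(5)-style lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        name, _pw, _uid, gid, *_rest = line.split(':')
        users[name] = int(gid)
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_members)} from group(5)-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        name, _pw, gid, members = line.split(':', 3)
        groups[name] = (int(gid), {m for m in members.split(',') if m})
    return groups


def getpwnam_like(user, sources):
    """Single-answer lookup. With the default [success=return] action the
    walk stops at the first source that knows the user; later sources are
    never consulted. Returns (primary_gid, sources_consulted)."""
    consulted = []
    for name, users in sources:
        consulted.append(name)
        if user in users:
            return users[user], consulted
    return None, consulted


def initgroups_like(user, primary_gid, sources):
    """List-building lookup. Every source must be consulted, because any
    of them may hold further groups for the user; the answer is the union.
    Returns (sorted_gids, sources_consulted)."""
    gids = {primary_gid}
    consulted = []
    for name, groups in sources:
        consulted.append(name)
        for gid, members in groups.values():
            if user in members:
                gids.add(gid)
    return sorted(gids), consulted


def ignoreusers_line(passwd_text):
    """Build the nss_ldap.conf line for the workaround: list every user
    kept in /etc/passwd so nss_ldap's initgroups answers NSS_STATUS_NOTFOUND
    for them without waiting on the LDAP server."""
    users = sorted(parse_passwd(passwd_text))
    return 'nss_initgroups_ignoreusers ' + ','.join(users)


if __name__ == '__main__':
    passwd_sources = [('files', parse_passwd(PASSWD_FILES)),
                      ('ldap', parse_passwd(PASSWD_LDAP))]
    group_sources = [('files', parse_group(GROUP_FILES)),
                     ('ldap', parse_group(GROUP_LDAP))]
    gid, seen = getpwnam_like('jonathan', passwd_sources)
    print('passwd lookup consulted:', seen)
    gids, seen = initgroups_like('jonathan', gid, group_sources)
    print('initgroups consulted:', seen, '-> gids', gids)
    print(ignoreusers_line(PASSWD_FILES))
```

Running it shows the passwd lookup for a local user touching only the files source, while the initgroups walk touches files and ldap even though files already had an answer; that second walk is where the nss_ldap timeout appears on a host whose directory server is unreachable. The last line printed is the form of the nss_initgroups_ignoreusers entry, generated from the local passwd file so that it stays in step with the accounts actually kept there.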
