nsswitch.conf problem and ldap


mamalos
March 23rd, 2009, 16:31
Dear all,

I am facing a problem with /etc/nsswitch.conf and nss_ldap. From what I realized after some googling, I am not the first one to have this problem (of course), but I did not find any solution. The thing is the following:

My machine has some local users in /etc/passwd and some groups in /etc/group. I also have some users ("remote") in openldap and wish to accomplish the following: When a user is being looked up, if found in /etc/passwd and their group in /etc/group, the command should terminate and not proceed with ldap. If not found, the command should proceed with an ldap search. This behavior should be implemented by the following /etc/nsswitch.conf (regarding the relevant entries):

group: files ldap
passwd: files ldap

However, this is not the case. Whenever I look up root, by issuing "id root" for example, and the ldap server is down, the lookup procedure takes 1 min to complete (the default timeout), and responds with root's id. The only way to accomplish the aforementioned behavior is by having the following in nsswitch.conf:

group: files [success=return notfound=return] ldap
passwd: files [success=return notfound=return] ldap

Of course, this accomplishes only the first half (once the user is found in the local db (/etc/passwd etc.) the command completes immediately). The second half is not accomplished; meaning that a user that does not exist in the local db is not being searched in ldap, and the command completes immediately again. This is the same as not having ldap at all in my nsswitch.conf.

Does anybody know why this happens? And if so, is there a way to avoid the delay?

Thanks all in advance
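
The following is an added example, not code from this thread or from nss_ldap: a small Python model of how the resolver walks one nsswitch.conf database line, using the per-status default actions documented in nsswitch.conf(5) (success=return, every other status continue). The two lines and the three lookup situations are constructed to mirror the post above. It shows that for a passwd lookup of root under "files ldap" the walk stops at files and never consults ldap, so the one-minute delay has to come from some other lookup that "id" performs; and that "notfound=return" on files ends the walk for a user who is not local, which is exactly why ldap is never reached with the second configuration. It does not model the initgroups path or any nss_ldap-specific behavior.

```python
"""Walk an nsswitch.conf database line the way the resolver does.

Sources are tried left to right; after each one, the action recorded for
the status it returned decides whether to stop ("return") or move on
("continue"). This models the documented rules; it is not the C library.
"""
import re
from typing import Dict, List, Tuple

# nsswitch.conf(5) default action for each status: only a hit stops the walk.
DEFAULT_ACTIONS: Dict[str, str] = {
    "success": "return",
    "notfound": "continue",
    "unavail": "continue",
    "tryagain": "continue",
}


def parse_nsswitch_line(line: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """'passwd: files [success=return notfound=return] ldap' ->
    ('passwd', [('files', {...}), ('ldap', {...})]) with full action maps."""
    database, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"no database name in {line!r}")
    sources: List[Tuple[str, Dict[str, str]]] = []
    # Tokens are either a bracketed action list or a bare source name.
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if token.startswith("["):
            if not sources:
                raise ValueError("action list must follow a source")
            actions = sources[-1][1]  # applies to the preceding source
            for item in token[1:-1].split():
                status, _, action = item.lower().partition("=")
                if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                    raise ValueError(f"unsupported action {item!r}")
                actions[status] = action
        else:
            sources.append((token.lower(), dict(DEFAULT_ACTIONS)))
    return database.strip(), sources


def resolve(line: str, outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Simulate one lookup. `outcomes` maps a source name to the status that
    source would report (a source missing from the map reports 'notfound').
    Returns the final status and the list of sources actually consulted."""
    _, sources = parse_nsswitch_line(line)
    consulted: List[str] = []
    status = "notfound"
    for source, actions in sources:
        consulted.append(source)
        status = outcomes.get(source, "notfound")
        if actions[status] == "return":
            break
    return status, consulted


# Constructed scenarios mirroring the thread: root lives in /etc/passwd,
# "remote" users live only in LDAP, and the LDAP server may be unreachable.
ROOT_LDAP_DOWN = {"files": "success", "ldap": "unavail"}
REMOTE_LDAP_UP = {"files": "notfound", "ldap": "success"}
UNKNOWN_LDAP_DOWN = {"files": "notfound", "ldap": "unavail"}

# The two configurations from the post.
DEFAULT_LINE = "passwd: files ldap"
STRICT_LINE = "passwd: files [success=return notfound=return] ldap"

if __name__ == "__main__":
    for label, line in (("default", DEFAULT_LINE), ("strict", STRICT_LINE)):
        for name, outcome in (("root, ldap down", ROOT_LDAP_DOWN),
                              ("remote user, ldap up", REMOTE_LDAP_UP),
                              ("unknown user, ldap down", UNKNOWN_LDAP_DOWN)):
            print(f"{label:7} {name:24} -> {resolve(line, outcome)}")
```

Running it prints that the default line resolves root from files alone, reaches ldap only for users missing from files, and reports "unavail" for an unknown user when ldap is down; the strict line resolves root identically but returns "notfound" from files without ever consulting ldap.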

Mel_Flynn
March 23rd, 2009, 18:10
how about success=return notfound=continue?

Got this from reading nsswitch.conf(5), not actually tried it.

mamalos
March 23rd, 2009, 18:20
> how about success=return notfound=continue?
>
> Got this from reading nsswitch.conf(5), not actually tried it.

Thanks Flynn,

this is the default, and does not work unfortunately. In the meantime I found some threads on other forums regarding my issue, tested on debian systems, and people suggest placing all local users in the nss_initgroups_ignoreusers directive of /usr/local/etc/nss_ldap.conf, which is supposed to do exactly what I wish: all users in this directive are ignored by the ldap search, since for some reason the nss_ldap version of initgroups(3) keeps on looking for ldap groups when performing a lookup, no matter what /etc/nsswitch.conf tells it to (if ldap is placed in nsswitch.conf, that is).

Even though this approach seemed very promising, it didn't work for me, and I am still searching for an answer...

Thanks anyways!

crsd
March 23rd, 2009, 20:02
Try setting bind_policy to soft in nss_ldap.conf as a workaround.

mamalos
March 24th, 2009, 09:25
Tried it along with nss_initgroups_ignoreusers, and forgot to mention it. Unfortunately, it doesn't work either!