nsswitch and ldap for group

FreeBSD 13.1 using a default /etc/nsswitch.conf except for
Code:
passwd: files ldap
Lookups work as expected, with entries in /etc/passwd not triggering an LDAP search and missing entries doing so. Now if I add LDAP into group:
Code:
group: files ldap
I get 2 x LDAP lookups for every request with the following filters:
Code:
filter="(&(objectClass=posixAccount)(uid=root))"
attr=uid uidNumber

"(&(objectClass=posixGroup)(memberUid=root))"
attr=cn gidNumber
/etc/[passwd|group] are set up correctly with local users (like root), so why is ldap being interrogated?
 
Maybe I don't understand your question/message, but it's normal.
The first query checks whether the user exists. The second obtains the groups the user belongs to. Both queries are independent.
 
Yes, the 2 queries are valid except for the fact that nsswitch is configured to look in files before asking LDAP. All the information that is required is in /etc/group (and /etc/passwd) for the given user and therefore NO LDAP requests should be made at all. 'getent passwd root' and 'getent group wheel' work as expected with no LDAP requests.

The reason this is a problem is that we have around 70 machines and at the top of the hour all these machines do a newsyslog check. Each machine will ask for the same information for multiple accounts/groups (root,operator etc) for a multitude of log files. This results in nearly 1000 LDAP requests all happening at the same time but these requests should be using the information from the local files.
Adding cache to the nsswitch after files still causes all the LDAP requests, so that doesn't help. Adding jitter options to cron helps but does not resolve the actual problem.
 
"(&(objectClass=posixGroup)(memberUid=root))" attr=cn gidNumber
I am reading this as "give me all groups that 'root' is a member of", so it doesn't matter if there's a local db, it wants all of them from all sources!

Which daemon exactly is triggering this?
 
As suggested above, I believe the culprit is newsyslog run from cron.
My problem is that the command:

Code:
getent group wheel

does NOT ask LDAP for any more info as it already got a match from files, so why does newsyslog ask LDAP? I have also tried modifying /etc/nsswitch to:

Code:
group: files [success=return notfound=continue] ldap

without any success, but I think this is the default action anyway. Note that all the passwd db stuff works as expected through nsswitch, with LDAP requests only performed if nothing is found in files.
 

dksayers,

You wrote in the first message only that you have 2 LDAP queries, so it means that you don't have the searched content (user/group) in "files". Then you wrote that there are no queries to LDAP, so now you have such records.
Maybe I don't understand you, but you should show whether such records exist in "files", for example with the grep command. But you should remember that FreeBSD uses /etc/pwd.db (Berkeley DB) for users (not groups). So if you modify a passwd file manually (/etc/passwd or /etc/master.passwd) without modifying /etc/pwd.db, then you will receive incorrect data.
 
does NOT ask LDAP for any more info as it already got a match from files, so why does newsyslog ask LDAP?
getent group wheel is just "what is group wheel", so there is nothing to ask ldap about if it's found in files.

The query going to ldap is completely different, it is NOT "what is group wheel", it is "what are all the groups user root is in", so it's looking for ALL supplemental groups for user root in ALL sources.
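As an added example that is not part of this thread, the C program below shows the two libc calls behind the two lookups the reply above distinguishes: getgrnam() is the "what is group wheel" lookup that stops at the first nsswitch source with a match, while getgrouplist() is the "which groups is root in" membership lookup that merges results from every group: source, which is why it produces the memberUid=<user> filter on the LDAP server even when the user is in /etc/group. It assumes a FreeBSD or glibc libc; the user and group names are command-line arguments and default to root and wheel.

```c
/* Added example, not from the thread: contrasts the two NSS calls behind
 * the two lookups discussed above. getgrnam() is "what is group NAME";
 * getgrouplist() is "which groups is USER in" and merges every group:
 * source listed in nsswitch.conf, so it reaches ldap even when the user
 * is present in /etc/group. Builds on FreeBSD and glibc. */
#define _GNU_SOURCE  /* glibc: expose getgrouplist() in <grp.h>; harmless on FreeBSD */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>  /* FreeBSD declares getgrouplist() here */

/* Fallback prototype for a glibc build in strict-standard mode, where the
 * feature macro above may be seen too late to take effect. */
#if defined(__GLIBC__) && !defined(__USE_MISC)
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);
#endif

#define MAX_GROUPS 256

/* "What is group NAME": walks group: sources in nsswitch order and stops at
 * the first one that answers, so a local entry never reaches LDAP.
 * Returns 1 if found, 0 otherwise. */
int group_exists(const char *name)
{
    return getgrnam(name) != NULL;
}

/* "Which groups is USER in": the membership query. Fills OUT with up to MAX
 * gids and returns how many were found, or -1 if the user is unknown or the
 * buffer is too small. glibc returns the count from getgrouplist() while
 * FreeBSD returns 0 on success; both store the count in ngroups, so that is
 * what we report. */
int groups_of_user(const char *user, gid_t *out, int max)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    int ngroups = max;
    if (getgrouplist(user, pw->pw_gid, out, &ngroups) == -1)
        return -1;
    return ngroups;
}

/* Convenience wrapper with its own buffer: number of groups USER belongs to. */
int user_group_count(const char *user)
{
    gid_t buf[MAX_GROUPS];
    return groups_of_user(user, buf, MAX_GROUPS);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    const char *group = argc > 2 ? argv[2] : "wheel";
    gid_t gids[MAX_GROUPS];

    /* Single lookup: answered by files when the entry is there. */
    printf("getgrnam(\"%s\"): %s\n", group,
           group_exists(group) ? "found" : "not found");

    /* Membership lookup: every configured source is asked; on the LDAP side
     * this is the (&(objectClass=posixGroup)(memberUid=<user>)) filter. */
    int n = groups_of_user(user, gids, MAX_GROUPS);
    if (n < 0) {
        printf("getgrouplist(\"%s\"): failed\n", user);
        return 1;
    }
    printf("getgrouplist(\"%s\"): %d group(s):", user, n);
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(gids[i]);
        printf(" %s", gr != NULL ? gr->gr_name : "?");
    }
    printf("\n");
    return 0;
}
```

Run it on a host with group: files ldap while watching the LDAP server log: the getgrnam() line produces no query when the group is in /etc/group, whereas the getgrouplist() line produces the memberUid query every time, regardless of a [success=return] action on the files source, because membership results from the different sources are unioned rather than taken from the first one that answers.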
 
Since "success=return" is the default behaviour (is it?), I wouldn't expect an additional group lookup using LDAP.
But since I'm lazy as hell, I wouldn't start a research project, but use (caching) sssd instead of going directly against LDAP, and configure sssd to ignore local root users and groups.
 