Mike Lovell wrote:
I am trying to get an LDAP working for an environment that I have.
Currently, the LDAP is working an I can authenticate the LDAP and
everything is working fine. The one complaint I have is that one user
or group lookup where the local account information is sufficient,
there is still an query going again LDAP. Does anyone know if it is
possible to configure things so that if there is a result found in
/etc/passwd and /etc/group to then not do a query against the LDAP? I
am wanting to deploy this in an environment that is doing a ton of
file operations as a particular user that is already on the local
machines and I don't want queries hitting the LDAP all of the time and
killing it. I know nscd will cache the info but I am wanting to not
hit the LDAP for that user at all. Here is what I have in my
nsswitch.conf.
The nsswitch.conf looks fine. I'd look into the ordering of the pam
stack. Check for references to pam_ldap.so in the
/etc/pam.d/system-auth or service-specific configuration, and make sure
that the ordering there only goes to ldap if it's not found locally.
For example:
|auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so|
and
|account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so|
Frank
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
