Hi all,
We are using LDAP to authenticate the users that need access to a
particular server.
But now we ran into a problem that we thought we had covered with the
following option in /etc/ldap.conf:
- nss_initgroups_ignoreusers
The problem is that when a server loses network connectivity we fail to
log in on the console using the authorized root account.
After massive debugging, we've figured out that even root tries to
reach out to the LDAP server, even in case the LDAP server isn't
available (for whatever reason).
Our previous /etc/ldap.conf looked as follows (please have a look at
the nss_initgroups_ignoreusers parameter):
#
# /etc/ldap.conf
base dc=example,dc=com
uri ldap://ldap1.example.com,ldap://ldap2.example.com
ldap_version 3
binddn uid=proxyusr,dc=example,dc=com
bindpw *******
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
bind_policy soft
nss_base_passwd ou=People,dc=example,dc=com?sub
nss_base_shadow ou=People,dc= example,dc=com?sub
nss_base_group ou=Groups,dc= example,dc=com?sub
nss_base_netgroup ou=Netgroup,dc=example,dc=com?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
pam_filter objectclass=posixaccount
pam_login_attribute uid
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
debug 0
logdir /var/log/ldap
After some debugging, we have figured out that the system tries to
reach out to LDAP even for root (which is listed in
nss_initgroups_ignoreusers), which caused a connection timeout and
therefore a login timeout.
Then we changed nss_initgroups_ignoreusers as follows:
#
# /etc/ldap.conf
- nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
+ nss_initgroups_ignoreusers root,sshd
Which made things work as expected.
The question we now would like to ask: Is there any limitation of the
nss_initgroups_ignoreusers field/option (since it seems to work with
only two users in the list)?
Or does someone see any misconfiguration in our configuration?
Just as a short note, for /etc/passwd and /etc/shadow we use compat mode
for authentication, and for /etc/group we use files ldap mode.
Any help/hint is much appreciated as we couldn't find anything related
in the code nor in the documentation.
Thanks and all the best,
Simon
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
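The post above describes a resilience failure: when the LDAP servers are unreachable, root's supplementary-group lookup still goes to LDAP and the console login waits out the connection timeout. The following linter is an added example (not code from the post or from nss_ldap) that reads an nss_ldap-style /etc/ldap.conf and reports the settings that decide how a local login behaves while LDAP is down: whether root (and any other required local account) is in nss_initgroups_ignoreusers, whether a value has been wrapped onto a following line so that it is no longer part of the setting, whether bind_policy is soft, and a rough upper bound on how long one lookup can block (number of uri entries times bind_timelimit). The two embedded configs are constructed from the values in the post; the assumed defaults (bind_policy hard, bind_timelimit 30) are those documented in nss_ldap's sample ldap.conf, and the wait estimate is an approximation, not a figure from nss_ldap itself.

```python
import re

# Constructed from the configuration in the post (values trimmed). The
# 'scd,gdm' line reproduces how the nss_initgroups_ignoreusers value was
# wrapped onto a new line in the message.
SAMPLE_LDAP_CONF = """\
#
# /etc/ldap.conf
base dc=example,dc=com
uri ldap://ldap1.example.com,ldap://ldap2.example.com
ldap_version 3
bind_policy soft
bind_timelimit 120
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,n
scd,gdm
pam_password md5
"""

# The same file after the change the post describes, with a shorter
# bind_timelimit (also constructed, not the poster's real file).
FIXED_LDAP_CONF = """\
base dc=example,dc=com
uri ldap://ldap1.example.com,ldap://ldap2.example.com
bind_policy soft
bind_timelimit 10
nss_initgroups_ignoreusers root,sshd
"""

# nss_ldap's ldap.conf is one 'keyword value' pair per line; keywords are
# matched case-insensitively.
KEY_VALUE = re.compile(r'^([A-Za-z_]+)\s+(\S.*)$')


def parse_ldap_conf(text):
    """Return ({keyword: value}, [(line_no, text), ...]) where the list holds
    lines that are neither blank, comments nor 'keyword value' pairs, such
    as the tail of a value that was wrapped onto the next line."""
    settings, stray = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = KEY_VALUE.match(line)
        if m is None:
            stray.append((line_no, line))
        else:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings, stray


def ignored_users(settings):
    """Users whose supplementary-group (initgroups) lookup nss_ldap is told
    not to send to LDAP; the value is a comma-separated list."""
    value = settings.get('nss_initgroups_ignoreusers', '')
    return [u.strip() for u in value.split(',') if u.strip()]


def worst_case_wait_seconds(settings):
    """Rough upper bound on how long one LDAP-backed lookup can block when
    every server in 'uri' is unreachable: one connect attempt per server,
    each bounded by bind_timelimit (assumed 30 s when unset, the nss_ldap
    default)."""
    uris = [u for u in settings.get('uri', '').split(',') if u.strip()]
    return max(1, len(uris)) * int(settings.get('bind_timelimit', '30'))


def lint(text, required=('root',)):
    """Return a list of human-readable findings; an empty list means the
    file has none of the issues this linter knows about."""
    settings, stray = parse_ldap_conf(text)
    findings = []
    for line_no, line in stray:
        findings.append(f"line {line_no}: {line!r} is not a 'keyword value' "
                        "pair (a value wrapped onto a new line is not part "
                        "of the previous setting)")
    users = ignored_users(settings)
    for user in required:
        if user not in users:
            findings.append(f"nss_initgroups_ignoreusers does not list "
                            f"{user!r}: its group lookup still goes to LDAP")
    # nss_ldap defaults to bind_policy hard, which keeps reconnecting to an
    # unreachable server; soft fails fast so local logins are not held up.
    if settings.get('bind_policy', 'hard').lower() != 'soft':
        findings.append("bind_policy is not 'soft': nss_ldap keeps retrying "
                        "an unreachable server instead of failing fast")
    wait = worst_case_wait_seconds(settings)
    if wait > 60:
        findings.append(f"an LDAP-backed lookup can block for up to {wait}s "
                        "(uri count x bind_timelimit) while the servers are "
                        "down")
    return findings


if __name__ == '__main__':
    for name, conf in (('original', SAMPLE_LDAP_CONF), ('fixed', FIXED_LDAP_CONF)):
        print(f'== {name}')
        for finding in lint(conf) or ['no findings']:
            print(' -', finding)
```

Run against a real file with `lint(open('/etc/ldap.conf').read())`. On the constructed original the linter reports the wrapped `scd,gdm` line (the last recognised user in the list is `n`, and `nscd` and `gdm` are absent) and the 240-second worst case from two servers with bind_timelimit 120; root itself is present, which matches the poster's observation that the entry alone did not keep the login from waiting. The linter cannot tell why the two-user list behaved differently, so it only surfaces the facts a reader would want to compare between the two versions of the file.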