On Wed, Oct 5, 2016 at 7:08 PM, Xen <l...@xenhideout.nl> wrote:

> Mantas Mikulėnas schreef op 05-10-2016 14:49:
>
>> On Wed, Oct 5, 2016 at 1:47 PM, Xen <l...@xenhideout.nl> wrote:
>>
>>> Hi,
>>>
>>> the libnss-ldap package on my system used to contain (and still
>>> contains) a script that is run on system reboot and shutdown and
>>> installs itself into SysV directories for runlevel 0 and 6.
>>>
>>
>> Do you mean libnss-ldapd? The standalone libnss-ldap has been
>> deprecated for quite a while (in favor of nslcd-based thin modules).
>>
>> Also, what does this script do?
>>
>
> Thanks for the hint. I had come across nslcd but it seemed more
> complicated to get it running the first time, so I opted for the smaller
> solution having only libnss-ldap. I was not actually aware (anymore) of
> libnss-ldapd.
>
> I am sure it is a "better" solution I was just not sure I could get it
> running in due time.
>
> I also don't know what could be the difference here (I am sure there could
> be).
>
> The script does what I have mentioned in another email which is to exclude
> certain users and groups from being LDAP-sourced by factual enumeration:
> the script just lists all of the groups and users (I think) and puts them
> into the configuration file. It is just a bit of an ugly workaround I guess
> as to simply checking for user and group ID.
>
> The script probably just assumes that all user IDs and user groups start
> above a certain UID/GID.
>
> What you would really need is an LDAP module that would not perform
> lookups above a certain ID, but this also works, and is in a way more
> flexible and powerful.
>
> Even with very low timeouts LDAP queries would not be okay for system
> groups.
>
> There is just no way you can run a (Linux) system with system groups and
> users in some LDAP database.
>

If you mean "would not perform lookups _below_ a certain ID", then sure,
that exists. In /etc/nslcd.conf you can specify "nss_min_uid 1000", for
example, to avoid lookups for all system UIDs.

-- 
Mantas Mikulėnas <graw...@gmail.com>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
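The nss_min_uid setting mentioned above, as an added example that is not part of this thread or of nslcd itself: a small audit that parses an nslcd.conf and a passwd file (both constructed inline here) and lists the local accounts whose UID is at or above the threshold, i.e. the ones the setting does not keep out of LDAP lookups. The sample file contents, account names and helper function names are assumptions.

```python
# Added example (not from the thread): audit whether an nslcd.conf
# "nss_min_uid" threshold shields every local system account from LDAP
# lookups. Inputs are constructed strings standing in for /etc/nslcd.conf
# and /etc/passwd; nothing is read from the running system.
import re

# Constructed sample of /etc/nslcd.conf (only the nss_min_uid line matters).
SAMPLE_NSLCD_CONF = """\
uri ldap://ldap.example.internal/
base dc=example,dc=internal
# ignore LDAP entries whose uidNumber is below this value
nss_min_uid 1000
"""

# Constructed sample of /etc/passwd: system accounts plus two local users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-op:x:1500:1500:Local backup operator:/var/backups:/bin/bash
"""


def parse_nss_min_uid(conf_text):
    """Return the nss_min_uid value from nslcd.conf text, or None if unset."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"nss_min_uid\s+(\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def parse_passwd(passwd_text):
    """Return {name: uid} for every well-formed passwd line."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts


def unshielded_local_accounts(conf_text, passwd_text):
    """Local accounts whose UID is >= nss_min_uid (or all of them if unset).

    These are the accounts for which nslcd will still answer LDAP lookups, so a
    same-named LDAP entry could shadow or merge with the local one. System
    accounts should never appear here if the threshold is set sensibly.
    """
    threshold = parse_nss_min_uid(conf_text) or 0  # unset: nothing excluded
    return sorted(n for n, uid in parse_passwd(passwd_text).items() if uid >= threshold)
```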
