Centos – How to make local /etc/group take priority over LDAP when names collide


We have a working LDAP setup. However, we hit a problem recently due to some user names and group names existing both in the local files and in LDAP. Specifically, the apache user and group existed both in:

  • /etc/passwd and /etc/group
  • LDAP as both user and group

After a recent yum update (CentOS 5), it appeared that the group ID of the process had changed from the value in /etc/group to the value in LDAP (while the user ID remained the ID from /etc/passwd). As some of the files needed by httpd were owned by user root, with group apache (from /etc/group) but not world readable, this caused problems.

Note that we already have nss_initgroups_ignoreusers apache,... in both /etc/ldap.conf and /etc/openldap/ldap.conf. Also, in /etc/nsswitch.conf we have

passwd:     files ldap
group:     files ldap
shadow:     files ldap

and the rest of the normal bits and bobs.

So if a name exists in both LDAP and the local files, is there a way to ensure that the ID from the local files will take precedence over the ID in LDAP?

Best Answer

I don't know if it's a typo in your example but the group database is called group and not groups.

You should be able to force the search to stop after a successful lookup e.g.

passwd:    files [SUCCESS=return] ldap
group:     files [SUCCESS=return] ldap

The above should be the default action anyway, so you should confirm that what you are looking for really is in the files.

NOTES: Within each process that uses nsswitch.conf, the entire file is read only once; if the file is later changed, the process will continue using the old configuration.
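An added check, not part of the question or the answer above, for finding names that exist in both the local files and the directory with different numeric IDs, which is the situation the asker hit. The sample group entries are constructed (the GIDs are hypothetical); on a real host you would feed it the output of `getent -s files group` and `getent -s ldap group`, and the second function compares the default lookup against a files-only lookup with getent(1) to confirm which source actually wins.

```shell
#!/bin/sh
# Constructed sample data standing in for "getent -s files group" (left)
# and "getent -s ldap group" (right). GIDs are hypothetical.
LOCAL_GROUPS='root:x:0:
apache:x:48:
wheel:x:10:admin'
LDAP_GROUPS='apache:*:10048:
developers:*:10100:alice,bob
wheel:*:10:admin'

# Print "name local=<id> ldap=<id>" for every name present in both sources
# whose numeric ID differs. $1 = local entries, $2 = directory entries,
# both in name:pw:id:... format, one entry per line.
find_id_collisions() {
    tmp_local=$(mktemp) || return 1
    tmp_ldap=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp_local"
    printf '%s\n' "$2" > "$tmp_ldap"
    # First pass (NR==FNR) records local IDs; second pass reports mismatches.
    awk -F: 'NR==FNR { local_id[$1] = $3; next }
             ($1 in local_id) && local_id[$1] != $3 {
                 printf "%s local=%s ldap=%s\n", $1, local_id[$1], $3
             }' "$tmp_local" "$tmp_ldap"
    rm -f "$tmp_local" "$tmp_ldap"
}

# On a real host: succeed only when the name resolves from the local files
# and the default lookup (all nsswitch sources) returns that same ID.
# $1 = database (passwd or group), $2 = name.
resolved_id_matches_files() {
    all_id=$(getent "$1" "$2" 2>/dev/null | cut -d: -f3)
    files_id=$(getent -s files "$1" "$2" 2>/dev/null | cut -d: -f3)
    [ -n "$files_id" ] && [ "$all_id" = "$files_id" ]
}

find_id_collisions "$LOCAL_GROUPS" "$LDAP_GROUPS"
if resolved_id_matches_files group apache; then
    echo "group apache: local files entry wins on this host"
else
    echo "group apache: not in local files here, or another source won"
fi
```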