LDAP queries for local users

Tags: authentication, ldap, nsswitch.conf, pam

Recently, in the company where I work, we have had a general system crash and we are figuring out the causes. Our machines are configured for LDAP authentication, plus some local users on some of them. LDAP authentication works fine, but we have found from the log that there are also some LDAP queries for local users, and we think that this could be related to the crash.
I am working on this problem, changing nsswitch.conf, PAM modules and so on, but I can't get rid of this LDAP call for local users.
Does anyone have any idea on how to stop LDAP queries for local users?

Thank you very much in advance.

SuSE Linux 11 SP2 and OpenLDAP 2.4 are installed on our machine.
This is nsswitch.conf:

passwd:         compat
group:          files ldap
hosts:          files dns
networks:       files dns

passwd_compat:  ldap
group_compat:   ldap

UPDATE

This is the log taken from the LDAP server after a login attempt on another machine by a user called guest, which is local to that machine:

Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=guest))"
Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=2 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=guest))"
Jul 29 11:00:47 vmtemplate slapd[2465]: conn=1008 op=407 SRCH base="dc=test,dc=com" 

Best Answer

To put it simply, you can't, not without removing ldap from nsswitch.conf and defeating the point of the exercise.

Some calls want that data. An easy illustration of this is to run the following command, which will definitely trip whatever log filter your colleagues are wringing their hands watching: getent passwd

This will dump all users, both from the local system and LDAP. The important thing to understand about how dupe usernames/uids are handled is to visualize what would happen if those dupe entries were actually in /etc/passwd, in the order seen by getent passwd. This has never led to any crashes that I know of, otherwise every terrible software vendor who has ever added a second user with a uid of 0 to a system would have immediately brought the machine to its knees.
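An added example, not part of the question or the answer above: a small Python check that reads slapd SRCH log lines in the format shown in the question and reports which searches name an account that also exists in the client's local passwd file. The function names are hypothetical; the first two log lines come from the question, and the remaining log lines and the passwd content are constructed.

```python
import re

# Sample input: lines 1-2 are from the question, lines 3-4 are constructed.
SAMPLE_LOG = """\
Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=guest))"
Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=2 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=guest))"
Jul 29 11:01:02 vmtemplate slapd[2465]: conn=1630 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Jul 29 11:01:05 vmtemplate slapd[2465]: conn=1008 op=407 SRCH base="dc=test,dc=com"
"""

# Constructed client /etc/passwd: guest is local, alice exists only in LDAP.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:100:Guest:/home/guest:/bin/bash
+::::::
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
NAME_RE = re.compile(r'\((uid|memberUid)=([^)*]+)\)')  # skips wildcard filters

def local_users(passwd_text):
    """Names from passwd-format text, skipping compat-mode +/- entries."""
    names = set()
    for line in passwd_text.splitlines():
        name = line.split(":", 1)[0].strip()
        if name and not name.startswith(("+", "-", "#")):
            names.add(name)
    return names

def local_user_lookups(log_text, passwd_text):
    """Return (conn, op, attr, name) for each SRCH naming a local account."""
    local = local_users(passwd_text)
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue  # not a SRCH, or the filter is absent/truncated
        for attr, name in NAME_RE.findall(m.group(3)):
            if name in local:
                hits.append((int(m.group(1)), int(m.group(2)), attr, name))
    return hits

if __name__ == "__main__":
    for conn, op, attr, name in local_user_lookups(SAMPLE_LOG, SAMPLE_PASSWD):
        print(f"conn={conn} op={op}: LDAP search on {attr} for local user {name}")
```

Run against a real slapd log and a copy of the client's /etc/passwd, this gives a count of how much LDAP traffic is attributable to local accounts before changing nsswitch.conf.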