In my current LDAP set-up "getent passwd" shows all 600+ users that exist in the LDAP, not enumerating only the 20 LDAP-users that have permission to access this netgroup/server.
This can be solved by compat mode to filter the users:
nsswitch.conf:

    passwd: files compat
    passwd_compat: ldap

In the passwd file, add +@netgroup.
I wonder, what are the disadvantages of using this nsswitch compat mode?
Best Answer
A lot of stuff will assume you are using NIS (bad for several reasons) which is what compat really means (that you can use NIS syntax like +@netgroup etc). I assume you are not actually using YP on these boxes but creating the relevant files manually (or with puppet or whatever). In that case I don't see a major drawback, just a little extra config and you'll need to keep an eye on compatibility (no pun intended). You may get the same results by setting up a filter in your ldap.conf which should be more forward compatible.
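To make the effect of the +@netgroup / -@netgroup entries concrete, here is a small model of how nss_compat walks the local passwd file and decides which directory accounts end up in "getent passwd" output. This is an added example, not code from the question, the answer, or glibc; the user names, UIDs, netgroups and the local passwd lines are constructed stand-ins for the 600+ LDAP accounts and the 20 permitted ones, and the model deliberately ignores the NIS field-override syntax (for example "+@netgroup::::::/bin/false") beyond parsing past it.

```python
"""Model of nss_compat passwd filtering with NIS-style +/-@netgroup entries.

Added example; not glibc code. All data below is constructed.
"""
from typing import Dict, List, Optional, Set

# Constructed stand-in for the full LDAP passwd map (the "600+ users").
LDAP_PASSWD: Dict[str, str] = {
    "alice": "alice:x:10001:10001:Alice:/home/alice:/bin/bash",
    "bob":   "bob:x:10002:10002:Bob:/home/bob:/bin/bash",
    "carol": "carol:x:10003:10003:Carol:/home/carol:/bin/bash",
    "dave":  "dave:x:10004:10004:Dave:/home/dave:/bin/bash",
    "erin":  "erin:x:10005:10005:Erin:/home/erin:/bin/bash",
}

# Constructed netgroup map. A member starting with "@" is a nested netgroup;
# anything else is the user field of a (host,user,domain) triple.
NETGROUPS: Dict[str, List[str]] = {
    "webadmins":    ["alice", "bob"],
    "ops":          ["dave"],
    "contractors":  ["carol"],
    "serveraccess": ["@webadmins", "@ops", "carol"],
}

# Constructed local /etc/passwd with compat entries, in the order nss_compat
# reads them: exclusions only affect "+" entries that come after them.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
-@contractors
+@serveraccess
+erin
"""


def netgroup_users(name: str, netgroups: Dict[str, List[str]],
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a netgroup (following nested netgroups, cycle-safe) to user names."""
    if seen is None:
        seen = set()
    if name in seen or name not in netgroups:
        return set()
    seen.add(name)
    users: Set[str] = set()
    for member in netgroups[name]:
        if member.startswith("@"):
            users |= netgroup_users(member[1:], netgroups, seen)
        else:
            users.add(member)
    return users


def resolve_compat(local_passwd: str, ldap_passwd: Dict[str, str],
                   netgroups: Dict[str, List[str]]) -> List[str]:
    """Return the passwd entries that "getent passwd" would enumerate.

    Local (non +/-) lines are passed through; "+" pulls in the whole
    directory map; "+@ng" / "+user" pull in selected directory accounts;
    "-@ng" / "-user" blacklist accounts for later "+" lines.
    """
    enumerated: List[str] = []
    emitted: Set[str] = set()
    excluded: Set[str] = set()

    def emit(user: str) -> None:
        if user in ldap_passwd and user not in excluded and user not in emitted:
            emitted.add(user)
            enumerated.append(ldap_passwd[user])

    for raw in local_passwd.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(":", 1)[0]   # drop any NIS field overrides after the name
        if key == "+":
            for user in ldap_passwd:
                emit(user)
        elif key.startswith("+@"):
            for user in sorted(netgroup_users(key[2:], netgroups)):
                emit(user)
        elif key.startswith("+"):
            emit(key[1:])
        elif key.startswith("-@"):
            excluded |= netgroup_users(key[2:], netgroups)
        elif key.startswith("-"):
            excluded.add(key[1:])
        else:
            enumerated.append(line)  # ordinary local account
            emitted.add(key)
    return enumerated


def enumerated_users(local_passwd: str, ldap_passwd: Dict[str, str],
                     netgroups: Dict[str, List[str]]) -> List[str]:
    """Just the user names, in enumeration order."""
    return [e.split(":", 1)[0] for e in resolve_compat(local_passwd, ldap_passwd, netgroups)]


if __name__ == "__main__":
    for entry in resolve_compat(LOCAL_PASSWD, LDAP_PASSWD, NETGROUPS):
        print(entry)
```

Run stand-alone, the model lists root, alice, bob, dave and erin: carol is in the serveraccess netgroup but was blacklisted by the earlier -@contractors line, and no bare "+" line exists, so the rest of the directory never appears. Swap the two compat lines and carol is enumerated, which is the ordering subtlety worth checking on a real box with "getent passwd" after any change to the file.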