
Recently, in the company where I work, we had a general system crash and we are figuring out the causes. Our machines are configured for LDAP authentication, plus some local users on some of them. LDAP authentication works fine, but we have found from the log that there are also some LDAP queries for local users, and we think this could be related to the crash. I am working on this problem, changing nsswitch.conf, PAM modules and so on, but I can't get rid of these LDAP calls for local users. Does anyone have any idea how to stop LDAP queries for local users?

Thank you very much in advance.

Our machines run SuSE Linux 11 SP2 and OpenLDAP 2.4. This is nsswitch.conf:

passwd:         compat
group:          files ldap
hosts:          files dns
networks:       files dns

passwd_compat:  ldap
group_compat:   ldap

UPDATE

This is the log taken from the LDAP server after a login attempt on another machine by a user called guest, which is local to that machine:

Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=guest))"
Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=2 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=guest))"
Jul 29 11:00:47 vmtemplate slapd[2465]: conn=1008 op=407 SRCH base="dc=test,dc=com" 
ColOfAbRiX
  • What are the error messages from the time of the crash? Without logs we may be going on a wild goose chase. – Deer Hunter Jul 25 '13 at 16:57
    ...and can you give us details on what you mean by "LDAP calls for local users" and why you think this is associated with the crash? In an environment where you're using multiple directory services (files and LDAP, in this case), that's not unexpected behavior. – larsks Jul 25 '13 at 17:42
  • Right now I don't have any logs; I will post them on Monday. I am not an expert in LDAP so I am doing my best: there is only one LDAP server in the environment, and by "LDAP calls" I mean that the client machines query the LDAP server with the name of the local user in the filter. Personally I think this is not associated with the crash, but my colleagues think it's because of conflicting UIDs. Anyway, thank you very much. – ColOfAbRiX Jul 25 '13 at 21:52
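The question is really about quantifying which of the slapd searches name accounts that also exist in the client's /etc/passwd. The following script is an added example (not code from the question or from the OpenLDAP project) that parses slapd SRCH log lines, pulls the looked-up name out of the `uid=` or `memberUid=` filter term, and reports the searches that target local accounts. The passwd excerpt and the fourth log line are constructed; the first three log lines are the ones quoted in the question, including the truncated one, which the parser skips rather than misreads.

```python
"""Correlate slapd search-log lines with a local passwd file to find which
LDAP lookups name accounts that also exist locally.  Added example, not code
from the question; the passwd excerpt and the fourth log line are constructed."""
import re
from typing import Dict, List, Optional

# Log lines: the first three are from the question (the third is truncated in
# the original post and is kept that way); the fourth is constructed.
SAMPLE_SLAPD_LOG = """\
Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=guest))"
Jul 29 11:00:45 vmtemplate slapd[2465]: conn=1627 op=2 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=guest))"
Jul 29 11:00:47 vmtemplate slapd[2465]: conn=1008 op=407 SRCH base="dc=test,dc=com"
Jul 29 11:00:52 vmtemplate slapd[2465]: conn=1629 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
"""

# Constructed /etc/passwd excerpt from the client that hosts the local "guest".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:100:Local guest:/home/guest:/bin/bash
"""

SRCH_RE = re.compile(
    r'slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?filter="(?P<filter>[^"]*)"')
# The account name an NSS/PAM lookup asks for: uid= for passwd lookups,
# memberUid= for group-membership (initgroups) lookups.
NAME_RE = re.compile(r'\((uid|memberUid)=([^)*]+)\)')


def local_users(passwd_text: str) -> Dict[str, int]:
    """Map user name -> numeric uid for every entry in a passwd file."""
    users: Dict[str, int] = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def parse_search(line: str) -> Optional[dict]:
    """Return conn/op/filter/kind/name for a SRCH line, or None if the line
    is not a search or its filter is missing (e.g. a truncated log line)."""
    m = SRCH_RE.search(line)
    if not m:
        return None
    n = NAME_RE.search(m.group('filter'))
    return {
        'conn': int(m.group('conn')),
        'op': int(m.group('op')),
        'filter': m.group('filter'),
        'kind': 'passwd' if n and n.group(1) == 'uid' else ('group' if n else None),
        'name': n.group(2) if n else None,
    }


def local_account_lookups(log_text: str, passwd_text: str) -> List[dict]:
    """Searches whose looked-up name exists in the local passwd file."""
    users = local_users(passwd_text)
    hits = []
    for line in log_text.splitlines():
        s = parse_search(line)
        if s and s['name'] in users:
            hits.append({**s, 'local_uid': users[s['name']]})
    return hits


if __name__ == '__main__':
    for h in local_account_lookups(SAMPLE_SLAPD_LOG, SAMPLE_PASSWD):
        print(f"conn={h['conn']} op={h['op']} {h['kind']} lookup for local user "
              f"{h['name']} (local uid {h['local_uid']})")
```

Run against the real slapd log and the client's /etc/passwd, this separates the `uid=` (passwd) lookups from the `memberUid=` (group/initgroups) lookups; the latter come from the `group: files ldap` line in nsswitch.conf and are what `nss_initgroups_ignoreusers` addresses, while the former depend on the passwd source order.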

1 Answer


To put it simply, you can't, not without removing ldap from nsswitch.conf and defeating the point of the exercise.

Some calls want that data. An easy illustration of this is to run the following command, which will definitely trip whatever log filter your colleagues are wringing their hands watching: getent passwd

This will dump all users, both from the local system and LDAP. The important thing to understand about how dupe usernames/uids are handled is to visualize what would happen if those dupe entries were actually in /etc/passwd, in the order seen by getent passwd. This has never led to any crashes that I know of, otherwise every terrible software vendor who has ever added a second user with a uid of 0 to a system would have immediately brought the machine to its knees.

Andrew B
  • This is a good explanation, thank you, I was experimenting with many different options before I arrived at the same fact. But my older colleagues prefer to avoid these queries so now I am trying with the option `nss_initgroups_ignoreusers` which seems to stop this behaviour. – ColOfAbRiX Jul 29 '13 at 11:15
  • @Fabrizio No problem. Please upvote answers if you find them helpful, and if you end up coming up with a solution on your own, post that answer and "accept" it once the system lets you. – Andrew B Jul 30 '13 at 19:25
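The answer's advice is to picture the merged `getent passwd` output and apply first-match semantics in nsswitch order. The script below is an added example (not the answerer's code) that models exactly that: a `files` source and an `ldap` source, both constructed, with a duplicate name (`guest`) and a duplicate uid (a second uid-0 account), plus a trace of which sources each lookup consulted. It is a simplified model of glibc NSS first-match resolution; real `compat` mode and nss_ldap have extra rules (for example `+` entries in /etc/passwd) that it does not reproduce.

```python
"""Model how NSS merges passwd entries from several sources in nsswitch order,
to show how duplicate names and uids resolve and which sources a lookup
touches.  Added example, not the answer's code; all entries are constructed."""
from typing import Dict, List, Optional

Entry = Dict[str, object]


def entry(name: str, uid: int, gid: int, home: str) -> Entry:
    return {'name': name, 'uid': uid, 'gid': gid, 'home': home}


# Constructed: the client's local file and what the LDAP server would return.
SOURCES: Dict[str, List[Entry]] = {
    'files': [entry('root', 0, 0, '/root'),
              entry('guest', 1001, 100, '/home/guest')],
    'ldap':  [entry('guest', 5001, 5000, '/ldap/home/guest'),
              entry('alice', 5002, 5000, '/ldap/home/alice'),
              entry('toor', 0, 0, '/root')],   # a second uid-0 account
}


def getent_passwd(order: List[str], sources=SOURCES) -> List[Entry]:
    """Enumeration: every source in order, duplicates included, which is what
    `getent passwd` shows (and why it always reaches the LDAP server)."""
    out: List[Entry] = []
    for src in order:
        out.extend(sources.get(src, []))
    return out


def _lookup(key: str, value, order: List[str], sources, trace) -> Optional[Entry]:
    """First source in nsswitch order holding a match wins; later duplicates
    are never seen.  Sources consulted are appended to `trace` if given."""
    for src in order:
        if trace is not None:
            trace.append(src)
        for e in sources.get(src, []):
            if e[key] == value:
                return e
    return None


def getpwnam(name: str, order: List[str], sources=SOURCES,
             trace: Optional[List[str]] = None) -> Optional[Entry]:
    return _lookup('name', name, order, sources, trace)


def getpwuid(uid: int, order: List[str], sources=SOURCES,
             trace: Optional[List[str]] = None) -> Optional[Entry]:
    return _lookup('uid', uid, order, sources, trace)


def duplicates(order: List[str], sources=SOURCES) -> Dict[str, dict]:
    """Names and uids present in more than one source, with the sources."""
    by_name: Dict[object, List[str]] = {}
    by_uid: Dict[object, List[str]] = {}
    for src in order:
        for e in sources.get(src, []):
            by_name.setdefault(e['name'], []).append(src)
            by_uid.setdefault(e['uid'], []).append(src)
    return {'names': {k: v for k, v in by_name.items() if len(v) > 1},
            'uids': {k: v for k, v in by_uid.items() if len(v) > 1}}


if __name__ == '__main__':
    order = ['files', 'ldap']
    for e in getent_passwd(order):
        print(f"{e['name']}:x:{e['uid']}:{e['gid']}::{e['home']}")
    print('duplicates:', duplicates(order))
    t: List[str] = []
    print('guest ->', getpwnam('guest', order, trace=t), 'consulted', t)
```

With `files` first, `getpwnam('guest')` stops at the local entry and never consults LDAP, while a name that is not local (or a uid lookup that misses in files) goes on to the LDAP source; reversing the order flips which `guest` and which uid-0 account wins, with no crash either way, which is the answer's point about duplicates.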