0

We have an LDAP server and clients configured to authenticate users against it. Everything is working fine, except that I saw in the LDAP server logs that the clients also contact the LDAP server to authenticate users such as root, apache, etc. How can I disable that?

Thanks

  • Which method are you using for your LDAP lookups? `sssd`, `nslcd`...? – Thomas Mar 27 '17 at 16:34
  • I'm using nslcd. I found the `nss_initgroups_ignoreusers` parameter and added it to `/etc/pam_ldap.conf` and `/etc/openldap/ldap.conf` (for root, apache, postfix, etc.) and restarted nslcd. It works for the Ubuntu clients but is completely ignored by the CentOS ones (CentOS 6). – keegita gina Mar 28 '17 at 13:54

1 Answer

1

For posterity, I finally resolved the problem with the CentOS clients by adding the parameter `nss_initgroups_ignoreusers` in `/etc/nslcd.conf`, not in `/etc/pam_ldap.conf` nor in `/etc/openldap/ldap.conf`. Not sure why, but that was the only case that worked.
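
A way to check the setting from the answer above, added here as an example and not part of the original post: the script reads the `nss_initgroups_ignoreusers` entries from an nslcd.conf (a comma-separated list, which may be given more than once) and lists the local accounts in a passwd file that the list does not cover. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# ignored_users CONF: print each user named by nss_initgroups_ignoreusers,
# one per line. Commented-out lines do not match because $1 then starts with '#'.
ignored_users() {
    awk '$1 == "nss_initgroups_ignoreusers" {
             for (f = 2; f <= NF; f++) {
                 n = split($f, u, ",")
                 for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
             }
         }' "$1" | sort -u
}

# uncovered_users PASSWD CONF: print local account names missing from the list.
uncovered_users() {
    ignored=$(ignored_users "$2")
    cut -d: -f1 "$1" | sort -u | while read -r name; do
        printf '%s\n' "$ignored" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# make_sample: write constructed sample files to a temp dir and print its path.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
EOF
    cat > "$d/nslcd.conf" <<'EOF'
# constructed sample, not a real deployment
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_initgroups_ignoreusers root,apache
nss_initgroups_ignoreusers postfix
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
uncovered_users "$sample/passwd" "$sample/nslcd.conf"   # prints: ntp
rm -rf "$sample"
```

On a real client, pass `/etc/passwd` and `/etc/nslcd.conf` instead of the sample files, and restart nslcd after changing the list.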