Re: nsswitch.conf with nss_ldap

[Matthias Pfaller <leo%marco.de@localhost>]

Dima Veselov wrote:
> On Fri, Feb 19, 2010 at 09:36:59PM +0100, Matthias Pfaller wrote:
>
>   
> > > > I have met a problem, concerning nss_ldap usage - OpenLDAP slapd is running
> > > > in unpriveledged mode, so at start it try to resolve '-u slapd' and catch
> > > > itself - nss_ldap is trying to resolve, but slapd isn't yet ready. If nss_ldap
> > > > is turned in hard mode - this situation cause server to stall forever.
> > > > Having user slapd in /etc/passwd, I tried to use nsswitch.conf entry as follows:
> > > >
> > > > passwd: files [success=return] ldap
> > > >
> > > > But it really doesn't work. What usually people do to start it easily on files 
> > > > and continue on ldap?
> > > >
> > > >         
> > > In general you can't use nss_ldap on the ldap server itself.
> > >
> > >       
> > You can. But you have to add
> >
> >        group:          files [success=return] ldap
> >        passwd:         files [success=return] ldap
> >
> > to your /etc/nsswitch.conf and you must add
> >
> >        nss_initgroups_ignoreusers slapd,root
> >
> > to your /etc/openldap/ldap.conf (/usr/pkg/etc/nss_ldap.conf,  
> > /usr/pkg/etc/pam_ldap.conf).
> >     
>
> Thanks for solution, but why adding [success=return] if adding ignoreusers? 
> Just curious.
>   

The [success=return] is almost enough, but initgroups(3) will still fail 
because it needs to scan the complete group database for groups with 
[slapd,root] as members. The nss_initgroups_inoreusers prevents this scan.

Regards, Matthias