[CentOS] nsswitch.conf, ldap, local groups problem

[Stephen Harris]

On Wed, Aug 27, 2008 at 05:07:26PM -0400, Mark Hennessy wrote:
> With networking, no trouble at all, but with those timeouts of 30  
> seconds and without those changes to nsswitch.conf, it takes a while  
> for the first root login to succeed even though it is using local auth.

If you have ldap groups and the ldap server isn't reachable then logins
_can_ take a long time (depending on why the ldap server isn't reachable;
if a "telnet ldapserver ldap" returns immediately then it shouldn't) because
a login has to go through _every_ group to determine if you're in the
group or not.

It doesn't do a "getent group blah" it does the equivalent of
  while (getgrent())
  {
  }
which means it tries to parse the whole local _and_ ldap group entries.

It needs to do this to get your secondary group list.

Even root would need to do this.

-- 

rgds
Stephen