[CentOS] nsswitch.conf, ldap, local groups problem
Stephen Harris
lists at spuddy.org
Wed Aug 27 22:19:47 UTC 2008
On Wed, Aug 27, 2008 at 05:07:26PM -0400, Mark Hennessy wrote:
> With networking, no trouble at all, but with those timeouts of 30
> seconds and without those changes to nsswitch.conf, it takes a while
> for the first root login to succeed even though it is using local auth.
If you have ldap groups and the ldap server isn't reachable then logins
_can_ take a long time (depending on why the ldap server isn't reachable;
if a "telnet ldapserver ldap" returns immediately then it shouldn't) because
a login has to go through _every_ group to determine if you're in the
group or not.
It doesn't do a "getent group blah"; it does the equivalent of
while (getgrent())
{
}
which means it tries to parse the whole local _and_ ldap group entries.
It needs to do this to get your secondary group list.
Even root would need to do this.
--
rgds
Stephen
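The getgrent() walk Stephen describes, as an added example that is not part of the original post: a small C program that builds a user's secondary group list the way initgroups(3) has to, by scanning every group entry rather than looking one up by name. The group entries are a constructed in-memory sample in /etc/group format (the "ldap-*" lines stand in for entries the LDAP backend would return through NSS; the names and GIDs are assumptions), so it runs offline without touching nsswitch or an LDAP server.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed sample in /etc/group format: name:passwd:gid:member,list.
 * The "ldap-*" lines stand in for entries an LDAP NSS backend would
 * return; to a getgrent() caller they look exactly like local ones. */
static const char *const sample_group_db[] = {
    "root:x:0:",
    "wheel:x:10:root,alice",
    "users:x:100:alice,bob",
    "ldap-dev:x:5000:bob,carol",
    "ldap-ops:x:5001:alice",
    "ldap-www:x:5002:",
};
#define NGROUPS_DB (sizeof sample_group_db / sizeof sample_group_db[0])

/* Return 1 if the comma-separated member list names user exactly. */
static int member_list_has(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == ulen && memcmp(p, user, ulen) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Split one "name:passwd:gid:members" line. Returns 0 if malformed. */
static int parse_group_line(const char *line, char *name, size_t nsz,
                            long *gid, const char **members)
{
    const char *f1 = strchr(line, ':');
    if (!f1) return 0;
    const char *f2 = strchr(f1 + 1, ':');
    if (!f2) return 0;
    const char *f3 = strchr(f2 + 1, ':');
    if (!f3) return 0;
    size_t nlen = (size_t)(f1 - line);
    if (nlen == 0 || nlen >= nsz) return 0;
    memcpy(name, line, nlen);
    name[nlen] = '\0';
    *gid = strtol(f2 + 1, NULL, 10);
    *members = f3 + 1;
    return 1;
}

/* initgroups()-style scan: every entry is visited, because the user may
 * be a member of any number of groups, so there is no early exit. The
 * primary group is skipped (it is added separately, not from membership).
 * Returns the number of secondary GIDs stored in gids; *scanned receives
 * the number of entries walked, which is always the whole database. */
int supplementary_groups(const char *user, long primary_gid,
                         long *gids, int max, int *scanned)
{
    int n = 0;
    *scanned = 0;
    for (size_t i = 0; i < NGROUPS_DB; i++) {
        char name[64];
        long gid;
        const char *members;
        (*scanned)++;
        if (!parse_group_line(sample_group_db[i], name, sizeof name,
                              &gid, &members))
            continue;
        if (gid == primary_gid)
            continue;
        if (member_list_has(members, user) && n < max)
            gids[n++] = gid;
    }
    return n;
}

int main(void)
{
    long gids[16];
    int scanned;
    int n = supplementary_groups("alice", 100, gids, 16, &scanned);
    printf("alice: %d secondary group(s) after scanning %d entries:", n, scanned);
    for (int i = 0; i < n; i++)
        printf(" %ld", gids[i]);
    printf("\n");
    n = supplementary_groups("root", 0, gids, 16, &scanned);
    printf("root: %d secondary group(s), still scanned %d entries\n", n, scanned);
    return 0;
}
```

The point the program makes is the one in the post: even root, who is only in "wheel" here, costs a full pass over all six entries. On a real box those entries come back one getgrent() call at a time through the "group" line in nsswitch.conf, so every LDAP-backed call that has to wait for an unreachable server adds its timeout to the login.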