[CentOS] Problems with nss_ldap - where to start?

Devin Reade gdr at gno.org
Thu Dec 17 18:55:04 UTC 2009

Steve Thompson <smt at vgersoft.com> wrote:

>> 	<https://bugzilla.redhat.com/show_bug.cgi?id=182464>
> I disagree that this is a bug. It's not a problem if you configure 
> ldap.conf properly. For example, using
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

That was identified fairly early on, and you'll notice the example
config I sent includes those users (and is in fact the default config
in CentOS 5.4).  It doesn't seem to always solve the problem. This problem
seems to be very sensitive to configs (some sites exhibit it, some don't)
and also sensitive to changes in boot sequence from release to release.
If it works for you, great.  It doesn't seem to be globally sufficient,
though.  It's been closed a few times but just keeps popping up.

Note this paragraph from <https://bugzilla.redhat.com/show_bug.cgi?id=182464#c10>
which, to the best of my knowledge, has not been addressed:

  I did some splunking with strace, followed by code inspection of libnss_ldap.
  It turns out that the information referenced by nss_initgroups_ignoreusers
  is only used _after_ the library attempts to connect to the ldap server.

However, that said, this is getting a bit off topic from the original
question, so I won't dwell on it any more.

One should forgive one's enemies,
but not before they are hanged.				- Heinrich Heine
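As an added example, not part of this thread or of nss_ldap's own code: a small shell check that the list in nss_initgroups_ignoreusers actually covers every local system account in /etc/passwd, which is the first thing to verify before chasing the boot-order behaviour discussed above. Both input files are constructed samples. Assumptions: system accounts are those with UID below 500 (the CentOS 5 convention, overridable by the third argument), the directive name is matched case-sensitively with the last occurrence winning, and its value is a comma-separated list without spaces, as in the example quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the CentOS thread): report local system accounts
# that are NOT listed in nss_initgroups_ignoreusers in ldap.conf.

# Constructed sample /etc/passwd (not a real system's file).
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
jdoe:x:500:500:Jane Doe:/home/jdoe:/bin/bash
EOF

# Constructed sample ldap.conf carrying the list quoted in the thread.
SAMPLE_LDAP_CONF=$(mktemp)
cat >"$SAMPLE_LDAP_CONF" <<'EOF'
# ldap.conf (constructed sample)
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_LDAP_CONF"' EXIT

# Print the users named by nss_initgroups_ignoreusers, one per line.
# Assumption: exact (case-sensitive) directive name, last occurrence wins,
# comma-separated value with no embedded spaces.
ignored_users() {
    awk '$1 == "nss_initgroups_ignoreusers" { v = $2 } END { if (v != "") print v }' "$1" |
        tr ',' '\n'
}

# Print accounts from a passwd file whose UID is below the threshold
# (default 500, assumed CentOS 5 system-account range) and which are
# missing from the ignore list in the given ldap.conf.
missing_ignoreusers() {
    passwd_file=$1; conf_file=$2; threshold=${3:-500}
    ignored=$(ignored_users "$conf_file" | tr '\n' ' ')
    awk -F: -v max="$threshold" '$3 < max { print $1 }' "$passwd_file" |
    while IFS= read -r user; do
        case " $ignored " in
            *" $user "*) ;;                     # covered by the directive
            *) printf '%s\n' "$user" ;;         # not covered: report it
        esac
    done
}

# Stand-alone run: with the constructed samples this prints bin, rpc and sshd.
missing_ignoreusers "$SAMPLE_PASSWD" "$SAMPLE_LDAP_CONF"
```

This checks configuration coverage only. It says nothing about the ordering problem raised in the bugzilla comment quoted above (the library connecting to the LDAP server before consulting the list), which is a code-path question rather than a configuration one; confirming that on a given release still takes the kind of strace session and source inspection the comment describes.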

