This workaround is only relevant if you use nss with ldap. It prevents
group lookups for the users that are provided with
nss_initgroups_ignoreusers. The list excludes users for group lookups in
LDAP, not the other way around. I think the bug is relevant to
libnss_ldap, because my system boots ok with this fix.
Sebastiaan
Bill MacAllister wrote:
> Is there any reason that this shouldn't be used on any system that
> uses libnss_ldap? Indeed, it seems that it would make sense to just
> include all the groups in the /etc/group file in this list. Am I
> missing something?
>
> Bill
>
> --On Wednesday, February 13, 2008 06:20:35 PM +0000 Sebastiaan
> Veldhuisen <email address hidden> wrote:
>
>> a workaround (working in my setup) to stop calling ldap for local system
>> users and groups:
>>
>> add this line to /etc/ldap.conf (adapt it to your setup):
>>
>> nss_initgroups_ignoreusers root,root.slocate,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,list,irc,gnats,nobody,dhcp,syslog,klog,avahi-autoipd,messagebus,avahi,cupsys,haldaemon,hplip,statd,ntp,sshd,beagleindex,clamav
>>
>> with a bind policy soft.
>>
>> Hope this helps
>>
>> Sebastiaan
>
>
>
>
> +---------------------------------------------------------------------
> | Bill MacAllister <email address hidden>
> | Systems Programmer, ITS Unix Systems, Stanford University
>
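
The list discussed in this thread takes user names, so one way to keep it current is to derive it from the local passwd database and compare it with what `/etc/ldap.conf` already contains. The following is an added example, not code from either poster or from libnss_ldap; the UID cutoff of 999 for system accounts, the function names and both sample inputs are assumptions constructed for illustration.

```python
# Assumption: local system accounts have UIDs of 999 or below (distribution-dependent).
SYSTEM_UID_MAX = 999
DIRECTIVE = "nss_initgroups_ignoreusers"

# Constructed sample in /etc/passwd format (not taken from the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# comment line
messagebus:x:103:109::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
+::::::
"""

# Constructed sample ldap.conf content.
SAMPLE_LDAP_CONF = """\
bind_policy soft
nss_initgroups_ignoreusers root,daemon,sshd,clamav
"""


def system_users(passwd_text, uid_max=SYSTEM_UID_MAX):
    """Return names of local accounts whose UID is <= uid_max, in file order."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Skip comments, blank or malformed lines and NIS compat (+/-) entries.
        if line.startswith(("#", "+", "-")) or len(fields) < 7:
            continue
        if fields[2].isdigit() and int(fields[2]) <= uid_max:
            users.append(fields[0])
    return users


def audit(ldap_conf_text, passwd_text):
    """Return (suggested line, local users not listed, listed names not local)."""
    listed = []
    for line in ldap_conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == DIRECTIVE:
            listed = [u.strip() for u in parts[1].split(",") if u.strip()]
    local = system_users(passwd_text)
    missing = [u for u in local if u not in listed]
    stale = [u for u in listed if u not in local]
    return f"{DIRECTIVE} {','.join(local)}", missing, stale


if __name__ == "__main__":
    print(audit(SAMPLE_LDAP_CONF, SAMPLE_PASSWD))
```

On a real host, pass the contents of `/etc/passwd` and `/etc/ldap.conf` instead of the samples; accounts that need supplementary groups from LDAP should stay out of the list.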