# nsswitch.conf problem and ldap



## mamalos (Mar 23, 2009)

Dear all,

I am facing a problem with /etc/nsswitch.conf and nss_ldap. From what I realized after some googling, I am not the first one to have this problem (of course), but I did not find any solution. The thing is the following:

My machine has some local users in /etc/passwd and some groups in /etc/group. I also have some users ("remote") in openldap and wish to accomplish the following: When a user is being looked up, if found in /etc/passwd and their group in /etc/group, the command should terminate and not proceed with ldap. If not found, the command should proceed with an ldap search. This behavior should be implemented by the following /etc/nsswitch.conf (regarding the relevant entries):

```
group: files ldap
passwd: files ldap
```

However, this is not the case. Whenever I look up root, by issuing "id root" for example, and the ldap server is down, the lookup procedure takes 1 min to complete (the default timeout) and then responds with root's id. The only way to accomplish the aforementioned behavior is by having the following in nsswitch.conf:

```
group: files [success=return notfound=return] ldap
passwd: files [success=return notfound=return] ldap
```

Of course, this accomplishes only the first half: once the user is found in the local db (/etc/passwd etc.), the command completes immediately. The second half is not accomplished, meaning that a user that does not exist in the local db is not searched in ldap, and the command again completes immediately. This is the same as not having ldap at all in my nsswitch.conf.

Does anybody know why this happens? And if so, is there a way to avoid the delay?

Thanks all in advance


----------



## Mel_Flynn (Mar 23, 2009)

how about success=return notfound=continue?

Got this from reading nsswitch.conf(5), not actually tried it.


----------



## mamalos (Mar 23, 2009)

Mel_Flynn said:

> how about success=return notfound=continue?
> 
> Got this from reading nsswitch.conf(5), not actually tried it.



Thanks Flynn,

this is the default, and unfortunately it does not work. In the meantime I found some threads on other forums regarding my issue, tested on Debian systems, and people are suggesting placing all local users in the nss_initgroups_ignoreusers directive of /usr/local/etc/nss_ldap.conf, which is supposed to do exactly what I wish: all users in this directive are ignored by the ldap search, since for some reason the nss_ldap version of initgroups(3) keeps looking for ldap groups when performing a lookup, no matter what /etc/nsswitch.conf tells it to (if ldap is placed in nsswitch.conf, that is).

Even though this approach seemed very promising, it didn't work for me, and I am still searching for an answer...

Thanks anyways!


----------



## crsd (Mar 23, 2009)

Try setting *bind_policy* to *soft* in nss_ldap.conf as a workaround.


----------



## mamalos (Mar 24, 2009)

Tried it along with nss_initgroups_ignoreusers, and forgot to mention it. Unfortunately, it doesn't work either!


----------



## rreboto (Sep 5, 2019)

mamalos said:


> this is the default, and does not work unfortunately. In the meantime I found some threads on other forums regarding my issue, tested on debian systems, and people are suggesting to place all local users in the nss_initgroups_ignoreusers directive of /usr/local/etc/nss_ldap.conf, which is supposed to do exactly what I wish: all users of this directive are ignored by the ldap search, since for some reason the nss_ldap version of initgroups(3) keeps on looking for ldap groups when performing a lookup, no matter what /etc/nsswitch.conf tells it to (if ldap is placed in nsswitch.conf that is).



Fast forward 10 years and `nss_initgroups_ignoreusers` works!

Unfortunately, setting the following in `/etc/nsswitch.conf` still does not work:


```
group: files [success=return notfound=continue] ldap
passwd: files [success=return notfound=continue] ldap
```


----------



## Chi Min Wang (Sep 6, 2019)

rreboto said:


> Fast forward 10 years and `nss_initgroups_ignoreusers` works!
> 
> Unfortunately, setting the following in `/etc/nsswitch.conf` still does not work:
> 
> ...



1: It will not work by assigning "files" in nsswitch.conf for group and passwd. It works only by assigning "nis" (although "files" seems to work, in fact FreeBSD will use ldap first, then fall back to the implied local account source "nis", which will put unnecessary load on the ldap server and cause an unacceptable delay when the ldap server isn't responding). And I am very curious why FreeBSD uses "nis" instead of "files", since this causes lots of confusion (local accounts don't have any relationship to "NIS", and there is no "NIS" server in most cases).

2: Even if I assign nis [notfound=continue] for group and passwd, it's still not working (according to all the documentation I have ever studied, the default action for notfound in nsswitch.conf is continue, so there should be no difference whether [notfound=continue] is assigned or not). I had to add a wildcard entry in master.passwd and groups to let FreeBSD use ldap for non-local users.

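An added example, not code from anyone in this thread, that models the documented nsswitch.conf(5) action-modifier semantics the posts above argue about (mamalos's `[success=return notfound=return]` vs. the default `notfound=continue`): a small parser for `db: source [status=action] source` lines plus a resolver that records which sources are actually consulted. The backends and the user names root/alice are constructed; the model covers only the documented lookup order and says nothing about nss_ldap's initgroups behaviour.

```python
import re
from typing import Callable, Dict, List, Tuple

# Default actions documented in nsswitch.conf(5): only "success" returns,
# every other status falls through ("continue") to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_nsswitch_line(line: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """'passwd: files [success=return notfound=return] ldap' ->
    ('passwd', [('files', {status: action}), ('ldap', {status: action})])."""
    db, _, rest = line.partition(":")
    sources: List[Tuple[str, Dict[str, str]]] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):              # modifier binds to the preceding source
            if not sources:
                raise ValueError("modifier before any source: " + line)
            for pair in tok.strip("[]").split():
                status, _, action = pair.partition("=")
                sources[-1][1][status.lower()] = action.lower()
        else:
            sources.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), sources

def resolve(sources: List[Tuple[str, Dict[str, str]]],
            backends: Dict[str, Callable[[str], str]], key: str) -> Tuple[str, List[str]]:
    """Consult sources in order; returns (final status, sources actually consulted)."""
    consulted, status = [], "notfound"
    for name, actions in sources:
        consulted.append(name)
        status = backends[name](key)          # backend yields an nsswitch status string
        if actions.get(status, "continue") == "return":
            break
    return status, consulted

# Constructed backends (not real NSS modules): root is local, alice is LDAP-only.
LOCAL, REMOTE = {"root"}, {"alice"}
BACKENDS = {
    "files": lambda k: "success" if k in LOCAL else "notfound",
    "ldap": lambda k: "success" if k in REMOTE else "notfound",
}

def lookup(conf_line: str, key: str, ldap_up: bool = True) -> Tuple[str, List[str]]:
    """Resolve key under one nsswitch.conf line; ldap_up=False models a dead server."""
    _, sources = parse_nsswitch_line(conf_line)
    backends = dict(BACKENDS)
    if not ldap_up:
        backends["ldap"] = lambda k: "unavail"   # server not answering
    return resolve(sources, backends, key)
```

With `notfound=return` on `files`, a miss never reaches `ldap`, which is exactly the "same as not having ldap at all" effect mamalos reports; with the default `notfound=continue`, the miss falls through to `ldap`, and a dead server surfaces as `unavail`.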

----------

