Your nsswitch says to search ldap before anything local.  I use "passwd:
files ldap" (same for shadow & group).  Thus, it never even tries ldap
if it finds a local entry.

This has also come in handy for a few weird exceptions where the
application absolutely had to do something weird and exceptional: I
could override it on the local box.

For example, two apps which absolutely had to use the same group name,
with different memberships.  Here, we have an enterprise Oracle group
with dozens of hosts for which their DBAs are all members of a common
group.  We also have a couple of one-off Oracle hosts for non-enterprise
groups who want the same names but different memberships.

It's a bit of a pain to manage those specific host exceptions, but at
least it's possible using 'files ldap'.

-- Pat
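As an added illustration of the point Pat makes above (this is example code written for this page, not anything from the thread or from the nss_ldap project), the following simulates how glibc walks the sources listed in /etc/nsswitch.conf. With `ldap compat`, every lookup of even a purely local name such as `root` first contacts LDAP, and if the server is unreachable during early boot the module logs a bind failure before falling through to the local files; with `files ldap`, a name found locally never causes an LDAP query at all, and a local /etc/group entry shadows the directory entry of the same name, which is the "one-off dba group" override described above. The sample nsswitch.conf and ldap.conf text mirrors the lines quoted in the thread; the group entries, user names and the behaviour of the `LdapSource` stand-in are constructed assumptions for the example. Note that `nss_initgroups_ignoreusers` only short-circuits initgroups(3) for the listed users; plain getpwnam/getgrnam lookups still follow the nsswitch order, which is why the parser here treats the two settings separately.

```python
"""Simulate NSS source ordering: 'ldap compat' vs 'files ldap'."""

# Constructed configs for the example, mirroring the lines quoted in the thread.
NSSWITCH_LDAP_FIRST = """
passwd: ldap compat
shadow: ldap compat
group:  ldap compat
hosts:  files dns
"""

NSSWITCH_FILES_FIRST = """
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
"""

LDAP_CONF = """
bind_policy soft
nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101
"""

# Constructed local /etc/group-style entries: (name, gid, members).
# The local "dba" entry is the per-host override; the directory has its own "dba".
LOCAL_GROUP = {
    "root": ("root", 0, ["root"]),
    "dba": ("dba", 5001, ["alice"]),
}


class LdapUnavailable(Exception):
    """Stand-in for nss_ldap's 'Can't contact LDAP server' condition."""


class LdapSource:
    """Stand-in for nss_ldap. Counts queries so the test can prove LDAP was (not) consulted."""

    def __init__(self, entries, available=True):
        self.entries = entries
        self.available = available
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        if not self.available:
            raise LdapUnavailable("Can't contact LDAP server")
        return self.entries.get(name)


def parse_nsswitch(text):
    """Return {database: [source, ...]} in the order glibc will try them."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        order[db.strip()] = sources.split()
    return order


def ldap_first_databases(text):
    """Databases where 'ldap' is consulted before any local source (files/compat)."""
    bad = []
    for db, sources in parse_nsswitch(text).items():
        local = [i for i, s in enumerate(sources) if s in ("files", "compat")]
        if "ldap" in sources and (not local or sources.index("ldap") < min(local)):
            bad.append(db)
    return sorted(bad)


def parse_ignoreusers(text):
    """Users for which nss_ldap skips initgroups(3) entirely (ldap.conf)."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "nss_initgroups_ignoreusers":
            return set(parts[1].split(","))
    return set()


def resolve(name, sources, local, ldap, log):
    """Walk sources left to right with the default [SUCCESS=return UNAVAIL=continue] actions.
    'compat' is treated as a plain files lookup here (no +/- NIS lines)."""
    for src in sources:
        if src in ("files", "compat"):
            if name in local:
                return local[name]
        elif src == "ldap":
            try:
                hit = ldap.lookup(name)
                if hit is not None:
                    return hit
            except LdapUnavailable as exc:
                log.append(f"nss_ldap: failed to bind to LDAP server: {exc}")
    return None


def lookup_root_while_ldap_down(nsswitch_text):
    """The early-boot udevd case: LDAP unreachable, a local name is looked up.
    Returns (entry, ldap_queries, logged_errors)."""
    ldap = LdapSource({}, available=False)
    log = []
    entry = resolve("root", parse_nsswitch(nsswitch_text)["group"], LOCAL_GROUP, ldap, log)
    return entry, ldap.queries, log


def dba_members(nsswitch_text):
    """Which 'dba' membership wins: the enterprise one in LDAP or the local override."""
    ldap = LdapSource({"dba": ("dba", 5001, ["bob", "carol", "dave"])})
    return resolve("dba", parse_nsswitch(nsswitch_text)["group"], LOCAL_GROUP, ldap, [])[2]


def initgroups_skipped(user, ldap_conf_text=LDAP_CONF):
    return user in parse_ignoreusers(ldap_conf_text)
```

Running `ldap_first_databases` against a real /etc/nsswitch.conf is a quick audit for the ordering Pat objects to; `lookup_root_while_ldap_down` shows the difference in practice: one logged bind failure and one LDAP round trip per lookup with `ldap compat`, none with `files ldap`.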

On 8/18/11 12:47 PM, Peter E. Abresch Jr. - at Pepco wrote:
> I have the following set in /etc/ldap.conf
>
> bind_policy soft
> nss_initgroups_ignoreusers
> root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101
>
> However, these messages are overwhelming. I get them for udevd and vol_id.
> These might be a startup timing issue; as soon as the network is available,
> they go away. However, the nss_initgroups_ignoreusers should ignore this.
> Am I still missing something?
>
> /etc/nsswitch.conf contains:
>
> passwd: ldap compat
> shadow: ldap compat
> group:  ldap compat
>
>
> hosts:          files dns
> networks:       files dns
>
> services:       files
> protocols:      files
> rpc:            files
> ethers:         files
> netmasks:       files
> netgroup:       files nis
> publickey:      files
>
> bootparams:     files
> automount:      files nis
> aliases:        files
>
>
>
> From:   Peter E Abresch/EP/PEP
> To:     LINUX-390@vm.marist.edu
> Date:   08/18/2011 09:00 AM
> Subject:        udevd-349-: nss_ldap: failed to bind to LDAP server
> ldap:// . . .
>
>
> We finally have RACF LDAP server running on z/OS with the TDBM backend and
> native authentication. We thought we were done as all our testing
> completed successfully. However, when the operator booted Linux, the
> console is flooded with the following messages on the shutdown and
> startup. It is very difficult to catch a real error with this flood of
> messages. Also, these messages are somewhat misleading as the LDAP server
> is up and running and available. I am thinking that these messages are
> produced as some service is shut down and before some service starts. Here
> is the challenge: How can we eliminate these messages during shutdowns and
> boots?  They are all coming from udevd. Thanks in advance.
>
> Peter
>
> udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
> udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
> udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
> udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
> udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
> udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
> udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
> udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
>
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
