Bug ID: 226119
           Summary: Feature request: Add ldap data source for the NSS
                    netgroup database
           Product: Base System
           Version: 11.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin

The nsswitch.conf man page describes the sources that are currently implemented
for NSS, and LDAP is not among them. An LDAP data source would enable FreeBSD
clients to integrate more easily with central user/account management frameworks
like FreeIPA & sssd.

As an illustration of the problems that an ldap data source would mitigate,
consider a centralized user accounting and management system, particularly
FreeIPA: sudo queries the data source (sss), which returns netgroups, and sudo
responds by subsequently calling innetgr(). When called, innetgr() loads and
iterates over /etc/netgroup looking for matching entries, so as netgroup grows in
size, so does the amount of time required to iterate it. For example, my tests
using a ~1.5MB file consisting of ~31,000 entries took 30 seconds to return a
password prompt as it traversed netgroup to ensure the invoking user was
permitted to.
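To make the scaling problem concrete, here is an added model of innetgr(3) over the netgroup(5) file format (example code written for this report, not FreeBSD's libc); it counts how many (host,user,domain) triples a query examines before answering. The sample file, the 'big' group generator and the counter are constructed for illustration, and triples are assumed to contain no whitespace.

```python
import re

# Constructed sample in netgroup(5) syntax: nested group references, '\' line
# continuation and (host,user,domain) triples (assumed to contain no whitespace).
SAMPLE = """\
# empty field = wildcard, "-" = never matches
admins  (,alice,) (,bob,)
ops     admins (host1,carol,example.org) \\
        (host2,dave,)
"""
TRIPLE = re.compile(r"^\((.*?),(.*?),(.*?)\)$")

def parse_netgroup(text):
    """Map netgroup name -> list of members (triples or nested group names)."""
    groups = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *members = line.split()
            groups.setdefault(name, []).extend(members)
    return groups

def _field_matches(pattern, value):
    # None in the query ignores the field; "" in the file is a wildcard; "-" matches nothing.
    return value is None or pattern == "" or (pattern != "-" and pattern == value)

def innetgr(groups, netgroup, host=None, user=None, domain=None):
    """Model of innetgr(3): returns (matched, triples_examined). Direct members are
    checked in file order, then nested groups; every triple up to the first match is
    examined, so cost grows with the size of the netgroup, as the report describes."""
    examined, seen, stack = 0, set(), [netgroup]
    while stack:
        name = stack.pop()
        if name in seen:  # guard against cyclic nesting
            continue
        seen.add(name)
        for member in groups.get(name, []):
            m = TRIPLE.match(member)
            if m is None:  # nested netgroup reference, expanded after direct members
                stack.append(member)
                continue
            examined += 1
            h, u, d = m.groups()
            if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
                return True, examined
    return False, examined

def large_netgroup(n):
    """Constructed file with n user triples in one group named 'big'."""
    return "big " + " ".join(f"(,user{i},)" for i in range(n))
```

A lookup for the last user in a 31,000-entry group examines all 31,000 triples, which is the linear walk the reporter observed behind the 30-second password prompt.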

The following references describe FreeBSD deployment within a FreeIPA/sssd
framework and illustrate that multiple users are deploying FreeBSD in such a
