On Tuesday 13 March 2007 14:21, Gerhard Schmidt wrote: > On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote: > > On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:
[setting group: files ldap in nsswitch.conf] > > It looks as though you can instruct nss_ldap to unconditionally return > > NSS_STATUS_NOTFOUND for a user, by adding > > > > nss_initgroups_ignoreusers user > > > > in nss_ldap.conf. > > It's not. added nss_initgroups_ignoreusers ldap but it still blockes for > 2 Min. I have found a solution that work for me. The problem is not that > nsswitch asks nss_ldap but that nss_ldap take so long to realise the > ldap isn't running. I have changed the bind_policy setting of nss_ldap from > hard to soft and nss_ldap fails without delay. So it's working for me > for now. > > But still there is a problem with that. Right now there is no way we could > prevent any source from adding users to any group (e.g wheel). I think > thats a security problem in envoriments where you don't have control over > all sources used for authentication und usermanagement. If there was a way > you could tell the nss to stop wenn a group definition is found in a module > we had a way to stop this. That shouldn't be the default way but it schould > be possible. Basically you're saying you want to take the first list of groups you find in the same way that you can take the first username you find: and with respect, you seem to be finding increasingly strident reasons why things should be the way you want them. You're still banging your head against the wall. It's easy to ``prevent any source from adding users to any group'': just don't give the whole world write access to your groups database - whether it's in the system files, NIS, LDAP, or on tablets of stone on a small hill in your server room. If you don't want to look up group information in LDAP, don't put ldap in the group line in nsswitch.conf. If you do, secure it properly and accept that it will always do an LDAP lookup, because group information is additive - unlike user information which has to be unique. Accept, too, that if you only have a single LDAP server, there will be a bootstrap problem reading the groups list for the ldap user to start up the LDAP server: but the only "cost" of this is an extra two minutes or so on each boot, which you seem to have solved in any case. Jonathan _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"