Re: nss_ldap and openldap on the same server.
On Tuesday 13 March 2007 14:21, Gerhard Schmidt wrote:
> On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote:
> > On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:

[setting group: files ldap in nsswitch.conf]

> > It looks as though you can instruct nss_ldap to unconditionally return
> > NSS_STATUS_NOTFOUND for a user, by adding
> >
> > nss_initgroups_ignoreusers user
> >
> > in nss_ldap.conf.
>
> It's not. I added nss_initgroups_ignoreusers ldap but it still blocks for
> 2 min. I have found a solution that works for me. The problem is not that
> nsswitch asks nss_ldap but that nss_ldap takes so long to realise the
> ldap isn't running. I have changed the bind_policy setting of nss_ldap from
> hard to soft and nss_ldap fails without delay. So it's working for me
> for now.
>
> But still there is a problem with that. Right now there is no way we could
> prevent any source from adding users to any group (e.g. wheel). I think
> that's a security problem in environments where you don't have control over
> all sources used for authentication and user management. If there was a way
> you could tell the nss to stop when a group definition is found in a module
> we had a way to stop this. That shouldn't be the default way but it should
> be possible.

Basically you're saying you want to take the first list of groups you find in
the same way that you can take the first username you find: and with respect,
you seem to be finding increasingly strident reasons why things should be the
way you want them. You're still banging your head against the wall.

It's easy to ``prevent any source from adding users to any group'': just don't
give the whole world write access to your groups database - whether it's in
the system files, NIS, LDAP, or on tablets of stone on a small hill in your
server room. If you don't want to look up group information in LDAP, don't put
ldap in the group line in nsswitch.conf.

If you do, secure it properly and accept that it will always do an LDAP
lookup, because group information is additive - unlike user information which
has to be unique. Accept, too, that if you only have a single LDAP server,
there will be a bootstrap problem reading the groups list for the ldap user to
start up the LDAP server: but the only "cost" of this is an extra two minutes
or so on each boot, which you seem to have solved in any case.

Jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:
> > > It's a well-known problem rather than a bug, and it arises when looking
> > > up group information for a user. The system needs a list of all the
> > > groups the user is a member of. Since it's a list, not a single answer,
> > > you can't short-circuit the process with ``success'' after finding a
> > > single result: initgroups(3) must work through all possible sources of
> > > group information to build the list.
> >
> > I think it's still a bug. You are right that all groups should be found so
> > the default for groups should be success=continue to have this done. But
> > when I explicitly specify that on success the process should abort, it
> > should be done exactly this way.
>
> You've now had responses from me and Joerg Pulz, and given us essentially the
> same reply. I'm not sure success means what you think it means: group
> information is a complete list, not ``first item found'' like a user account.
>
> You have told the system to check for group information in files and ldap.
> You have, therefore, not succeeded in listing all groups until you have both
> searched the files *and* received a response from nss_ldap, either group
> information or NSS_STATUS_NOTFOUND.
>
> It looks as though you can instruct nss_ldap to unconditionally return
> NSS_STATUS_NOTFOUND for a user, by adding
>
> nss_initgroups_ignoreusers user
>
> in nss_ldap.conf. I'd be interested to hear whether it works, having not
> tested it myself, but at the moment you're banging your head against the wall
> and shouting about how much it hurts. It will hurt less if you stop.

It's not. I added nss_initgroups_ignoreusers ldap but it still blocks for
2 min. I have found a solution that works for me. The problem is not that
nsswitch asks nss_ldap but that nss_ldap takes so long to realise the ldap
isn't running.

I have changed the bind_policy setting of nss_ldap from hard to soft and
nss_ldap fails without delay. So it's working for me for now.

But still there is a problem with that. Right now there is no way we could
prevent any source from adding users to any group (e.g. wheel). I think
that's a security problem in environments where you don't have control over
all sources used for authentication and user management. If there was a way
you could tell the nss to stop when a group definition is found in a module
we had a way to stop this. That shouldn't be the default way but it should
be possible.

Bye
Estartu
-- 
Gerhard Schmidt     | Nick : estartu   IRC : Estartu |
Fischbachweg 3      |                                | PGP Public Key
86856 Hiltenfingen  | EMail: [EMAIL PROTECTED]       | on request
Germany             |                                |
Re: nss_ldap and openldap on the same server.
On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:
> > It's a well-known problem rather than a bug, and it arises when looking
> > up group information for a user. The system needs a list of all the
> > groups the user is a member of. Since it's a list, not a single answer,
> > you can't short-circuit the process with ``success'' after finding a
> > single result: initgroups(3) must work through all possible sources of
> > group information to build the list.
>
> I think it's still a bug. You are right that all groups should be found so
> the default for groups should be success=continue to have this done. But
> when I explicitly specify that on success the process should abort, it
> should be done exactly this way.

You've now had responses from me and Joerg Pulz, and given us essentially the
same reply. I'm not sure success means what you think it means: group
information is a complete list, not ``first item found'' like a user account.

You have told the system to check for group information in files and ldap. You
have, therefore, not succeeded in listing all groups until you have both
searched the files *and* received a response from nss_ldap, either group
information or NSS_STATUS_NOTFOUND.

It looks as though you can instruct nss_ldap to unconditionally return
NSS_STATUS_NOTFOUND for a user, by adding

nss_initgroups_ignoreusers user

in nss_ldap.conf. I'd be interested to hear whether it works, having not
tested it myself, but at the moment you're banging your head against the wall
and shouting about how much it hurts. It will hurt less if you stop.

Jonathan
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 09:08:34AM +0100, Joerg Pulz wrote:
> On Tue, 13 Mar 2007, Gerhard Schmidt wrote:
>
> > On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > > On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > > Hello,
> > >
> > > > As I see it, nss asks all sources even if the first one already knows
> > > > the answer. Is there a way to change this.
> > >
> > > man nsswitch.conf(5)
> > > Look for Status codes and Actions
> >
> > Doesn't work. Tried the following nsswitch.conf
> > group: files [success=return] ldap
> > hosts: files dns
> > networks: files
> > passwd: files [success=return] ldap
> > shells: files
> >
> > This doesn't change the delay. And the nss_ldap timeout is still reported.
> > This is not surprising because the manpage states [success=return] is
> > default.
> >
> > Seems there is a bug somewhere.
>
> AFAICT, there is no bug.
> The behavior is completely correct as a look into the openldap code turns
> out.
> When starting up slapd, it tries to switch the credentials to the user and
> group specified, normally ldap:ldap. Therefore it uses getpwuid(3),
> getpwnam(3), getgrgid(3) and getgrnam(3) functions. If lookup for the user
> and group specified is okay, it then calls getuid(3) and initgroups(3).
> Reading initgroups(3) turns out the following:
>
> The initgroups() function uses the getgrouplist(3) function to calculate
> the group access list for the user specified in name.
>
> Reading getgrouplist(3) turns out the following:
>
> The getgrouplist() function reads through the group file and calculates
> the group access list for the user specified in name.
> [...]
> The getgrouplist() function uses the routines based on getgrent(3).
>
> Reading getgrent(3) turns out the following:
>
> The getgrent() function sequentially reads the group database and is
> intended for programs that wish to step through the complete list of
> groups.
> [...]
> The getgrent() and getgrent_r() functions make no attempt to suppress
> duplicate information if multiple sources are specified in
> nsswitch.conf(5).
>
> So after following the way through all man pages, it turns out that the
> behavior is fully correct as a lookup is done to find out all groups to
> which the specified slapd user belongs to. This includes lookups using
> nss_ldap when ldap is configured as source for groups in nsswitch.conf.
>
> As a side note, a short look into the bind and cron source turns out that
> these, and probably others too, also use the initgroups(3) function.

Yes. But still there is something missing. The admin should have control
over this behavior. The reasonable default action for groups should be
success=continue to go through all group sources. But the admin should still
have the possibility to stop the process on success, which is not possible
right now.

Bye
Estartu
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 10:01:09AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> > On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > > On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > >
> > > Hello,
> > >
> > > > As I see it, nss asks all sources even if the first one already knows
> > > > the answer. Is there a way to change this.
> > >
> > > man nsswitch.conf(5)
> > > Look for Status codes and Actions
> >
> > Doesn't work. Tried the following nsswitch.conf
> > group: files [success=return] ldap
> > hosts: files dns
> > networks: files
> > passwd: files [success=return] ldap
> > shells: files
> >
> > This doesn't change the delay. And the nss_ldap timeout is still reported.
> > This is not surprising because the manpage states [success=return] is
> > default.
> >
> > Seems there is a bug somewhere.
>
> It's a well-known problem rather than a bug, and it arises when looking up
> group information for a user. The system needs a list of all the groups the
> user is a member of. Since it's a list, not a single answer, you can't
> short-circuit the process with ``success'' after finding a single result:
> initgroups(3) must work through all possible sources of group information to
> build the list.

I think it's still a bug. You are right that all groups should be found so
the default for groups should be success=continue to have this done. But
when I explicitly specify that on success the process should abort, it
should be done exactly this way.

> The only ``workaround'' I've seen suggested is the parameter introduced
> recently in nss_ldap:
>
> nss_initgroups_ignoreusers
>
> It takes a comma-separated list of users for whom the nss_ldap initgroups
> routine should immediately return NSS_STATUS_NOTFOUND. If you keep group
> information for all the system users in /etc/group only, and add them all to
> this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't
> tested this).

This may fix the problem with nss_ldap but it's still there with other modules.

Bye
Estartu
Re: nss_ldap and openldap on the same server.
On Tue, 13 Mar 2007, Gerhard Schmidt wrote:

> On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > Hello,
> >
> > > As I see it, nss asks all sources even if the first one already knows
> > > the answer. Is there a way to change this.
> >
> > man nsswitch.conf(5)
> > Look for Status codes and Actions
>
> Doesn't work. Tried the following nsswitch.conf
> group: files [success=return] ldap
> hosts: files dns
> networks: files
> passwd: files [success=return] ldap
> shells: files
>
> This doesn't change the delay. And the nss_ldap timeout is still reported.
> This is not surprising because the manpage states [success=return] is
> default.
>
> Seems there is a bug somewhere.

AFAICT, there is no bug.
The behavior is completely correct as a look into the openldap code turns
out.
When starting up slapd, it tries to switch the credentials to the user and
group specified, normally ldap:ldap. Therefore it uses getpwuid(3),
getpwnam(3), getgrgid(3) and getgrnam(3) functions. If lookup for the user
and group specified is okay, it then calls getuid(3) and initgroups(3).
Reading initgroups(3) turns out the following:

The initgroups() function uses the getgrouplist(3) function to calculate
the group access list for the user specified in name.

Reading getgrouplist(3) turns out the following:

The getgrouplist() function reads through the group file and calculates
the group access list for the user specified in name.
[...]
The getgrouplist() function uses the routines based on getgrent(3).

Reading getgrent(3) turns out the following:

The getgrent() function sequentially reads the group database and is
intended for programs that wish to step through the complete list of
groups.
[...]
The getgrent() and getgrent_r() functions make no attempt to suppress
duplicate information if multiple sources are specified in
nsswitch.conf(5).

So after following the way through all man pages, it turns out that the
behavior is fully correct as a lookup is done to find out all groups to
which the specified slapd user belongs to. This includes lookups using
nss_ldap when ldap is configured as source for groups in nsswitch.conf.

As a side note, a short look into the bind and cron source turns out that
these, and probably others too, also use the initgroups(3) function.

HTH,
Joerg
-- 
The beginning is the most important part of the work. -Plato
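A small model of the lookup behaviour Joerg and Jonathan describe, added here as an example (not code from FreeBSD, nss_ldap or any poster): it parses nsswitch.conf lines with their [status=action] annotations, shows why a single-answer lookup such as getpwnam(3) stops at files while initgroups(3) walks every source and merges what each returns, and why bind_policy soft removes the boot delay that [success=return] does not. The two sources, their contents and the 120-second figure for a hard bind retry loop are constructed for the thread's scenario.

```python
"""Model of the nsswitch.conf lookup behaviour discussed in this thread. Added
example, not FreeBSD, nss_ldap or any poster's code; all data is constructed."""
import re

# Constructed data: 'files' stands for /etc/passwd + /etc/group, 'ldap' for slapd.
FILES = {"passwd": {"root": 0, "ldap": 389}, "group": {"wheel": ["root"], "ldap": ["ldap"]}}
LDAP = {"passwd": {"alice": 10001}, "group": {"staff": ["alice"], "wheel": ["alice"]}}
HARD_BIND_TIMEOUT = 120  # seconds a 'bind_policy hard' retry loop costs in this model

ACTION_RE = re.compile(r"\[(\w+)=(\w+)\]")

def parse_line(line):
    """'db: src1 [status=action] src2' -> (db, [(src, {status: action}), ...])."""
    db, _, rest = line.partition(":")
    sources = []
    for tok in rest.split():
        m = ACTION_RE.fullmatch(tok)
        if m and sources:
            sources[-1][1][m.group(1)] = m.group(2)  # annotation binds to previous source
        else:
            sources.append((tok, {}))
    return db.strip(), sources

def query(src, db, ldap_up, bind_policy):
    """Ask one source for a whole table: (reachable, table, seconds spent)."""
    if src == "files":
        return True, FILES[db], 0
    if src == "ldap" and ldap_up:
        return True, LDAP[db], 0
    # nss_ldap cannot bind: 'hard' keeps retrying, 'soft' gives up at once
    return False, {}, HARD_BIND_TIMEOUT if (src == "ldap" and bind_policy == "hard") else 0

def getpwnam(line, name, ldap_up=False, bind_policy="hard"):
    """Single-answer lookup: the [status=action] on each source decides whether to
    go on. Returns (uid or None, sources consulted, seconds spent)."""
    _, sources = parse_line(line)
    consulted, spent = [], 0
    for src, actions in sources:
        consulted.append(src)
        ok, table, secs = query(src, "passwd", ldap_up, bind_policy)
        spent += secs
        status = "success" if name in table else ("notfound" if ok else "unavail")
        default = "return" if status == "success" else "continue"  # nsswitch.conf(5) defaults
        if actions.get(status, default) == "return":
            return table.get(name), consulted, spent
    return None, consulted, spent

def initgroups(line, name, ldap_up=False, bind_policy="hard"):
    """List lookup: getgrouplist(3) steps through every source via getgrent(3), so
    the actions on the group line never short-circuit it and membership is
    additive. Returns (sorted group names, sources consulted, seconds spent)."""
    _, sources = parse_line(line)
    groups, consulted, spent = set(), [], 0
    for src, _actions in sources:
        consulted.append(src)
        _ok, table, secs = query(src, "group", ldap_up, bind_policy)
        spent += secs
        groups.update(g for g, members in table.items() if name in members)
    return sorted(groups), consulted, spent

if __name__ == "__main__":
    line = "group: files [success=return] ldap"
    print(initgroups(line, "ldap"))                      # slapd at boot, bind_policy hard
    print(initgroups(line, "ldap", bind_policy="soft"))  # Gerhard's fix: no delay
    print(initgroups("group: files ldap", "alice", ldap_up=True))  # ldap adds alice to wheel
```

The last call is the point Jonathan makes about group data being additive: whoever can write the group entries in any listed source can add members to wheel, so the group line in nsswitch.conf is a trust decision, not just a lookup order.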
Re: nss_ldap and openldap on the same server.
On 3/13/07, Jonathan McKeown <[EMAIL PROTECTED]> wrote:
> The only ``workaround'' I've seen suggested is the parameter introduced
> recently in nss_ldap:
>
> nss_initgroups_ignoreusers

Right, now I remember that once I had this problem too...

Another workaround would be to have two different nsswitch.conf files, one
with and another without the ldap database entry, and then switch between
them as part of ldap start / stop routines.

- your system has the nsswitch.conf w/out ldap by default
- when ldap starts, it substitutes it with the nsswitch.conf file w/ ldap entries
- when ldap stops, it restores the original file

> Jonathan

-- 
Pietro Cerutti
- ASCII Ribbon Campaign -
against HTML e-mail and proprietary attachments
www.asciiribbon.org
Re: nss_ldap and openldap on the same server.
On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> > > Hi,
> >
> > Hello,
> >
> > > As I see it, nss asks all sources even if the first one already knows
> > > the answer. Is there a way to change this.
> >
> > man nsswitch.conf(5)
> > Look for Status codes and Actions
>
> Doesn't work. Tried the following nsswitch.conf
> group: files [success=return] ldap
> hosts: files dns
> networks: files
> passwd: files [success=return] ldap
> shells: files
>
> This doesn't change the delay. And the nss_ldap timeout is still reported.
> This is not surprising because the manpage states [success=return] is
> default.
>
> Seems there is a bug somewhere.

It's a well-known problem rather than a bug, and it arises when looking up
group information for a user. The system needs a list of all the groups the
user is a member of. Since it's a list, not a single answer, you can't
short-circuit the process with ``success'' after finding a single result:
initgroups(3) must work through all possible sources of group information to
build the list.

The only ``workaround'' I've seen suggested is the parameter introduced
recently in nss_ldap:

nss_initgroups_ignoreusers

It takes a comma-separated list of users for whom the nss_ldap initgroups
routine should immediately return NSS_STATUS_NOTFOUND. If you keep group
information for all the system users in /etc/group only, and add them all to
this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't
tested this).

Jonathan
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 07:58:05AM +0900, Daniel Marsh wrote:
>
> I've run into this very same problem... but the way I got around it was
> putting OpenLDAP in a jail all by its lonesome and making sure that jail
> would start before anything on the host system would start that may need
> LDAP... (effectively meaning the LDAP server is a different "machine")

Hitting the problem with a really big hammer. That cures only the symptoms,
not the problem. As I see it the problem is that the status/actions in
nsswitch.conf are not working, since man nsswitch.conf states that
success=return is default and therefore ldap should never be asked for users
that are in the /etc/passwd file. I will file a problem report for this one.

Bye
Estartu
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> > Hi,
> Hello,
>
> > As I see it, nss asks all sources even if the first one already knows the
> > answer. Is there a way to change this.
>
> man nsswitch.conf(5)
> Look for Status codes and Actions

Doesn't work. Tried the following nsswitch.conf

group: files [success=return] ldap
hosts: files dns
networks: files
passwd: files [success=return] ldap
shells: files

This doesn't change the delay. And the nss_ldap timeout is still reported.
This is not surprising because the manpage states [success=return] is
default.

Seems there is a bug somewhere.

Bye
Estartu
Re: nss_ldap and openldap on the same server.
On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> Hi,

Hello,

> As I see it, nss asks all sources even if the first one already knows the
> answer. Is there a way to change this.

man nsswitch.conf(5)
Look for Status codes and Actions

Bye

> Bye
> Estartu
Re: nss_ldap and openldap on the same server.
On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a small problem. On my central server we run an openldap server that
> contains the userdata for some systems. And the server uses this ldap server
> for authentication and nss. The problem is that when the server is booting
> slapd takes a very long time to start up. I think it's trying to get an
> answer from ldap for the user ldap. But user ldap is in /etc/passwd and in
> /etc/groups
>
> My nsswitch.conf looks like this.
>
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
> shells: files
>
> The system comes up but takes very long to do so (I think it's some kind of
> timeout)
>
> Mar 12 14:58:23 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable
>
> As I see it, nss asks all sources even if the first one already knows the
> answer. Is there a way to change this.

I've run into this very same problem... but the way I got around it was
putting OpenLDAP in a jail all by its lonesome and making sure that jail
would start before anything on the host system would start that may need
LDAP... (effectively meaning the LDAP server is a different "machine")