From estartu@phobos.ze.tum.de  Tue Mar 13 08:13:15 2007
Return-Path: <estartu@phobos.ze.tum.de>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 81AA116A411
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 13 Mar 2007 08:13:15 +0000 (UTC)
	(envelope-from estartu@phobos.ze.tum.de)
Received: from phobos.ze.tum.de (phobos.ze.tum.de [129.187.39.55])
	by mx1.freebsd.org (Postfix) with ESMTP id 272CD13C45B
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 13 Mar 2007 08:13:14 +0000 (UTC)
	(envelope-from estartu@phobos.ze.tum.de)
Received: from phobos.ze.tum.de (localhost [127.0.0.1])
	by phobos.ze.tum.de (8.13.8/8.13.8) with ESMTP id l2D7g0Cd000924
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 13 Mar 2007 08:42:00 +0100 (CET)
	(envelope-from estartu@phobos.ze.tum.de)
Received: (from estartu@localhost)
	by phobos.ze.tum.de (8.13.8/8.13.8/Submit) id l2D7g0PW000923;
	Tue, 13 Mar 2007 08:42:00 +0100 (CET)
	(envelope-from estartu)
Message-Id: <200703130742.l2D7g0PW000923@phobos.ze.tum.de>
Date: Tue, 13 Mar 2007 08:42:00 +0100 (CET)
From: Gerhard Schmidt <estartu@augusta.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: success=return action doesn't work in /etc/nsswitch.conf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         110252
>Category:       conf
>Synopsis:       success=return action doesn't work in /etc/nsswitch.conf
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 13 08:20:14 GMT 2007
>Closed-Date:    Fri May 18 02:40:39 GMT 2007
>Last-Modified:  Fri May 18 02:40:39 GMT 2007
>Originator:     Gerhard Schmidt
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
Augsburger Computer Forum e.V.	
>Environment:
System: FreeBSD phobos.ze.tum.de 6.2-STABLE FreeBSD 6.2-STABLE #2: Thu Mar 8 15:21:55 CET 2007 root@phobos.ze.tum.de:/usr/src/sys/i386/compile/PHOBOS i386

	
>Description:
I have a FreeBSD server that runs an OpenLDAP server which holds the
user information for some FreeBSD systems, including itself. The user ldap is
in /etc/passwd and the group ldap is in /etc/group.

/etc/nsswitch.conf looks like the following:

group: files [success=return] ldap 
hosts: files dns
networks: files
passwd: files [success=return] ldap
shells: files

When the system boots, the bootup blocks for 2-3 minutes when starting
OpenLDAP. The log states the following:

Mar 13 08:13:13 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable

As I understand the success=return statement, ldap should never be asked
when a user or group is in the files. But it still is. And when the system
is up and running, the ldap server is queried for every user in the files.
This is a security issue too. Every user search is sent to all sources in
nsswitch.conf.

>How-To-Repeat:
Do the setup described and do a finger on a user in /etc/passwd; you will
see a query to the LDAP server.
>Fix:
n/k
	


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: jon 
State-Changed-When: Fri May 18 02:10:36 UTC 2007 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=110252 
State-Changed-From-To: closed->open 
State-Changed-By: jon 
State-Changed-When: Fri May 18 02:23:22 UTC 2007 
State-Changed-Why:  
oops, didn't mean to do that. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=110252 
State-Changed-From-To: open->closed 
State-Changed-By: jon 
State-Changed-When: Fri May 18 02:28:17 UTC 2007 
State-Changed-Why:  
(yes, I really mean to close it this time) 

This is not a bug, this is the expected behavior. 

When a user logs in to a system, a group list is created for the user which contains the list of all groups the user belongs to.  The only way you can get such a list is to query all sources of group information for groups.  When OpenLDAP starts, it calls the initgroups() function, which creates such a list.  OpenLDAP does this to ensure the user it changes to is in all the correct groups, so it can access all the files that you might think it should have access to.

Similarly, finger by default matches the arguments you give it with both the username and the gecos name of the user, and returns finger information for all matches.  Again, the only way it could do this is to walk through the entire list of all users, which requires accessing all data sources.  You can tell finger to match only the exact username with the -m flag, in which case it will only consult the files database if the user is in there.

Incidentally, success=return is the default behavior, you don't need to specify it. 

To get around this, you can either: 
1) run OpenLDAP as the root user, in which case it won't initgroups().
2) edit the OpenLDAP source and comment out the section doing initgroups().
3) change the timeout value in your nss_ldap config to a more appropriate value (bind_timeout might do the trick) 
4) don't run the ldap server on a machine that requires ldap. 



http://www.freebsd.org/cgi/query-pr.cgi?pr=110252 
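The distinction drawn in the close message, between a single-key lookup that the nsswitch.conf action table can short-circuit and an enumeration (initgroups()/getgrouplist(), finger without -m) that must walk every source, is easy to see in a small simulation. The following Python is an added example written for this page; it is not FreeBSD libc's nsdispatch(3) or nss_ldap, and it reduces the status set to success/notfound/unavail. The passwd and group records and the "ldap" source (which records every call and reports the server unavailable, as in the log line above) are constructed here to replay the PR's setup.

```python
"""Simulation of nsswitch.conf dispatch semantics (added example, not FreeBSD libc).

Two kinds of NSS calls behave differently under the same nsswitch.conf line:
  * a single-key lookup (getpwnam/getgrnam-style) walks the sources in order
    and stops as soon as a source's status maps to the action "return";
  * an enumeration (initgroups/getgrouplist, finger's gecos matching) has to
    visit every source, because the answer is a union over all of them.
"""
import re

SUCCESS, NOTFOUND, UNAVAIL = "success", "notfound", "unavail"
# Default action table of nsswitch.conf: stop after a hit, keep going otherwise.
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue", UNAVAIL: "continue"}

_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch_line(line):
    """'passwd: files [success=return] ldap' -> ('passwd', [('files', {...}), ('ldap', {...})])."""
    db, _, rest = line.partition(":")
    sources = []
    for bracket, word in _TOKEN.findall(rest):
        if word:
            sources.append((word, dict(DEFAULT_ACTIONS)))
        elif sources:  # a [status=action ...] group applies to the preceding source
            for pair in bracket.split():
                status, _, action = pair.lower().partition("=")
                sources[-1][1][status] = action
    return db.strip(), sources


# Constructed sample data standing in for /etc/passwd and /etc/group (hypothetical).
FILES = {
    "passwd": [{"name": "root", "gecos": "Charlie &"},
               {"name": "ldap", "gecos": "OpenLDAP Server"}],
    "group": [{"name": "wheel", "members": ["root"]},
              {"name": "ldap", "members": ["ldap"]}],
}


class FilesSource:
    """The 'files' source: answers from the in-memory tables above."""

    def lookup(self, db, key):
        for rec in FILES[db]:
            if rec["name"] == key:
                return SUCCESS, rec
        return NOTFOUND, None

    def enumerate(self, db):
        return SUCCESS, list(FILES[db])


class DownLdapSource:
    """Stands in for nss_ldap while slapd is not yet listening: every call is recorded and fails."""

    def __init__(self):
        self.calls = []

    def lookup(self, db, key):
        self.calls.append((db, "lookup", key))
        return UNAVAIL, None

    def enumerate(self, db):
        self.calls.append((db, "enumerate", None))
        return UNAVAIL, []


def nsdispatch(sources, registry, db, key):
    """Single-key lookup: walk the sources in order and honour the action table."""
    consulted = []
    for name, actions in sources:
        consulted.append(name)
        status, rec = registry[name].lookup(db, key)
        if actions.get(status, "continue") == "return":
            return rec, consulted
    return None, consulted


def getgrouplist(sources, registry, user):
    """initgroups(3)-style: the group list is a union over all sources, so none can be skipped."""
    groups, consulted = set(), []
    for name, _ in sources:
        consulted.append(name)
        _, entries = registry[name].enumerate("group")
        groups.update(g["name"] for g in entries if user in g["members"])
    return sorted(groups), consulted


def finger(sources, registry, name, exact=False):
    """finger(1): without -m it matches login name and gecos over all users; with -m it is one lookup."""
    if exact:
        rec, consulted = nsdispatch(sources, registry, "passwd", name)
        return ([rec] if rec else []), consulted
    matches, consulted = [], []
    for sname, _ in sources:
        consulted.append(sname)
        _, entries = registry[sname].enumerate("passwd")
        matches += [r for r in entries
                    if r["name"] == name or name.lower() in r["gecos"].lower()]
    return matches, consulted


def run_scenario(passwd_line="passwd: files [success=return] ldap",
                 group_line="group: files [success=return] ldap"):
    """Replay the PR's setup (local user 'ldap', LDAP unreachable); report which sources each call touched."""
    registry = {"files": FilesSource(), "ldap": DownLdapSource()}
    _, passwd_src = parse_nsswitch_line(passwd_line)
    _, group_src = parse_nsswitch_line(group_line)
    return {
        "getpwnam_ldap": nsdispatch(passwd_src, registry, "passwd", "ldap")[1],
        "getpwnam_unknown": nsdispatch(passwd_src, registry, "passwd", "nosuchuser")[1],
        "initgroups_ldap": getgrouplist(group_src, registry, "ldap")[1],
        "finger_ldap": finger(passwd_src, registry, "ldap")[1],
        "finger_m_ldap": finger(passwd_src, registry, "ldap", exact=True)[1],
        "ldap_calls": registry["ldap"].calls,
    }


if __name__ == "__main__":
    for call, consulted in run_scenario().items():
        print(f"{call:18} -> {consulted}")
```

Running it shows that getpwnam("ldap") and finger -m stop at files, while initgroups() and plain finger reach the ldap source even though the user exists locally; an unknown user also falls through to ldap, because notfound defaults to continue. Calling run_scenario("passwd: files ldap", "group: files ldap") gives the identical result, which is the point about success=return already being the default.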
>Unformatted:
