
Suppress getgrent() while login with PAM/LDAP?



Hi all,

we experience some unpleasant misbehavior of nss_ldap while using PAM/LDAP as authentication method for login and ftp:

Every time a user logs in, all group entries of the LDAP database are read. This obviously happens twice, for login and password. Since we have about 6000 group entries, this definitely takes too long if it is not restricted by the parameter sizelimit in slapd.conf (which seems really uncool).

The other way to suppress it is to change the nsswitch.conf to "group: files" instead of "group: files ldap".

We cannot accept either of these solutions. Even if it is written in RFC 2307 that getgrent() & Co. use the (objectclass=posixGroup) argument for searching, we are looking for a way to tell nss_ldap not to do so. Instead, we could imagine that an attribute in the user entry is used (for example additionalGroups) to do the group lookup.

We don't want to modify the source code, so is there any configuration possibility to get nss_ldap working in the way we want?

Thanks,
Stefan Brohs