Suppress getgrent() while login with PAM/LDAP?
We experience some unpleasant misbehavior of nss_ldap while using
PAM/LDAP as authentication method for login and ftp:
Every time a user logs in, all group entries of the LDAP database are
read. This happens obviously twice, for login and password. Since we
have about 6000 group entries this takes definitely too long if not
restricted by the parameter sizelimit in slapd.conf (what seems really
The other way to suppress it is to change the nsswitch.conf to "group:
files" instead of "group: files ldap".
We cannot accept either of the two solutions. Even if written in RFC 2307 that
getgrent() & Co. use the (objectclass=posixGroup) argument for searching
we are looking for a way to tell nss_ldap not to do so. Instead we could
imagine that an attribute in the user entry is used (for example
additionalGroups) to do the group lookup.
We don't want to modify the source code, so is there any configuration
possibility to get nss_ldap working in the way we want?