[Date Prev][Date Next] [Chronological] [Thread] [Top]

Suppress getgrent() while login with PAM/LDAP?

Hi all,

we experience some unpleasant misbehavior of nss_ldap while using PAM/LDAP as authentication method for login and ftp:

Every time a user logs in, all group entries of the LDAP database are read. This happens obviously twice, for login and password. Since we have about 6000 group entries this takes definitly too long if not restricted by the parameter sizelimit in slapd.conf (what seems really uncool).

The other way to suppress it is to change the nsswitch.conf to "group: files" instead of "group: files ldap".

We cannot accept any of both solutions. Even if written in RFC 2307 that getgrent() & Co. use the (objectclass=posixGroup) argument for searching we are looking for a way to tell nss_ldap not to to so. Instead we could imagine that an attribute in the user entry is used (for example additionalGroups) to do the group lookup.

We don't want to modify the source code, so is there any configuration possibility to get nss_ldap working in that way we want?

Stefan Brohs