[389-users] xinetd app LDAP errors when LDAP server is down for non-LDAP user
up at 3.am
Fri Aug 5 21:01:27 UTC 2011
> On Thu, Aug 04, 2011 at 11:41:04AM -0400, up at 3.am wrote:
>> We're having a pretty severe issue of a server/client app that is running out of
>> xinetd generating nss_ldap errors when the primary LDAP server is down. The thing
>> is, the user that this application (nagios nrpe) runs as exists in every host's
>> /etc/passwd (and group) file and NOT in the Directory Server, just for this
>> reason. I am wondering if this is a pam issue, but I admit I do not know to what
>> extent that service users consult pam.
>
> The xinetd daemon doesn't link with libpam, so I doubt it's an issue. I
> think it's more likely that, because supplemental group membership is
> retrieved from all available sources, xinetd is attempting to determine
> which of the groups you've defined in the directory server the user is a
> member of.
>
> If that is indeed what's happening, then you'll want to look into
> adjusting the value of the "nss_initgroups_ignoreusers" in nss_ldap's
> configuration file.
Sounds like JUST the info I was looking for. I'm still a little puzzled as to
how/why xinetd would look to LDAP at all if PAM isn't telling it to. From
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
Since the answer is found in "files" /etc/passwd (and /etc/group), what makes it
call nss_ldap at all?
Thanks VERY much!
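A small check for the situation discussed in this thread, added here as an example and not part of the original mail or of nss_ldap: given a host's nsswitch.conf, nss_ldap config and passwd file, it reports whether initgroups() for a local service user would still reach nss_ldap, or whether the nss_initgroups_ignoreusers workaround covers that user. It assumes nss_ldap's config is /etc/ldap.conf (all paths are passed in), and the sample files it writes are constructed.

```shell
#!/bin/sh
# Reports whether a local service user (e.g. nrpe) would still trigger an
# nss_ldap lookup during initgroups(), and whether nss_initgroups_ignoreusers
# in the nss_ldap config (assumed: /etc/ldap.conf) lists that user.

# Does the "group:" line of nsswitch.conf ($1) include ldap as a source?
group_uses_ldap() {
    awk '$1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Is user $2 named in nss_initgroups_ignoreusers (comma-separated) in config $1?
user_is_ignored() {
    awk -v user="$2" '
        $1 == "nss_initgroups_ignoreusers" {
            list = ""
            for (i = 2; i <= NF; i++) list = list $i   # tolerate "a, b" spacing
            n = split(list, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == user) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Does user $2 have an entry in the passwd file $1?
user_in_files() {
    awk -F: -v user="$2" '$1 == user { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Prints one verdict: not-local, local-only, ignored, or would-query-ldap.
# $1 nsswitch.conf  $2 nss_ldap config  $3 passwd file  $4 user
initgroups_verdict() {
    if ! user_in_files "$3" "$4"; then echo "not-local"; return 0; fi
    if ! group_uses_ldap "$1"; then echo "local-only"; return 0; fi   # ldap never asked
    if user_is_ignored "$2" "$4"; then echo "ignored"; return 0; fi   # workaround in place
    echo "would-query-ldap"                                          # initgroups() hits nss_ldap
}

# Constructed sample files (not from any real host), written into directory $1.
write_samples() {
    printf 'nrpe:x:497:495:NRPE:/var/run/nrpe:/sbin/nologin\n' > "$1/passwd"
    printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$1/nsswitch.conf"
    printf 'passwd: files\nshadow: files\ngroup: files\n' > "$1/nsswitch-files.conf"
    printf '# constructed nss_ldap config\nbase dc=example,dc=com\n' > "$1/ldap.conf"
    printf 'base dc=example,dc=com\nnss_initgroups_ignoreusers root,nrpe\n' > "$1/ldap-fixed.conf"
}

dir=$(mktemp -d) && write_samples "$dir"
initgroups_verdict "$dir/nsswitch.conf" "$dir/ldap.conf" "$dir/passwd" nrpe        # would-query-ldap
initgroups_verdict "$dir/nsswitch.conf" "$dir/ldap-fixed.conf" "$dir/passwd" nrpe  # ignored
rm -rf "$dir"
```

On a real host, run it against /etc/nsswitch.conf, /etc/ldap.conf and /etc/passwd for each xinetd service user; "would-query-ldap" is the configuration that produces the errors described above when the directory server is down.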