On Thu, Aug 04, 2011 at 11:41:04AM -0400, up(a)3.am wrote:
> We're having a pretty severe issue of a server/client app that is running out of
> xinetd generating nss_ldap errors when the primary LDAP server is down. The thing
> is, the user that this application (nagios nrpe) runs as exists in every host's
> /etc/passwd (and group) file and NOT in the Directory Server, just for this
> reason. I am wondering if this is a pam issue, but I admit I do not know to what
> extent that service users consult pam.
The xinetd daemon doesn't link with libpam, so I doubt it's an issue. I
think it's more likely that, because supplemental group membership is
retrieved from all available sources, xinetd is attempting to determine
which of the groups you've defined in the directory server the user is a
member of.
If that is indeed what's happening, then you'll want to look into
adjusting the value of the "nss_initgroups_ignoreusers" in nss_ldap's
configuration file.
Sounds like JUST the info I was looking for. I'm still a little puzzled as to
how/why xinetd would look to LDAP at all if PAM isn't telling it to. From
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
Since the answer is found in "files" /etc/passwd (and /etc/group), what makes
it call nss_ldap at all?
Thanks VERY much!
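Added illustration, not part of the thread: a small simulation of the behaviour the reply above describes and the follow-up question asks about. A passwd lookup stops at the first source that answers, but initgroups() asks every source on the "group" line of nsswitch.conf and merges the results, so a user that lives only in /etc/passwd still triggers an nss_ldap call (and an error when the directory is down) unless nss_ldap is told to skip that user via nss_initgroups_ignoreusers. The sources, records and the ignoreusers hook are constructed stand-ins, not glibc or nss_ldap code.

```python
# Added simulation (not from the thread) of how glibc NSS answers a passwd
# lookup versus an initgroups() call. Sources, records and the
# nss_initgroups_ignoreusers hook are constructed stand-ins for the real ones.
NSSWITCH = {"passwd": ["files", "ldap"], "group": ["files", "ldap"]}

class LdapDown(Exception):
    """Stand-in for the nss_ldap error logged when the directory is down."""

def make_sources(ldap_up):
    """Constructed databases: nrpe lives only in files, never in LDAP."""
    return {
        "files": {"up": True, "passwd": {"nrpe": 500}, "group": {"nagios": ["nrpe"]}},
        "ldap": {"up": ldap_up, "passwd": {"alice": 1000}, "group": {"ldapadmins": ["alice"]}},
    }

def query(source, db, name):
    """One NSS module call; an unreachable LDAP source fails like nss_ldap does."""
    if not source["up"]:
        raise LdapDown("directory server unreachable")
    if db == "passwd":
        return source["passwd"].get(name)
    return [g for g, members in source["group"].items() if name in members]

def getpwnam(name, sources):
    """passwd lookup: the first source that returns a hit ends the search."""
    for src in NSSWITCH["passwd"]:
        hit = query(sources[src], "passwd", name)
        if hit is not None:
            return hit
    return None

def initgroups(name, sources, ignoreusers=()):
    """initgroups: every source on the 'group' line is queried and merged."""
    groups = set()
    for src in NSSWITCH["group"]:
        # nss_initgroups_ignoreusers: nss_ldap says 'not found' without contacting LDAP
        if src == "ldap" and name in ignoreusers:
            continue
        groups.update(query(sources[src], "group", name))
    return sorted(groups)

def resolve(name, ldap_up, ignoreusers=()):
    """Both lookups for one user; reports the LDAP error instead of raising."""
    sources = make_sources(ldap_up)
    out = {"passwd": getpwnam(name, sources), "groups": None, "error": None}
    try:
        out["groups"] = initgroups(name, sources, ignoreusers)
    except LdapDown as exc:
        out["error"] = str(exc)
    return out
```

With the directory down, resolve("nrpe", ldap_up=False) finds the user in files but reports the LDAP error from initgroups; adding "nrpe" to ignoreusers makes the group step succeed from files alone.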