https://bugzilla.novell.com/show_bug.cgi?id=242520 mhorvath@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team- |jsuchome@novell.com |screening@forge.provo.novell| |.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #2 from rhafer@novell.com 2007-02-13 03:25 MST ------- IIRC we used the nss_compat with ldap because we needed an easy was to deny shell access to all LDAP users on a machine (without touching all the separate pam config files). But if nss_compat really uses setgrent/getgrent to emulate the initgroups function we should better switch away from it. But from a quick look at the source it does seem that if the underlying module (nss_ldap in this case) support initgroups, it uses initgroups and only does a fallback if initgroups is not implemented in the module. I must admit though, that I am not very familiar with the nss_compat code. Thorsten might know it better ... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 rhafer@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |forsberg@cendio.se ------- Comment #4 from rhafer@novell.com 2007-02-13 03:37 MST ------- Erik, how did you come to the conclusion that nss_compat does not support initgroups() ? Looking at the code? Testing? How did you test? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 rhafer@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jsuchome@novell.com |pbaudis@novell.com ------- Comment #6 from rhafer@novell.com 2007-02-13 04:54 MST ------- nss_compat indeed seems to do something different than plain nss_ldap. In its initgroups() function, it calls getgrgid() for every group that the initgroups() call of nss_ldap return. That can of course result indeed in a lot of more LDAP queries than when nss_ldap is used directly. One addtional query for each group and one addtional query for each member of that groups (when "groupOfNames" groups are used, which is our default). That will hurt especially when many large groups are used. This is a comment from the initgroups() function of nss_compat: /* For every gid in the list we get from the NSS module, get the whole group entry. We need to do this, since we need the group name to check if it is in the blacklist. In worst case, this is as twice as slow as stepping with getgrent_r through the whole group database. But for large group databases this is faster, since the user can only be in a limited number of groups. */ I have no idea what this blacklist is for that is mentioned there. Petr, Thorsten any idea how things can be improved here? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #8 from rhafer@novell.com 2007-02-13 06:09 MST ------- (In reply to comment #7)

So with "compat", we have to live with the overhead. Then I would rather go for the "files ldap" approach and live with the requirement to reboot the machine. That is just a one-time thing, while the overhead of nss_compat would always be present and can get quite big in large environments.

We would also need a way to disallow non-local user shell access on a machine, while still having access to other service (e.g. imap). It should be possible with nss_override_attribute_value in /etc/ldap.conf which is new in nss_ldap since some releases. It might also be possible through pam_ldap (with a combination of pam_check_host_attr and pam_check_service_attr). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #10 from kukuk@novell.com 2007-02-19 03:40 MST ------- glibc never rereads /etc/nsswitch.conf. So all already running deaemons will never see the change and will not use ldap. So you have to restart everything or, easier, reboot. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #12 from kukuk@novell.com 2007-02-19 04:04 MST ------- I think the problem is more that the interface is not designed to give all memory free and restart the subsystem. So you will have a memory leak here. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #14 from kukuk@novell.com 2007-02-19 09:00 MST ------- (In reply to comment #13)

(In reply to comment#10) I don't know about suse, but other distributions (Debian, Fedora Core) has a list of daemons it restarts when glibc is restarted. The same list could perhaps be used to let Yast restart daemons after changes to nsswitch.conf?

YaST2 has already such a list, like the other distributions. And like the other distributions you will always miss daemons or restart them in the wrong order. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 rhafer@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO Info Provider| |forsberg@cendio.se ------- Comment #16 from rhafer@novell.com 2007-03-15 07:29 MST ------- (In reply to comment #15)

In case we want to avoid these troubles, the other possible way is to ask the user whether to use the straight or the compat way during nss_ldap installation. It's a bit crude but probably the most reasonable solution...? Most users will have no idea about the differences between both approaches. Such a question will only confuse them. If we can't improve the performance with "compat" we should IMO switch to "files ldap" or "compat ldap" (if that make sense) and tell the user to reboot (behave similar to what the Windows Domain Membership YaST module does).

Thorsten, Petr are there any other problem with using "files ldap" than the needed reboot and the different way to deny shell access with "file ldap" (see comment #8). What would be better "files ldap" or "compat ldap"? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 cwinberg@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |cwinberg@novell.com ------- Comment #18 from cwinberg@novell.com 2007-03-15 11:35 MST ------- Some interesting test data from Customer DIB Test machine is a SLES9sp3. Tracing user login to NDS ldap server. With nsswitch.conf set to "files ldap": LDAP binds 6 LDAP Searches 1767 LDAP compare 1 With nsswitch.conf set to "compat" LDAP bind 5 LDAP search 1729 LDAP compare 1 With nsswitch.conf set to "ldap files" LDAP bind 4 LDAP search 1729 LDAP compare 1 With nsswitch set to "ldap" LDAP bind 6 LDAP search 1768 LDAP compare 1 RHES server with same ldap config LDAP bind 5 LDAP search 11 LDAP compare 1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #20 from cwinberg@novell.com 2007-03-15 13:19 MST ------- Interesting data from this config: passwd: ldap files group: ldap hosts: files dns networks: files dns services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files publickey: files bootparams: files automount: files nis aliases: files #passwd_compat: ldap #group_compat: ldap ***********packet trace data***************** LDAP binds 3 LDAP search 2 LDAP compare 1 Is this config present any one with a problem? It sure is fast. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #22 from rhafer@novell.com 2007-03-16 09:45 MST ------- I did some more tests by myself now. System was openSUSE 10.3alpha2. nscd was not running. The LDAP Server has 1000 users, primary group of the testuser that 1000 members and the user was a (secondary) member of another group which had 1000 members as well. compat: Binds: 7 Searches: 2030 files ldap: Binds: 6 Searches: 1021 My Fedore Core 6 test machine gave me this results: Binds: 8 Searches: 20 The difference between 10.3 with compat and 10.3 with files ldap is caused by additional getgrgid() calls that nss_compat does (see comment #6). It took me a little longer to find out why 10.3 with "files ldap" does still a 1000 searches more than the FC6 system. But I figured that those queries are done while executing the /etc/profile script. One of the first things that our /etc/profile script does is "/bin/ls -l /proc/$$/exe" during which another getgrgid() call happens. After removing that "/bin/ls -l /proc/$$/exe" command from /etc/profile the results were similar to the result from the FC6 system. When nscd is running the result are of course only true for the first login attempt (and cold nscd caches). Subsequent logins just need some LDAP queries for pam_ldap the getgrgid() results are directly provided by nscd. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 kukuk@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED Info Provider|kukuk@novell.com | ------- Comment #24 from kukuk@novell.com 2007-03-19 04:11 MST ------- No, should not. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #26 from cwinberg@novell.com 2007-03-19 07:54 MST ------- I have my customer's nds dibs configured in Provo if you would like to see how my customer has implemented PAM ldap. Tree: Transunion Admin ID: ".admin.services" passwd: "novell" TUXMLPOS 151.155.134.68 NETAPP1_PROD 151.155.134.77 Test authentication IDs cn=cwinber,o=assocaites passwd "biteme36" cn=bobo,o=assocaites passwd "biteme36" If you have a Linux system that you want to observe, modify either of the two test IDs with Console1, select the "other tab" then add the name of your local server to the "hosts" tab and you will be good to go. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 rhafer@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |LATER ------- Comment #28 from rhafer@novell.com 2007-03-20 08:18 MST ------- This is now tracked as a Feature Request via Fate. Fate-Id is #302064. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=242520 ------- Comment #30 from rhafer@novell.com 2007-03-20 09:09 MST ------- (In reply to comment #29)

Umm.. what does that mean, exactly? Is Fate a system I can access to see further progress on this bug? Fate is our Feature Tracking tool. AFAIK it is not opened to the public (yet?)

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.