> On Thu, Aug 04, 2011 at 11:41:04AM -0400, up@xxxx wrote:
>> We're having a pretty severe issue of a server/client app that is running out of
>> xinetd generating nss_ldap errors when the primary LDAP server is down. The thing
>> is, the user that this application (nagios nrpe) runs as exists in every host's
>> /etc/passwd (and group) file and NOT in the Directory Server, just for this
>> reason. I am wondering if this is a pam issue, but I admit I do not know to what
>> extent that service users consult pam.
>
> The xinetd daemon doesn't link with libpam, so I doubt it's an issue. I
> think it's more likely that, because supplemental group membership is
> retrieved from all available sources, xinetd is attempting to determine
> which of the groups you've defined in the directory server the user is a
> member of.
>
> If that is indeed what's happening, then you'll want to look into
> adjusting the value of the "nss_initgroups_ignoreusers" in nss_ldap's
> configuration file.

Sounds like JUST the info I was looking for. I'm still a little puzzled as to
how/why xinetd would look to LDAP at all if PAM isn't telling it to. From
/etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

Since the answer is found in "files" /etc/passwd (and /etc/group), what makes it
call nss_ldap at all?

Thanks VERY much!

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
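
The lookup behaviour discussed in this thread, as an added example that is not part of the original messages and is not glibc or nss_ldap code: a simplified Python model in which a passwd lookup stops at the first source that answers, while the supplementary-group lookup asks every source listed for `group:`, and an `nss_initgroups_ignoreusers` entry makes the LDAP source answer "not found" without contacting the server. All class and function names and the sample uid are assumptions made for illustration.

```python
# Simplified model of NSS source iteration; constructed example, not glibc or nss_ldap code.
class LdapDown(Exception):
    pass

class Files:
    name = "files"
    def __init__(self, passwd, group):
        self.passwd, self.group = passwd, group   # {user: uid}, {group: [members]}
    def getpwnam(self, user):
        return self.passwd.get(user)
    def initgroups(self, user):
        return {g for g, members in self.group.items() if user in members}

class Ldap:
    name = "ldap"
    def __init__(self, up, ignoreusers=()):
        self.up, self.ignoreusers, self.queries = up, set(ignoreusers), 0
    def _query(self):
        self.queries += 1
        if not self.up:
            raise LdapDown("cannot contact LDAP server")
    def getpwnam(self, user):
        self._query()
        return None                      # user is deliberately absent from the directory
    def initgroups(self, user):
        if user in self.ignoreusers:     # nss_initgroups_ignoreusers: "not found", no query
            return set()
        self._query()
        return set()

def lookup_passwd(sources, user):
    for src in sources:                  # passwd: first source with an answer wins
        entry = src.getpwnam(user)
        if entry is not None:
            return entry
    return None

def lookup_initgroups(sources, user):
    groups, errors = set(), []
    for src in sources:                  # supplementary groups: every source is asked
        try:
            groups |= src.initgroups(user)
        except LdapDown as exc:
            errors.append(f"{src.name}: {exc}")
    return groups, errors

def simulate(ignoreusers=()):
    # Constructed data: local service user "nagios", LDAP server unreachable.
    ldap = Ldap(up=False, ignoreusers=ignoreusers)
    sources = [Files({"nagios": 500}, {"nagios": ["nagios"]}), ldap]
    uid = lookup_passwd(sources, "nagios")
    groups, errors = lookup_initgroups(sources, "nagios")
    return uid, groups, errors, ldap.queries
```

Calling `simulate()` shows the passwd lookup succeeding from files alone while the group lookup still reaches the unreachable LDAP source; `simulate(["nagios"])` shows the same lookups with the user on the ignore list.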