Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:
> Why is it defined that getgrouplist() and initgroups() _always_
> enumerate all NSS groups?
Just think about the simple case when a user defined in /etc/passwd is
also a member of a group that is only defined in LDAP. getgrouplist()
and initgroups() MUST support this.
Or another viewpoint: when enumerating entries neither the "SUCCESS"
nor the "NOTFOUND" conditions occur until all backends are exhausted, so
[SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.
Btw. both the nsswitch.conf man page and the glibc documentation say:
The second item in the specification gives the user much finer
control on the lookup process.
So they only mention the _lookup_ process (i.e. getXXbyYY()), they do
not say that action statements would have any effect on enumeration.
> This can cause problems for system daemons. For
> instance apache2 does an initgroups every time it spawns a thread, which
> results in my ldap servers being pounded when I have high load on my
> webservers. Nscd is a possible solution to the problem, but the version
> in stable does not cache initgroup requests, and the version in unstable
> invalidates them prematurely. Having the ability to not search other
> databases for local name service lookups seems like a valuable function.
That is a well-known scenario and the usual advice is "do not use LDAP
as the group NSS backend".
Gabor
--
---------------------------------------------------------
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
---------------------------------------------------------
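The lookup-versus-enumeration distinction Gabor describes, modelled in Python as an added illustration (not code from the bug report or from glibc). It assumes two constructed backends, "files" and "ldap", and a constructed user "alice" who exists only locally but belongs to an LDAP-only group; only SUCCESS and NOTFOUND actions are modelled.

```python
"""Model of the NSS semantics described above: action modifiers in
nsswitch.conf steer lookups (getXXbyYY), while enumeration of group
membership (getgrouplist/initgroups) consults every backend."""

# Constructed sample data. "alice" exists only in files but is a member of
# "webdevs", a group that exists only in the (simulated) LDAP backend.
FILES_GROUP = {"alice": (1000, ["alice"]), "staff": (50, ["bob"])}
LDAP_GROUP = {"webdevs": (5000, ["alice", "carol"])}
BACKENDS = {"files": FILES_GROUP, "ldap": LDAP_GROUP}
backend_calls = {"files": 0, "ldap": 0}  # how often each backend was queried


def parse_nsswitch_line(line):
    """Turn 'group: files [NOTFOUND=return] ldap' into
    [('files', {'NOTFOUND': 'return'}), ('ldap', {})]."""
    _, _, spec = line.partition(":")
    entries = []
    for tok in spec.split():
        if tok.startswith("[") and tok.endswith("]"):
            status, _, action = tok[1:-1].partition("=")
            entries[-1][1][status.upper()] = action.lower()
        else:
            entries.append((tok, {}))
    return entries


def getgrnam(name, nsswitch):
    """Lookup: stop as soon as the STATUS=ACTION rules say 'return'."""
    for backend, actions in parse_nsswitch_line(nsswitch):
        backend_calls[backend] += 1
        db = BACKENDS[backend]
        status = "SUCCESS" if name in db else "NOTFOUND"
        default = "return" if status == "SUCCESS" else "continue"
        if actions.get(status, default) == "return":
            return (name,) + db[name] if status == "SUCCESS" else None
    return None


def getgrouplist(user, nsswitch):
    """Enumeration: SUCCESS/NOTFOUND is only known once a backend is
    exhausted, so the modifiers never fire and every backend is queried.
    This is why an initgroups() per spawned thread reaches LDAP each time."""
    gids = []
    for backend, _actions in parse_nsswitch_line(nsswitch):
        backend_calls[backend] += 1
        for _gname, (gid, members) in BACKENDS[backend].items():
            if user in members and gid not in gids:
                gids.append(gid)
    return gids
```

With `group: files [NOTFOUND=return] ldap`, a lookup of the LDAP-only group stops at files, but enumerating alice's groups still returns both the local and the LDAP gid and increments the ldap call counter every time.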