Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

["Jesse W. Hathaway" <jesse@mbuki-mvuki.org>]

> On Fri, Apr 28, 2006 at 10:51:38AM -0400, Jesse W. Hathaway wrote:
> 
> > I do understand why this feature is needed. However, the additional 
> > feature of having the ability to disable this function is also needed.
> > It is quite common to not have any of the users, used for system
> > daemons, to be included in groups found in network directories. It seems
> > needless to query network directories for system daemons such as apache.
> 
> Yes, in some cases such a feature would be useful, but that feature
> currently does not exist.
> 
> > Enumeration is a lookup process, so I still think the man page is
> > unclear, as to what effect the action statement will have in the group
> > database option.
> 
> The documentation might be improved, but the documentation of SUCCESS
> talks about the "wanted entry" and the documentation of NOTFOUND talks
> about "the needed value", both terms having no meaning for enumeration.
> Well, you can interpret those terms as "all possible entries"; either
> way you get that SUCCESS and NOTFOUND action rules have no effect on
> enumeration.
> 
> > Given that one of the main features of LDAP and NIS are consistent
> > groups across all machines, I think it would be beneficial to support
> > querying network directories selectively.
> 
> I think the reason this was not solved much easier is that it is not a
> problem for NIS/NIS+. They need much less resources than LDAP.
> Enumerating over a couple thousand users using NIS+ was not a problem
> when I last did it; doing the same with LDAP produces quite a
> significant load.

This might be the case, that NIS handles the queries faster, however
with either directory server, the loss of network connectivity should not
impact the system daemons. A laptop is a good example of a system where 
this situation occurs on a regular basis.