LDAP question
Frank Sorenson
frank at tuxrocks.com
Wed Jul 30 19:05:11 MDT 2008
Mike Lovell wrote:
> I am trying to get an LDAP working for an environment that I have.
> Currently, the LDAP is working and I can authenticate against the LDAP and
> everything is working fine. The one complaint I have is that on user
> or group lookups where the local account information is sufficient,
> there is still a query going against LDAP. Does anyone know if it is
> possible to configure things so that if there is a result found in
> /etc/passwd and /etc/group it then does not do a query against the LDAP? I
> am wanting to deploy this in an environment that is doing a ton of
> file operations as a particular user that is already on the local
> machines and I don't want queries hitting the LDAP all of the time and
> killing it. I know nscd will cache the info but I am wanting to not
> hit the LDAP for that user at all. Here is what I have in my
> nsswitch.conf.
The nsswitch.conf looks fine. I'd look into the ordering of the pam
stack. Check for references to pam_ldap.so in the
/etc/pam.d/system-auth or service-specific configuration, and make sure
that the ordering there only goes to ldap if it's not found locally.
For example:

    auth sufficient pam_unix.so
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so

and

    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    account required pam_deny.so

Frank
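An added example (not code from either message; written here to illustrate Frank's point): a short Python check that parses a constructed system-auth style stack and reports when pam_ldap.so could still be consulted after a local pam_unix.so success, either because it is listed first or because pam_unix.so is not 'sufficient'.

```python
import os
import re

# Constructed sample of an /etc/pam.d/system-auth style stack (not from the
# post): the auth stack consults pam_ldap.so before pam_unix.so.
SAMPLE_PAM = """\
auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so
account     required      pam_deny.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Control may be a bracketed form such as [success=1 default=ignore]
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype.lower(), control.lower(),
                            os.path.basename(module), args.split()))
    return entries

def check_stack(entries, mtype):
    """Findings for one stack type: for a local user to short-circuit LDAP,
    pam_unix.so must be 'sufficient' and appear before pam_ldap.so."""
    stack = [e for e in entries if e[0] == mtype]
    unix = next((i for i, e in enumerate(stack) if e[2] == "pam_unix.so"), None)
    ldap = next((i for i, e in enumerate(stack) if e[2] == "pam_ldap.so"), None)
    if ldap is None:
        return []  # no LDAP module in this stack, nothing to short-circuit
    if unix is None:
        return [f"{mtype}: pam_ldap.so present but no pam_unix.so entry"]
    findings = []
    if ldap < unix:
        findings.append(f"{mtype}: pam_ldap.so is listed before pam_unix.so")
    if stack[unix][1] != "sufficient":
        findings.append(f"{mtype}: pam_unix.so is '{stack[unix][1]}', not "
                        "'sufficient', so a local success still reaches pam_ldap.so")
    return findings

def audit(text, types=("auth", "account")):
    """Map each stack type to its findings (an empty list means OK)."""
    return {t: check_stack(parse_pam(text), t) for t in types}
```

Running audit() on the sample flags only the auth stack; Frank's ordering above produces no findings.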