Bug 226119 - Feature request: Add ldap data source for the NSS netgroup database
Summary: Feature request: Add ldap data source for the NSS netgroup database
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 11.0-STABLE
Hardware: Any Any
: --- Affects Some People
Assignee: FreeBSD bugs mailing list
Depends on:
Reported: 2018-02-22 14:38 UTC by vmiller
Modified: 2018-03-07 17:11 UTC (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description vmiller 2018-02-22 14:38:36 UTC
The nsswitch.conf man page describes the sources that are currently implemented for NSS which exclude LDAP. An LDAP data source will enable FreeBSD clients to more easily integrate with central user/account management frameworks like FreeIPA & sssd.

As an illustration of problems that would be mitigated with the implementation of an ldap data source consider that a centralized user accounting and management system, particularly FreeIPA, sudo queries the data source (sss) returning netgroups which sudo responds to by subsequently calling innetgr(). When called, innetgr() loads and iterates over /etc/netgroup looking for matching entries. As netgroup grows in size, so does the amount of time required to iterate it. For example, my tests using a ~1.5MB file consisting of ~31,000 entries took 30 seconds to return a password prompt as it traversed netgroup to insure the invoking user was permitted to.

The following references describe FreeBSD deployment within a FreeIPA/sssd framework and illustrate that multiple users are deploying FreeBSD in such a configuration.