Every user queried when one user logs in

[Gerrard Geldenhuis <Gerrard.Geldenhuis@betfair.com>]

Hi
My question probably straddles both PAM and LDAP so please scan it to the bottom before outrightly dismissing it as being mis-posted.
I am not sure if this is by design but when I login as a user to a box with LDAP enabled I see a search request for every possible user in my dirctory. This breaks my test system if I have more than 10 000 users, while is unlikely that I would have so many users I would still like to optimize the LDAP query to be slightly less verbose.

I have added nss_base directive which I did not have to optimize the search but it has not had the desired effect I had hoped for, it has in fact added an additional 70 odd packets to the average network capture when a user authenticates.

my /etc/ldap.conf:


binddn          uid=SysAuth,ou=Service Accounts,dc=mycompany
bindpw          secret
pam_password clear
base            dc=betfair
nss_base_passwd         ou=people,dc=mycompany?sub
nss_base_group          ou=Groups,dc=mycompany?sub
nss_base_group          ou=PrivateGroups,dc=mycompany?sub
nss_base_group          ou=SystemGroups,dc=mycompany?sub


sizelimit                       1000
idle_timelimit                  5
timelimit                       10
bind_timelimit                  5
nss_reconnect_tries             1
nss_reconnect_maxconntries      1
nss_reconnect_sleeptime         1
nss_reconnect_maxsleeptime      1
nss_reconnect_maxconntries      1

I have also played around with various debug levels in /etc/ldap.conf but I have not really been succesfull in matching requests I see there to requests I see in wireshark. The man page in centos (man pam_ldap and nss_ldap ) also does not make any mention of available log levels or what they do. I have also scanned the source code for some more info on log levels but did not find anything usefull. If it is in the source code then please point me to it.

I have gone through the pam list logs and the closest I could find was a the following thread:
https://www.redhat.com/archives/pam-list/2009-September/thread.html and a similar thread in December 2010.  This threads although similar is related to groups and my problem is with every user being queried.

I am also 

I am 90% certain that is a config error on my part but I have not been able to find that error yet and would welcome any assistance in finding the problem.

My system-auth in /etc/pam.d/ looks as follows:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so  use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Using CentOS release 5.4

Best Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________