getent passwd when nsswitch passwd setting is: files ldap

getent will return whatever the results are for whichever "database" you specify. It determines what backends to use when constructing this "database" based on the contents of /etc/nsswitch.conf.

getent lists its "databases" when you query its usage page, getent --help.

Supported databases:
ahosts ahostsv4 ahostsv6 aliases ethers group gshadow hosts initgroups
netgroup networks passwd protocols rpc services shadow

To my knowledge, there is no way to disable its behavior of providing all the results for the various backends that are configured in /etc/nsswitch.conf.

getent and /etc/nsswitch.conf are both part of the nss (Name Service Switch).

Excerpt from nss man page

Each call to a function which retrieves data from a system database like the password or group database is handled by the Name Service Switch implementation in the GNU C library. The various services provided are implemented by independent modules, each of which naturally varies widely from the other.

The default implementations coming with the GNU C library are by default conservative and do not use unsafe data. This might be very costly in some situations, especially when the databases are large. Some modules allow the system administrator to request taking shortcuts if these are known to be safe. It is then the system administrator's responsibility to ensure the assumption is correct.

There are other modules where the implementation changed over time. If an implementation used to sacrifice speed for memory consumption it might create problems if the preference is switched.

Backends

There are a variety of these, too many to cover here. But suffice it to say, there are backends such as sssd (sss/LDAP), NIS, and NIS+, to name a few.

So whichever backends your system has specified in its /etc/nsswitch.conf file will determine what output getent shows when a given "database" is queried, such as getent passwd.
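As an added example (not code from the answer above or from any project), the following POSIX shell script reads the backend list for a database out of an nsswitch.conf-style file and then separates a saved getent passwd enumeration into local and non-local entries; all file contents are constructed samples so it runs offline, and the function names nss_sources and remote_entries are my own.

```shell
#!/bin/sh
# Added example: which NSS backends serve a database, and which enumerated
# entries did not come from the local file. Sample data is constructed.

# Print the backend list for database $1 from file $2, e.g. "files ldap".
# Action specifiers like [NOTFOUND=return] are skipped: they steer lookup
# flow but are not backends (the spaced form "[ X=Y ]" is not handled).
nss_sources() {
    awk -v db="$1" '
        { sub(/#.*/, "") }
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$2"
}

# $1 is a saved enumeration ("getent passwd > file"), $2 the local passwd
# file; print usernames that other backends (LDAP, sss, ...) supplied.
remote_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' "$2" "$1"
}

# Constructed stand-ins for /etc/nsswitch.conf, /etc/passwd, getent output.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     files ldap
group:      files [NOTFOUND=return] ldap
shadow:     files
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$tmp/getent.out" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:20001:20001::/home/bob:/bin/bash
EOF
echo "passwd backends: $(nss_sources passwd "$tmp/nsswitch.conf")"
echo "entries not from the local passwd file:"
remote_entries "$tmp/getent.out" "$tmp/passwd"
```

On a real host, run getent passwd into a file and feed it with /etc/passwd to remote_entries to see exactly which entries the non-files backends contributed.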

Author: Gregg Leventhal

Updated on September 18, 2022

Comments

  • Gregg Leventhal
    Gregg Leventhal almost 2 years

    If /etc/nsswitch.conf has this line in it:

    passwd:     files ldap

    and I do getent passwd, will it first run down the /etc/passwd list and then go through every user in LDAP? That seems to be what happens.

    I tried it on a Red Hat server and it was scrolling thousands of lines when /etc/passwd is only 36 lines.

    • Tam Borine
      Tam Borine over 10 years
      What you describe seems to me perfectly normal. When you use LDAP, getent passwd will list all users (local + ldap)
    • Gregg Leventhal
      Gregg Leventhal over 10 years
      Thanks, it's very possible that it is normal. I am fairly new to using LDAP with Linux. Previously I managed users using a configuration management utility.
  • Stéphane Chazelas
    Stéphane Chazelas over 10 years
    only for the NSS providers that enable enumeration. For instance, with sss, you can disable enumeration for some domains.
  • GhostLyrics
    GhostLyrics almost 7 years
    The sssd howto link is dead.
  • slm
    slm almost 7 years
    @GhostLyrics - changed link