getent passwd when nsswitch passwd setting is: files ldap
getent will return whatever the results are for whichever "database" you specify. It determines what backends to use when constructing this "database" based on the contents of /etc/nsswitch.conf.
getent lists its "databases" when you query its usage page, getent --help.
Supported databases:
ahosts ahostsv4 ahostsv6 aliases ethers group gshadow hosts initgroups
netgroup networks passwd protocols rpc services shadow
To my knowledge, there is no way to disable its behavior of providing all the results for the various backends that are configured in /etc/nsswitch.conf.
getent and /etc/nsswitch.conf are both part of the nss (Name Service Switch).
Each call to a function which retrieves data from a system database like the password or group database is handled by the Name Service Switch implementation in the GNU C library. The various services provided are implemented by independent modules, each of which naturally varies widely from the other.
The default implementations coming with the GNU C library are by default conservative and do not use unsafe data. This might be very costly in some situations, especially when the databases are large. Some modules allow the system administrator to request taking shortcuts if these are known to be safe. It is then the system administrator's responsibility to ensure the assumption is correct.
There are other modules where the implementation changed over time. If an implementation used to sacrifice speed for memory consumption it might create problems if the preference is switched.
Backends
There are a variety of these, too many to cover here. But suffice to say, there are backends such as sssd (sss/LDAP), NIS, and NIS+ to name a few.
So which of these your system has specified in your /etc/nsswitch.conf file will influence what output getent shows when a given "database" is queried, such as getent passwd.
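The merge described in the answer can be audited offline. The following is an added example, not part of the original answer: it reads the source order for a database from nsswitch.conf text, separates an enumerated passwd listing into local and non-local entries, and flags non-local entries that carry UID 0 or reuse a local account name. The function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample inputs; on a live host these would be the contents of
# /etc/nsswitch.conf and /etc/passwd and the output of `getent passwd`.
NSSWITCH = """\
passwd:     files ldap
group:      files [NOTFOUND=return] ldap   # bracketed items are actions, not sources
"""
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
GETENT_PASSWD = LOCAL_PASSWD + """\
alice:*:10001:10001:Alice Example:/home/alice:/bin/bash
root:*:0:0:directory root:/root:/bin/sh
"""

def sources_for(database, nsswitch_text):
    """Ordered source list for one database, ignoring comments and [STATUS=action] items."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1]).split()
    return []

def split_by_origin(getent_text, local_text):
    """Partition enumerated entries into those found verbatim in the local file and the rest."""
    local_lines = set(local_text.splitlines())
    local, other = [], []
    for entry in filter(None, getent_text.splitlines()):
        (local if entry in local_lines else other).append(entry)
    return local, other

def audit_other(other_entries, local_text):
    """Flag non-local entries that carry UID 0 or reuse a locally defined account name."""
    local_names = {l.split(":")[0] for l in local_text.splitlines() if l}
    fields = [e.split(":") for e in other_entries]
    return {
        "uid0": [f[0] for f in fields if f[2] == "0"],
        "shadows_local": [f[0] for f in fields if f[0] in local_names],
    }

if __name__ == "__main__":
    print("passwd sources:", sources_for("passwd", NSSWITCH))
    local, other = split_by_origin(GETENT_PASSWD, LOCAL_PASSWD)
    print(len(local), "local entries,", len(other), "from other sources")
    print(audit_other(other, LOCAL_PASSWD))
```

With the sources ordered files ldap, a lookup by name stops at the first source that answers, so the local root entry is the one returned; the duplicate only becomes visible in the enumerated listing.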
Gregg Leventhal
Updated on September 18, 2022
Comments
-
Gregg Leventhal almost 2 years
If /etc/nsswitch.conf has this line in it:
passwd: files ldap
and I do getent passwd, will it first run down the /etc/passwd list and then go through every user in LDAP? That seems to be what happens. I tried it on a Red Hat server and it was scrolling thousands of lines when /etc/passwd is only 36 lines.
-
Tam Borine over 10 years
What you describe seems to me perfectly normal. When you use LDAP, getent passwd will list all users (local + ldap)
-
Gregg Leventhal over 10 years
Thanks, it's very possible that it is normal. I am fairly new to using LDAP with Linux. Previously I managed users using a configuration management utility.
-
Stéphane Chazelas over 10 years
only for the NSS providers that enable enumeration. For instance, with sss, you can disable enumeration for some domains.
-
GhostLyrics almost 7 years
The sssd howto link is dead.
-
slm almost 7 years
@GhostLyrics - changed link