[systemd-devel] proper way for shutdown script
grawity at gmail.com
Wed Oct 5 16:34:36 UTC 2016
On Wed, Oct 5, 2016 at 7:08 PM, Xen <list at xenhideout.nl> wrote:
> Mantas Mikulėnas wrote on 05-10-2016 14:49:
>> On Wed, Oct 5, 2016 at 1:47 PM, Xen <list at xenhideout.nl> wrote:
>>> the libnss-ldap package on my system used to contain (and still
>>> contains) a script that is run on system reboot and shutdown and
>>> installs itself into SysV directories for runlevel 0 and 6.
>> Do you mean libnss-ldapd? The standalone libnss-ldap has been
>> deprecated for quite a while (in favor of nslcd-based thin modules).
>> Also, what does this script do?
> Thanks for the hint. I had come across nslcd but it seemed more
> complicated to get it running the first time, so I opted for the smaller
> solution having only libnss-ldap. I was not actually aware (anymore) of
> I am sure it is a "better" solution I was just not sure I could get it
> running in due time.
> I also don't know what could be the difference here (I am sure there could
> The script does what I have mentioned in another email which is to exclude
> certain users and groups from being LDAP-sourced by factual enumeration:
> the script just lists all of the groups and users (I think) and puts them
> into the configuration file. It is just a bit of an ugly workaround I guess
> as to simply checking for user and group ID.
> The script probably just assumes that all user IDs and user groups start
> above a certain UID/GID.
> What you would really need is an LDAP module that would not perform
> lookups above a certain ID, but this also works, and is in a way more
> flexible and powerful.
> Even with very low timeouts LDAP queries would not be okay for system
> There is just no way you can run a (Linux) system with system groups and
> users in some LDAP database.
If you mean "would not perform lookups _below_ a certain ID", then sure,
that exists. In /etc/nslcd.conf you can specify "nss_min_uid 1000", for
example, to avoid lookups for all system UIDs.
Mantas Mikulėnas <grawity at gmail.com>
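
An added example, not part of the original message: a shell check that reads the `nss_min_uid` cutoff from an nslcd.conf-format file and lists the local accounts whose UID the cutoff does not exclude (for instance `nobody` at 65534). The function names and the sample files are constructed for illustration, and an unset option is assumed to mean a cutoff of 0.

```shell
#!/bin/sh
# Added example: compare a passwd-format file with the nss_min_uid cutoff
# read from an nslcd.conf-format file. Function names are hypothetical.

# Print the nss_min_uid value, or 0 if the option is not set
# (assumption: no option means no cutoff). Commented-out lines are ignored.
nss_min_uid_of() {
    awk '$1 == "nss_min_uid" && $2 ~ /^[0-9]+$/ { v = $2 }
         END { print (v == "" ? 0 : v) }' "$1"
}

# Print "name:uid" for local accounts whose UID is at or above the cutoff,
# i.e. accounts that nss_min_uid alone does not exclude.
# Usage: not_excluded PASSWD_FILE NSLCD_CONF
not_excluded() {
    awk -F: -v min="$(nss_min_uid_of "$2")" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 { print $1 ":" $3 }' "$1"
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$1/nslcd.conf" <<'EOF'
# constructed sample
uri ldap://ldap.example.org/
base dc=example,dc=org
#nss_min_uid 500
nss_min_uid 1000
EOF
}

# Run against the constructed sample when invoked with "demo" as argument.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    echo "cutoff: $(nss_min_uid_of "$d/nslcd.conf")"
    not_excluded "$d/passwd" "$d/nslcd.conf"
    rm -rf "$d"
fi
```

On a real host, pass `/etc/passwd` and `/etc/nslcd.conf` to `not_excluded`; any system account it prints sits above the cutoff and needs separate handling.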