[systemd-devel] proper way for shutdown script

Mantas Mikulėnas grawity at gmail.com
Wed Oct 5 16:34:36 UTC 2016


On Wed, Oct 5, 2016 at 7:08 PM, Xen <list at xenhideout.nl> wrote:

> Mantas Mikulėnas wrote on 05-10-2016 14:49:
>
>> On Wed, Oct 5, 2016 at 1:47 PM, Xen <list at xenhideout.nl> wrote:
>>
>>> Hi,
>>>
>>> the libnss-ldap package on my system used to contain (and still
>>> contains) a script that is run on system reboot and shutdown and
>>> installs itself into SysV directories for runlevel 0 and 6.
>>>
>>
>> Do you mean libnss-ldapd? The standalone libnss-ldap has been
>> deprecated for quite a while (in favor of nslcd-based thin modules).
>>
>> Also, what does this script do?
>>
>
> Thanks for the hint. I had come across nslcd but it seemed more
> complicated to get it running the first time, so I opted for the smaller
> solution having only libnss-ldap. I was not actually aware (anymore) of
> libnss-ldapd.
>
> I am sure it is a "better" solution; I was just not sure I could get it
> running in due time.
>
> I also don't know what could be the difference here (I am sure there could
> be).
>
> The script does what I have mentioned in another email which is to exclude
> certain users and groups from being LDAP-sourced by factual enumeration:
> the script just lists all of the groups and users (I think) and puts them
> into the configuration file. It is just a bit of an ugly workaround I guess
> as to simply checking for user and group ID.
>
> The script probably just assumes that all user IDs and user groups start
> above a certain UID/GID.
>
> What you would really need is an LDAP module that would not perform
> lookups above a certain ID, but this also works, and is in a way more
> flexible and powerful.
>
> Even with very low timeouts LDAP queries would not be okay for system
> groups.
>
> There is just no way you can run a (Linux) system with system groups and
> users in some LDAP database.
>

If you mean "would not perform lookups _below_ a certain ID", then sure,
that exists. In /etc/nslcd.conf you can specify "nss_min_uid 1000", for
example, to avoid lookups for all system UIDs.

-- 
Mantas Mikulėnas <grawity at gmail.com>
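
An added example, not part of the original message and not code from nslcd or libnss-ldap: a small audit that reads the `nss_min_uid` value from nslcd.conf text and lists local non-login accounts whose UID sits at or above it, which a UID threshold alone does not exclude from LDAP. The function names, the no-login shell heuristic for "service account", and the sample file contents are assumptions constructed for illustration.

```python
# Shells used here as a heuristic for "service account" (assumption).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_nss_min_uid(conf_text):
    """Return nss_min_uid from nslcd.conf text, or None if it is not set.
    If the option is repeated, this sketch keeps the last value (assumption)."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "nss_min_uid" and len(fields) >= 2 and fields[1].isdigit():
            value = int(fields[1])
    return value

def unshielded_service_accounts(conf_text, passwd_text):
    """Return (nss_min_uid, [(name, uid), ...]) for local non-login accounts
    whose UID is not below the threshold. With the option unset, every such
    account is reported."""
    min_uid = parse_nss_min_uid(conf_text)
    threshold = 0 if min_uid is None else min_uid
    found = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank, comment or malformed lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if shell in NOLOGIN_SHELLS and uid >= threshold:
            found.append((name, uid))
    return min_uid, found

# Constructed sample inputs (not taken from any real system).
SAMPLE_NSLCD_CONF = """\
# /etc/nslcd.conf (constructed sample)
uri ldap://ldap.example.org/
base dc=example,dc=org
nss_min_uid 1000
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    min_uid, accounts = unshielded_service_accounts(SAMPLE_NSLCD_CONF, SAMPLE_PASSWD)
    print("nss_min_uid:", min_uid)
    for name, uid in accounts:
        print(f"not covered by threshold: {name} (uid {uid})")
```

On a real host, pass the contents of `/etc/nslcd.conf` and `/etc/passwd` to `unshielded_service_accounts`.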