How to use same library more than once in Name Service Switch (NSS)

Is there any generic solution to use a single NSS library two (or more) times?

In my case I have two LDAP servers, one local on the machine itself and one remote. I need to make NSS work with both of them (it uses the remote one if local doesn’t have required entries).

Currently it is solved so that a single library (PADL/nss_ldap) is built twice. In both cases, before building, sed is used to change all nss_ldap occurrences in the sources to something else. For each case a different text is used (like nss_ldap_1 and nss_ldap_2). The build result is renamed accordingly. Both binaries are stored on the target system and referred to in /etc/nsswitch.conf.

Also, both of those libraries use different configuration files in /etc/ (otherwise it wouldn’t make any sense!). This, however, is done easily by just changing an argument to the library’s configure script, which is run before building.

But it doesn’t “feel right”. Is there any other approach?

What I could imagine is that the NSS library itself could support multiple configurations so that it would work as two “single instances”. But this is hard to achieve if you are not the author of the library. Also, it requires subsequent invocations of the library for both configurations, while one might prefer to have some other library in between.

Another approach would be to write a simple forwarder that just calls some other library with a different configuration. But this again requires that the other library be somehow reconfigurable (if it just uses some fixed config files in /etc, the forwarder will work just like the first version). And also it works only once – to have a library used three times or more, the same problem returns, now with the forwarder itself.

Asked By: Adam Badura


Unfortunately, you can’t do this with the NSS implementation of GNU libc. You noticed the fundamental problem; just let me present it from a different angle: the nsswitch.conf syntax does not allow for providing any additional info to the NSS service modules, thus they couldn’t behave differently on repeated invocations anyway. So it isn’t supported from the libc side nor from the module side. Moreover, glibc makes a point of keeping the service modules directly linkable shared objects, which excludes any linking trickery.

What you can do instead is to create a meta directory out of your two LDAP directories and use that in your NSS config. OpenLDAP supports this nicely, see the slapd-meta(5) manual page or this merge intro for example. Of course you don’t need a new slapd instance for this if you can configure either of the two.

(And instead of nss-ldap use nss-ldapd if you can.)

Answered By: Ferenc Wágner
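To make the suggested workaround concrete, here is an added configuration sketch (not part of the question or answer above, and not taken from any project's documentation) of the slapd-meta approach: one slapd exposes a single virtual suffix that fans out to the local and the remote directory, and NSS is pointed at that one server only, so nsswitch.conf needs the `ldap` service exactly once. All hostnames, suffixes and file paths are constructed placeholders; the directive names (`database meta`, `uri`, `suffixmassage`) are those of the OpenLDAP back-meta backend, but check them against the slapd-meta(5) page of the OpenLDAP version actually installed, since the exact spelling of per-target options has changed between releases.

```conf
# --- slapd.conf fragment on the host that NSS will query (constructed example) ---
# Assumed layout: the local directory holds its entries under
# dc=local,dc=example,dc=com, the remote one under dc=remote,dc=example,dc=com.
# Both are presented under one virtual suffix, dc=example,dc=com.
# (moduleload lines are only needed if slapd was built with dynamic backends.)
moduleload      back_ldap.la
moduleload      back_meta.la

database        meta
suffix          "dc=example,dc=com"

# Target 1: the slapd running on this machine.
uri             "ldap://localhost/ou=local,dc=example,dc=com"
suffixmassage   "ou=local,dc=example,dc=com"  "dc=local,dc=example,dc=com"

# Target 2: the remote server (placeholder hostname).
uri             "ldap://ldap.remote.example.com/ou=remote,dc=example,dc=com"
suffixmassage   "ou=remote,dc=example,dc=com" "dc=remote,dc=example,dc=com"

# --- /etc/nslcd.conf (nss-ldapd), constructed example ---
# A subtree search from the virtual suffix is forwarded to both targets and
# the results are merged, so a user missing locally is still found remotely.
uri             ldap://localhost/
base            dc=example,dc=com
base   passwd   dc=example,dc=com
base   group    dc=example,dc=com

# --- /etc/nsswitch.conf, constructed example: the ldap module appears once ---
passwd:         files ldap
group:          files ldap
shadow:         files ldap
```

Two practical notes: the meta backend only merges what it can reach, so a dead remote target makes lookups for remote-only accounts fail rather than fall back, and nslcd's timeouts (and the ordering of `files` before `ldap`) are what keep local logins working in that case; and because a single nslcd now talks to a single server, the credentials and TLS settings that previously lived in two separate nss_ldap config files are consolidated in the meta database's per-target options, which is worth reviewing so the remote bind identity is not inadvertently given more rights than the old remote-only configuration had.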