public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: Tobias Wendorff <tobias.wendorff@tu-dortmund.de>
Cc: cygwin@cygwin.com
Subject: Re: observation: masses of requests to LDAP
Date: Sun, 22 Jan 2023 20:26:46 +0100
Message-ID: <Y82N9hq9zZW0quXs@calimero.vinschen.de>
In-Reply-To: <ae73845c-b970-37ab-f429-65b15cf8540c@tu-dortmund.de>

On Jan 22 15:32, Tobias Wendorff via Cygwin wrote:
> Hi there,
> 
> our IT department has informed me that masses of requests are being sent
> from my computer to our two LDAP servers on port 389. After a detailed
> investigation, the problem could be clearly traced back to "cygwin".
> 
> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.
> 
> Sorry, I am _not_ going to release "cygcheck.out" to public, since it
> contains sensitive information about the domain and its groups and
> memberships.
> 
> Even after reinstalling cygwin from another server, the problem still
> appears. Could it be that this is part of an attack?

No, it's working as designed.  User info is fetched from AD via LDAP.
If it's an overwhelming number of LDAP requests, I suspect you're
often calling Cygwin processes from Windows directly, e.g., from
CMD or powershell.  The number of LDAP requests should be much
reduced when working from a Cygwin shell, e.g., from bash in mintty
due to user and group info caching within a Cygwin process tree
(Cygwin child processes get the cached info from their Cygwin parent).

If you want to reduce LDAP access even further, you can either
go back to creating local /etc/passwd and /etc/group files and
change /etc/nsswitch.conf accordingly(*), or you can start cygserver
as a service in background(**).


HTH,
Corinna

(*)  https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
(**) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-caching
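
An added example, not part of the original message or of Cygwin itself: a small shell helper that checks whether a Cygwin nsswitch.conf still lets passwd/group lookups fall through to AD (the "db" source) and, if wanted, pins both to local files. The function names and the sample path are hypothetical; it assumes Cygwin's documented default of "files db" when a key is absent or commented out, and that /etc/passwd and /etc/group have already been populated (e.g. with mkpasswd and mkgroup).

```shell
#!/bin/sh
# Added example: audit/adjust passwd and group sources in a Cygwin
# nsswitch.conf. Function names are hypothetical, not Cygwin tools.

# Print the effective source list for KEY ($2) in FILE ($1).
# Assumption: a missing or commented-out key means the default "files db".
nss_sources() {
    awk -v key="$2" '
        { sub(/#.*/, ""); i = index($0, ":"); if (!i) next   # skip comments
          k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
          if (k == key) {
              v = substr($0, i + 1)
              gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
              val = v                                        # last entry wins
          } }
        END { print (val == "" ? "files db" : val) }
    ' "$1"
}

# Succeed (exit 0) if passwd or group lookups can still reach AD via "db".
nss_uses_db() {
    for key in passwd group; do
        case " $(nss_sources "$1" "$key") " in
            *" db "*) return 0 ;;
        esac
    done
    return 1
}

# Rewrite FILE so passwd and group are served from local files only.
# Other settings and all comments are preserved.
nss_set_files_only() {
    tmp="$1.new.$$"
    awk '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line ~ /^(passwd|group)[ \t]*:/ { next }   # drop active entries
        { print }
        END { print "passwd: files"; print "group: files" }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Optional audit mode: pass a path, e.g. /etc/nsswitch.conf
if [ -n "${1:-}" ]; then
    if nss_uses_db "$1"; then echo "$1: AD/LDAP lookups possible"
    else echo "$1: local files only"; fi
fi
```

Run the audit against a copy first; with "files" only, accounts missing from the local files will no longer resolve to names.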

Thread overview: 3+ messages
2023-01-22 14:32 Tobias Wendorff
2023-01-22 19:24 ` Brian Inglis
2023-01-22 19:26 ` Corinna Vinschen [this message]
