nslcd complains about / in groupnames

Bug #841660 reported by Klavs Klavsen
This bug affects 1 person
Affects: nss-pam-ldapd (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hosts using nslcd (and nss-ldapd) complain about group names with / in them:
nslcd[13021]: [3693ee] group entry cn=mount_test/prod,ou=Group,dc=u,dc=net contains invalid group name: "mount_test/prod"

There's no such problem with nscd/nss-ldap. I haven't been able to find any documentation on what is actually "officially supported" - but there was no problem creating these groups in openldap - and it's usually pretty good at vetting what it allows - so it seems it is an allowed group name.

I was hoping you could fix the "isvalidname" or whatever function is used to check group names - to allow /.

Arthur de Jong (adejong)
affects: nss-ldapd (Ubuntu) → nss-pam-ldapd (Ubuntu)
Arthur de Jong (adejong) wrote :

nss-pam-ldapd has reasonably strict checking of user and group names to avoid problematic users existing by accident on the system. Version 0.8.2 introduces the validnames option that allows you to set a regular expression that will be used to filter valid names.

Note that nslcd is completely separate from nscd. libnss-ldapd requires nslcd and recommends nscd to ease the load on the LDAP server. libnss-ldap doesn't use nslcd and also recommends nscd for the same reason.

Klavs Klavsen (kl-vsen) wrote :

Well - the validnames option only appears in the config file for v0.8.2 of nslcd.conf.

I realize the difference between nslcd and nscd - another sysadmin switched our Ubuntu 10.04 installs to using libpam-ldapd (which requires nslcd) to fix some problem with the old package - which I cannot replicate and he cannot remember entirely :)

The version in Ubuntu Lucid is unfortunately 0.7.2 - so the very welcome validnames option in v0.8.2 is really not helpful, as I can only run LTS versions in my production environment.

Would you welcome a patch against the 0.7.2 package, which added the validnames option ?

Arthur de Jong (adejong) wrote : Re: [Bug 841660] Re: nslcd complains about / in groupnames

On Tue, 2011-09-06 at 06:23 +0000, Klavs Klavsen wrote:
> The version in Ubuntu Lucid is unfortunately 0.7.2 - so the very welcome
> validnames option in v0.8.2 is really not helpful, as I can only run LTS
> versions in my production environment.
>
> Would you welcome a patch against the 0.7.2 package, which added the
> validnames option ?

I'm not responsible for the Ubuntu package (I'm upstream) so can't
comment on that part but the implementation of the validnames option in
the 0.8 series is here:
  http://arthurdejong.org/viewvc/nss-pam-ldapd/?revision=1411&view=revision
with another small change here:
  http://arthurdejong.org/viewvc/nss-pam-ldapd/?revision=1419&view=revision

Another option would be to just allow the slash in nslcd/common.c.

If Ubuntu is considering updating this package in their LTS release
anyway it may also be a good idea to look at all the other things that
have been fixed in the 0.7 series. Quite a few bugs were fixed and
Debian ships 0.7.13 in stable which is much better tested than 0.7.2.

Thanks,

--
-- arthur - <email address hidden> - http://people.debian.org/~adejong --
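
One way to vet a candidate validnames pattern before relaxing it to allow "/", as an added example that is not part of this bug thread or of nss-pam-ldapd. Both patterns, the sample names and the helpers `accepts` and `audit` are constructed for illustration; it assumes the pattern is a POSIX extended regular expression, which `grep -E` also implements.

```shell
#!/bin/sh
# Added example (not nss-pam-ldapd code): test a candidate validnames regex
# against names before putting it into nslcd.conf. grep -E uses POSIX
# extended regular expressions; -i stands in for a trailing "i" flag.

# Both patterns are constructed for this example, not package defaults.
# LOOSE simply adds "/" to the allowed character class.
LOOSE='^[a-z0-9._/-]+$'
# STRICT permits "/" only between segments that begin and end with [a-z0-9_].
SEG='[a-z0-9_]+([.-][a-z0-9_]+)*'
STRICT="^$SEG(/$SEG)*\$"

# accepts PATTERN NAME: exit status 0 when NAME matches PATTERN.
accepts() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Constructed sample names, one per line. Which names count as unwanted
# is an assumption of this example.
WANTED='mount_test/prod
backup.ops
web-01'
UNWANTED='../shadow
/etc/passwd
a/../b
a//b
prod/
-rf'

# audit PATTERN: report every mismatch, return 1 if there was any.
audit() {
    bad=0
    while IFS= read -r name; do
        accepts "$1" "$name" || { echo "rejects wanted: $name"; bad=1; }
    done <<EOF
$WANTED
EOF
    while IFS= read -r name; do
        if accepts "$1" "$name"; then echo "accepts unwanted: $name"; bad=1; fi
    done <<EOF
$UNWANTED
EOF
    return "$bad"
}

for p in "$LOOSE" "$STRICT"; do
    echo "pattern: $p"
    audit "$p" && echo "ok"
done
```

The loose pattern accepts "mount_test/prod" but also every unwanted name built only from its character class, while the segment-based pattern accepts the group from this report and rejects all six.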
