Alexander Gretha writes:
> > Post your authldaprc configuration, and a sample LDAP record.
> >
> > The response from authlib indicates that the account's UID/GID are to be
> > taken from an existing system account's userid and groupid. The system
> > account does not exist.
> >
> > This should be fairly easy to solve.
>
> Thanks for your answer. As I see from your answer, the uid/gid have to be existing uids/gids on the system (now). Up to now I have been using 10000/10000 (which are nonexistent) for my virtual domains and the real Unix uids/gids for my local domains. I thought from a security point of view a nonexistent account is even better than a non-privileged account. So with the new authlib this construct will (by design) not work any longer?
From a security point it is irrelevant. All that means is that the uid/gid
cannot be mapped to a name, and it is not possible to login to that uid.
But there still may be an issue with the LDAP driver. You directed my attention to a certain specific code fragment, and I think there's a problem there.
In authldaplib.c, near line 1320, replace:
    if (auth.sysusername == 0)
        auth.sysusername=auth.address="";

with:

    if (auth.sysusername == 0)
        auth.sysusername="";
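The defect in the replaced line is the chained assignment: `auth.sysusername=auth.address="";` writes the empty string into both fields, so a record that merely lacks a system user name also loses the address that was being authenticated. The following is an added illustration, not code from courier-authlib; the struct and function names are hypothetical stand-ins holding only the two fields the fragment touches, and the sample address is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the authlib account record (NOT the real
 * courier-authlib struct): only the two fields the fragment above touches. */
struct authinfo_sample {
    const char *sysusername; /* system account name; NULL when uid/gid are given directly */
    const char *address;     /* login name / e-mail address being authenticated */
};

/* Original line: the chained assignment stores "" in BOTH fields, so a
 * record with no sysusername also has its address blanked. */
void apply_default_buggy(struct authinfo_sample *auth)
{
    if (auth->sysusername == 0)
        auth->sysusername = auth->address = "";
}

/* Fixed line: only sysusername receives the empty default. */
void apply_default_fixed(struct authinfo_sample *auth)
{
    if (auth->sysusername == 0)
        auth->sysusername = "";
}

#define SAMPLE_ADDRESS "user@virtual.example" /* constructed sample value */

/* Returns 1 if the address survives the defaulting step, 0 if it was clobbered. */
int address_preserved(void (*apply)(struct authinfo_sample *))
{
    struct authinfo_sample auth = { 0, SAMPLE_ADDRESS };
    apply(&auth);
    return auth.address != NULL && strcmp(auth.address, SAMPLE_ADDRESS) == 0;
}

/* Returns 1 if sysusername was defaulted to the empty string (what both versions intend). */
int sysusername_defaulted(void (*apply)(struct authinfo_sample *))
{
    struct authinfo_sample auth = { 0, SAMPLE_ADDRESS };
    apply(&auth);
    return auth.sysusername != NULL && auth.sysusername[0] == '\0';
}

int main(void)
{
    printf("buggy: address preserved=%d, sysusername defaulted=%d\n",
           address_preserved(apply_default_buggy), sysusername_defaulted(apply_default_buggy));
    printf("fixed: address preserved=%d, sysusername defaulted=%d\n",
           address_preserved(apply_default_fixed), sysusername_defaulted(apply_default_fixed));
    return 0;
}
```

Running it shows the buggy version reporting `address preserved=0` while the fixed version keeps the address and still defaults `sysusername`, which is the behaviour the one-line patch restores.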
