Package: nslcd
Version: 0.8.10-4
Severity: normal
File: /usr/share/man/man5/nslcd.conf.5.gz
Tags: patch
Usertags: fetons-linux.ch-authentication

Hi there,

this could be considered a follow-up for #610925 ;-)

I was adding LDAP authentication against services (i.e. PADL's pam_ldap's
pam_check_service_attr) using the example in nslcd.conf.5:

--8<---------------cut here---------------start------------->8---
pam_authz_search FILTER

    For example, to check that the user has a proper authorizedService
    value if the attribute is present (this almost emulates the
    pam_check_service_attr option in PADL's pam_ldap):

        (&(objectClass=posixAccount)(uid=$username)\
          (|(authorizedService=$service)(!(authorizedService=*))))
--8<---------------cut here---------------end--------------->8---

However, the above allows authentication for users missing the attribute
and indeed the correct filter for `ldapsearch -x` seems to be...

    (&(objectClass=posixAccount)(uid=$username)\
      (|(authorizedService=$service)(!(authorizedService=\\*))))

...which translates to the following nslcd filter:

    (&(objectClass=posixAccount)(uid=$username)\
      (|(authorizedService=$service)(!(authorizedService=\\\\*))))

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libldap-2.4-2          2.4.31-1+nmu2

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  host                        1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  ldap-utils                  2.4.31-1+nmu2
ii  libnss-ldapd [libnss-ldap]  0.8.10-4
ii  libpam-ldapd [libpam-ldap]  0.8.10-4
pn  nscd                        <none>

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf information:
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: simple
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.fetons-linux.ch
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: [REMOVED]
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=fetons-linux,dc=ch
  nslcd/ldap-sasl-authzid:
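
Added example, not part of the original report and not nslcd code: an evaluator for the filter operators used above, run over constructed entries, showing which users the man page's `pam_authz_search` filter admits when `authorizedService` is absent. The `STRICT` filter, the entries and all function names are assumptions for illustration; LDAP's case-insensitive matching and nslcd's escaping of substituted values are not modelled.

```python
# Evaluates an RFC 4515 filter subset: &, |, !, equality and presence (attr=*).
MANPAGE = ("(&(objectClass=posixAccount)(uid=$username)"
           "(|(authorizedService=$service)(!(authorizedService=*))))")
# Assumed stricter variant: the attribute must be present and must match.
STRICT = "(&(objectClass=posixAccount)(uid=$username)(authorizedService=$service))"

def parse(f, i=0):
    """Return (node, next_index) for the filter that starts at f[i]."""
    assert f[i] == "(", f"expected '(' at {i}"
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i] == "!":
        kid, i = parse(f, i + 1)
        node = ("!", kid)
    else:
        j = f.index(")", i)
        attr, value = f[i:j].split("=", 1)
        node, i = ("=", attr, value), j
    assert f[i] == ")", f"expected ')' at {i}"
    return node, i + 1

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    return bool(values) if node[2] == "*" else node[2] in values

def authorized(template, entry, username, service):
    # Plain substitution; the constructed values below need no escaping.
    flt = template.replace("$username", username).replace("$service", service)
    node, _ = parse(flt)
    return matches(node, entry)

# Constructed entries; carol has no authorizedService attribute at all.
USERS = {u: {"objectClass": ["posixAccount"], "uid": [u], **extra}
         for u, extra in (("alice", {"authorizedService": ["sshd"]}),
                          ("bob", {"authorizedService": ["imap"]}),
                          ("carol", {}))}

if __name__ == "__main__":
    for name, tpl in (("man page", MANPAGE), ("strict", STRICT)):
        print(name, {u: authorized(tpl, e, u, "sshd") for u, e in USERS.items()})
```

With the man page filter, the entry without the attribute passes the authorization search for `sshd`; with the assumed strict filter it does not.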