Package: nslcd
Version: 0.8.10-4
Severity: normal
File: /usr/share/man/man5/nslcd.conf.5.gz
Tags: patch
Usertags: fetons-linux.ch-authentication

Hi there,

this could be considered a follow-up for #610925 ;-)

I was adding LDAP authentication against services (i.e. PADL's
pam_ldap's pam_check_service_attr) using the example in nslcd.conf.5:

--8<---------------cut here---------------start------------->8---
pam_authz_search FILTER

       For example, to check that the user has a proper
       authorizedService value if the attribute is present (this almost
       emulates the pam_check_service_attr option in PADL's pam_ldap):

       (&(objectClass=posixAccount)(uid=$username)\
         (|(authorizedService=$service)(!(authorizedService=*))))
--8<---------------cut here---------------end--------------->8---

However, the above allows authentication for users missing the attribute
and indeed the correct filter for `ldapsearch -x` seems to be...

  (&(objectClass=posixAccount)(uid=$username)\
    (|(authorizedService=$service)(!(authorizedService=\\*))))

...which translates to the following nslcd filter:

  (&(objectClass=posixAccount)(uid=$username)\
    (|(authorizedService=$service)(!(authorizedService=\\\\*))))

Thx, bye,
Gismo / Luca
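To make the filter semantics concrete, here is an added example (not from the bug report, nslcd or pam_ldap) with a minimal RFC 4515 filter evaluator. The directory entries, the hex-escaped form (`\2a` is RFC 4515's escape for a literal `*`) and the STRICT template are my own constructions. It shows that negating a presence test `(authorizedService=*)` matches a user that has no authorizedService at all, that negating an equality on an escaped literal `*` also matches such a user, and that only a filter without the negated branch denies them.

```python
import re
# Constructed sample directory entries; not taken from the bug report.
ENTRIES = {
    "alice": {"objectClass": ["posixAccount"], "uid": ["alice"], "authorizedService": ["sshd"]},
    "bob": {"objectClass": ["posixAccount"], "uid": ["bob"]},  # attribute absent
}

def unescape(value):
    # Decode RFC 4515 \XX hex escapes, e.g. '\2a' -> a literal '*'.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(s, i=0):
    """Recursive-descent parser for (&..), (|..), (!..) and (attr=value)."""
    i += 1                                # skip '('
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val == "*":                        # a bare '*' is a presence test
        return bool(values)
    # any other '*' is a substring wildcard; escapes are decoded per piece
    pattern = ".*".join(re.escape(unescape(p)) for p in val.split("*"))
    return any(re.fullmatch(pattern, v) for v in values)

def authorized(template, username, service):
    """Substitute nslcd's $username/$service and evaluate against that user."""
    flt = template.replace("$username", username).replace("$service", service)
    return matches(parse(flt)[0], ENTRIES[username])

MANPAGE = ("(&(objectClass=posixAccount)(uid=$username)"
           "(|(authorizedService=$service)(!(authorizedService=*))))")
ESCAPED = MANPAGE.replace("=*)", "=\\2a)")   # negate a literal '*' value instead
STRICT = "(&(objectClass=posixAccount)(uid=$username)(authorizedService=$service))"
```

With these entries, `authorized(MANPAGE, "bob", "sshd")` and `authorized(ESCAPED, "bob", "sshd")` both return True for the user without the attribute, while `authorized(STRICT, "bob", "sshd")` returns False and alice is still admitted for sshd and refused for any other service.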

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libldap-2.4-2          2.4.31-1+nmu2

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  host                        1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  ldap-utils                  2.4.31-1+nmu2
ii  libnss-ldapd [libnss-ldap]  0.8.10-4
ii  libpam-ldapd [libpam-ldap]  0.8.10-4
pn  nscd                        <none>

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf information:
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: simple
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.fetons-linux.ch
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: [REMOVED]
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=fetons-linux,dc=ch
  nslcd/ldap-sasl-authzid:
