Package: nslcd
Version: 0.7.13
Severity: normal

Hi there!
This bug is a (sort of) follow-up for #610888 (thank you Arthur for the quick reply).

According to the nslcd.conf manpage [1], the pam_check_host_attr option in PADL's pam_ldap can be emulated with the following filter for pam_authz_search:

  (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(!(host=*))))

[1] <http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search>

However, the result is not the same as with the default behavior of pam_check_host_attr, at least for 2 reasons:

1) 'host=*' is not honoured

I am not an LDAP expert and I could not find any documentation (authoritative or not) about the accepted values for this LDAP attribute, so I do not know who is at fault here. FWIW, the Debian wiki publicises 'host=*' as a valid entry in the "Allowing logins on a per-host basis" section at <http://wiki.debian.org/LDAP/PAM>.

After having tested with `ldapsearch -x`, I ended up with

  (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\*)))

However, this seems not to work and nslcd translates it as:

  myldap_search(base="dc=pca,dc=it", \
    filter="(&(objectClass=posixAccount)(uid=$username)\
    (|(host=$hostname)(host=*)))")

As you can see, nslcd removes the escape, and the correct result is obtained with a double escape in nslcd.conf:

  (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\\*)))

I could not find any documentation about escaping in the pam_authz_search filter...

2) the variable $hostname contains the value of `hostname` and not the FQDN like with PADL's pam_ldap, thus a tricky filter must be used:

  (&(objectClass=posixAccount)(uid=$username)\
    (|(host=$hostname)(host=$hostname.$DOMAIN)(!(host=*))))

Again, the major problem resides in the definition of the LDAP 'host' attribute, i.e. if FQDNs *must* be used or not.

BTW, I was expecting any PAM-related output to be in /var/log/auth.log, until I realized that nslcd logs to /var/log/syslog.
Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.38           Debian configuration management sy
ii  libc6                   2.11.2-9         Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libldap-2.4-2           2.4.23-7         OpenLDAP libraries

Versions of packages nslcd recommends:
ii  libnss-ldapd [libnss-ldap]  0.7.13       NSS module for using LDAP as a nam
ii  libpam-ldapd [libpam-ldap]  0.7.13       PAM module for using LDAP as an au
pn  nscd                        <none>       (no description available)

Versions of packages nslcd suggests:
pn  kstart                      <none>       (no description available)

-- debconf information:
  nslcd/ldap-starttls: false
  nslcd/ldap-reqcert: *
  nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-binddn: *
  nslcd/ldap-base: dc=pca,dc=it
[Attachment: pgpV465TU9YHS.pgp (PGP signature)]
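The following is an added example, not code from the bug report or from nslcd, that models the two effects the report describes: the single level of backslash unescaping nslcd applies when it reads the pam_authz_search filter from nslcd.conf, and the expansion of $username/$hostname before the filter reaches the server. It then evaluates the resulting filter against a small constructed set of directory entries with a toy RFC 4515 evaluator (only &, |, !, equality, presence and substring assertions, plus the `\*` escape form the report used with ldapsearch). The entries, the domain `example.org` and the name `web01` are constructed; the unescaping rule is taken from the behaviour the report observes, not from nslcd's source. It shows why a single `\*` collapses into a presence filter that authorizes every user with any host value, why `host=*` and FQDN hosts are missed by the manpage filter, and why the double escape fixes the first of those.

```python
"""Model of how a pam_authz_search filter travels from nslcd.conf to the LDAP
server, and what it matches. Added example, not nslcd code: the config
unescaping step is modelled on the behaviour described in the bug report
(one backslash level removed), and the evaluator is a small RFC 4515 subset."""
import re

# Constructed directory entries; the 'host' values cover the four cases the
# report cares about: literal '*', short hostname, FQDN, and no host at all.
ENTRIES = [
    {"uid": ["alice"], "objectClass": ["posixAccount"], "host": ["*"]},
    {"uid": ["bob"],   "objectClass": ["posixAccount"], "host": ["web01"]},
    {"uid": ["carol"], "objectClass": ["posixAccount"], "host": ["web01.example.org"]},
    {"uid": ["dave"],  "objectClass": ["posixAccount"]},
]

# Filter templates as they would be written in nslcd.conf (taken from the
# report); DOMAIN is a constructed stand-in for the site's own domain.
DOMAIN = "example.org"
MANPAGE_FILTER = r"(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(!(host=*))))"
SINGLE_ESCAPE_FILTER = r"(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\*)))"
DOUBLE_ESCAPE_FILTER = r"(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\\*)))"
FQDN_FILTER = (r"(&(objectClass=posixAccount)(uid=$username)"
               r"(|(host=$hostname)(host=$hostname." + DOMAIN + r")(!(host=*))))")


def unescape_config_value(value):
    """One level of backslash removal, as the report observes nslcd doing when
    it reads the filter: '\\*' becomes '*', '\\\\*' becomes '\\*'."""
    return re.sub(r"\\(.)", r"\1", value)


def filter_sent_to_ldap(config_filter, username, hostname):
    """Config unescaping, then $username/$hostname expansion: the string that
    would show up in nslcd's myldap_search() debug line."""
    expanded = unescape_config_value(config_filter)
    return expanded.replace("$username", username).replace("$hostname", hostname)


def parse_filter(s, pos=0):
    """Recursive-descent parser for the subset used here: &, |, ! and
    attr=value. Values may not contain an escaped ')' in this toy parser."""
    pos += 1                                    # skip '('
    if s[pos] in "&|":
        op, pos, kids = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            kids.append(node)
        return (op, kids), pos + 1              # skip ')'
    if s[pos] == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("!", node), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def unescape_filter_value(v):
    """RFC 4515 '\\XX' hex escapes plus the '\\*' form the report used with
    ldapsearch; both yield the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  v)


def match_assertion(entry, attr, raw):
    values = entry.get(attr, [])
    if raw == "*":                              # presence filter: any value at all
        return bool(values)
    parts = [unescape_filter_value(p) for p in re.split(r"(?<!\\)\*", raw)]
    if len(parts) == 1:                         # equality; host compares case-insensitively
        return any(v.lower() == parts[0].lower() for v in values)
    pattern = "^" + ".*".join(re.escape(p) for p in parts) + "$"   # substring assertion
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)


def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1], entry)
    return match_assertion(entry, node[1], node[2])


def authorized(config_filter, username, hostname, entries=ENTRIES):
    """True when pam_authz_search would find at least one matching entry."""
    node, _ = parse_filter(filter_sent_to_ldap(config_filter, username, hostname))
    return any(evaluate(node, e) for e in entries)


if __name__ == "__main__":
    for name, f in [("manpage", MANPAGE_FILTER), ("single escape", SINGLE_ESCAPE_FILTER),
                    ("double escape", DOUBLE_ESCAPE_FILTER), ("fqdn", FQDN_FILTER)]:
        print(name, {e["uid"][0]: authorized(f, e["uid"][0], "web01") for e in ENTRIES})
```

Running the block on host `web01` shows the single-escape variant authorizing carol (whose only host is the FQDN) purely because she has some host attribute, which is the over-permissive outcome an administrator would want to catch before deploying the filter; the double-escape variant restricts that clause to the literal `*` value again.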

