Package: libnss-ldapd
Version: 0.6.7.1
Severity: grave
Justification: causes non-serious data loss
Hello.
I've got a problem with libnss-ldpad package. In my environment, any
(non-root) local user can break normal work of any other user.
The problem is, nss-ldapd makes strange things with case of uids. For
example:
bash$ id
uid=NNN(sasha) gid=ZZZ(zzz) groups=...
bash$ id SasHa
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
bash$ id
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
bash$ id sasha
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
bash$ id
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
So, nss now thinks that I'm SasHa, not sasha. As a result, when I run
"ssh otherhost" it does not work (just because pam can't authorise
SasHa, it knows only sasha). In the same way, all other Kerberos
services stop working for me.
I see 2 problems here:
1. The only way to "revert" me from SasHa back to sasha is LONG timeout
or "nscd -i passwd" from root. Both ways may be unavailable.
2. ANY USER may call "id SasHa" on this machine, and the other user will
get his things broken.
Looking on changelog, I see this problem fixed in version 0.6.11:
Changes: This release fixes a couple of bugs in the username to group mapping
and a problem with too many uidNumber or uidNumber attributes in the LDAP
server. Name lookups are now also case-sensitive for group, netgroup, passwd,
protocols, RPC, services, and shadow maps.
I've tried libnss-ldapd=0.7.1 (sources from sid, compiled on lenny) and
it works perfectly. It will be nice to get this problem fixed in the
next stable update.
Thank you for your work,
Alexandra.
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libnss-ldapd depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
Versions of packages libnss-ldapd recommends:
ii libpam-ldap 184-4.2 Pluggable Authentication Module fo
ii nscd 2.7-18 GNU C Library: Name Service Cache
libnss-ldapd suggests no packages.
-- debconf information:
* libnss-ldapd/ldap-base: dc=oktetlabs,dc=ru
* libnss-ldapd/nsswitch: passwd, group, shadow
* libnss-ldapd/ldap-binddn:
* libnss-ldapd/ldap-uris: ldap://ldap.oktetlabs.ru/ ldap://ldaps.oktetlabs.ru/
libnss-ldapd/clean_nsswitch: false
--
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: [email protected]
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
