On Mon, 2009-10-26 at 11:28 +0300, Alexandra N. Kossovsky wrote:
> I've got a problem with the libnss-ldapd package. In my environment, any
> (non-root) local user can break the normal work of any other user.
>
> The problem is, nss-ldapd does strange things with the case of uids. For
> example:
> bash$ id
> uid=NNN(sasha) gid=ZZZ(zzz) groups=...
> bash$ id SasHa
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
> bash$ id
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
> bash$ id sasha
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
> bash$ id
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
>
> So, nss now thinks that I'm SasHa, not sasha. As a result, when I run
> "ssh otherhost" it does not work (just because pam can't authorise
> SasHa, it knows only sasha). In the same way, all other Kerberos
> services stop working for me.
The problem is actually more in nscd, in that it does not handle cases
elegantly where username -> uid lookups result in the same uid for
different usernames (it caches information from the forward lookup for
the reverse lookup). Btw, the same issue is also in nss_ldap and
probably in more naming services that are case-insensitive.

> Looking at the changelog, I see this problem fixed in version 0.6.11:
> Changes: This release fixes a couple of bugs in the username to group
> mapping and a problem with too many uidNumber or uidNumber attributes
> in the LDAP server. Name lookups are now also case-sensitive for
> group, netgroup, passwd, protocols, RPC, services, and shadow maps.
>
> I've tried libnss-ldapd=0.7.1 (sources from sid, compiled on lenny) and
> it works perfectly. It would be nice to get this problem fixed in the
> next stable update.

The change can be found here:
http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=934
but I haven't yet checked whether it can be applied to 0.6.7 cleanly. I
don't think I've seen any regressions due to that change (I'll have to
check more thoroughly though). I will ask the stable release team their
opinion on whether this qualifies for an update in a point release.

Thanks for using nss-ldapd.

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
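A toy model of the interaction described in the thread (a case-insensitive directory, a cache that fills its uid->name table from name->uid answers, and the case-sensitive lookup that the 0.6.11 changelog describes). This is an added illustration, not code from nss-pam-ldapd or nscd; the directory contents, the uid numbers and the assumption that the buggy lookup echoed the requested spelling back are all constructed for the example.

```python
# Constructed directory: canonical login names and made-up uid numbers.
DIRECTORY = {"sasha": 1000, "bob": 1001}


def ldap_lookup(name):
    """Model of the pre-0.6.11 behaviour (assumption): the LDAP search on
    uid=<name> matches case-insensitively and the module hands back the
    spelling the caller asked for, not the entry's own spelling."""
    for entry, uid in DIRECTORY.items():
        if entry.lower() == name.lower():
            return name, uid  # echoes the caller's spelling
    return None


def ldap_lookup_strict(name):
    """Case-sensitive variant, as the 0.6.11 changelog describes: an entry
    is only returned when its name matches the request exactly."""
    for entry, uid in DIRECTORY.items():
        if entry.lower() == name.lower() and entry == name:
            return entry, uid
    return None


class NameCache:
    """Toy nscd: caches passwd answers and, like nscd, also fills the
    uid->entry table from a successful name lookup."""

    def __init__(self, backend):
        self.backend = backend
        self.by_name = {}
        self.by_uid = {}

    def getpwnam(self, name):
        if name not in self.by_name:
            res = self.backend(name)
            if res is None:
                return None
            self.by_name[name] = res
            self.by_uid[res[1]] = res  # reverse table now holds this spelling
        return self.by_name[name]

    def getpwuid(self, uid):
        if uid not in self.by_uid:
            for entry, euid in DIRECTORY.items():
                if euid == uid:
                    self.by_uid[uid] = (entry, uid)
        return self.by_uid.get(uid)


def whoami_after(cache, queried_name, my_uid=1000):
    """Run `id <queried_name>` and then a plain `id` for the process owning
    my_uid; return the name the second call reports."""
    cache.getpwnam(queried_name)
    return cache.getpwuid(my_uid)[0]
```

With the lenient backend, `whoami_after(NameCache(ldap_lookup), "SasHa")` reports "SasHa" for uid 1000, reproducing the sequence in the bug report; with the strict backend the lookup of "SasHa" fails and the reverse table keeps "sasha".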