[Bug 644632] [NEW] nssldap-update-ignoreusers needs to be configurable to ignore users
Joshua Kugler
joshua at joshuakugler.com
Tue Sep 21 20:08:01 BST 2010
Public bug reported:

Binary package hint: libnss-ldap

# lsb_release -rd
Description:    Ubuntu 10.04.1 LTS
Release:        10.04

# apt-cache policy libnss-ldap
libnss-ldap:
  Installed: 264-2ubuntu2
  Candidate: 264-2ubuntu2
  Version table:
 *** 264-2ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
     261-2.1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages

Currently, nssldap-update-ignoreusers can only be configured to ignore
users over a certain numeric UID. It blindly includes all users less
than the configured UID. However, this breaks our setup. We have some
system users (namely www-data and www-priv) that are in groups in LDAP.
Thus, when you query the 'Subversion' group, you get back a list that
includes www-priv. However, if you try to query the groups to which
www-priv belongs, it fails to return the correct groups because it
ignores www-priv, thus breaking privileges because the system then
thinks www-priv is not in the Subversion group.

The only workaround for now is to disable the run of
nssldap-update-ignoreusers.

I would work on a patch to facilitate configuring users to *not* include
in the ignore list if someone will commit to getting the patch accepted:
we don't really want to maintain our own branch of one file in a
package. :)

** Affects: libnss-ldap (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: ldap libnss lucid

--
nssldap-update-ignoreusers needs to be configurable to ignore users
https://bugs.launchpad.net/bugs/644632
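
The behaviour described in the report, as an added example (not code from the original post and not the package's own script): an ignore list built from every local account below a UID threshold, next to a variant with a keep list, plus a check for LDAP group members that the list would shadow. The keep-list argument, the function names, the sample passwd entries and the UID given to www-priv are assumptions constructed for illustration; the list corresponds to the nss_initgroups_ignoreusers value in nss_ldap's configuration.

```shell
#!/bin/sh
# Build a comma-separated ignore list from passwd-format lines on stdin.
#   $1 = minimum UID: every account with a lower UID goes into the list
#   $2 = comma-separated accounts to leave out (hypothetical keep list)
build_ignore_list() {
    awk -F: -v min="$1" -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        /^[#+-]/ || NF < 3 { next }    # comments, compat entries, malformed lines
        $3 !~ /^[0-9]+$/   { next }    # UID field must be numeric
        $3 + 0 < min + 0 && !($1 in skip) { out = out sep $1; sep = "," }
        END { print out }
    '
}

# Constructed sample input, not taken from a real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
www-priv:x:998:998::/var/www-priv:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Print group members that also appear in the ignore list. Their LDAP
# group memberships are skipped when the system looks up their groups.
#   $1 = ignore list, $2 = comma-separated members of one LDAP group
shadowed_members() {
    printf '%s\n' "$2" | tr ',' '\n' | while read -r m; do
        case ",$1," in *",$m,"*) printf '%s\n' "$m" ;; esac
    done
}

# Demo: UID-only list, then the same list with the two web accounts kept.
uid_only=$(sample_passwd | build_ignore_list 1000 "")
with_keep=$(sample_passwd | build_ignore_list 1000 "www-data,www-priv")
echo "uid-only list:  $uid_only"
echo "with keep list: $with_keep"
echo "shadowed in constructed Subversion group (uid-only):" \
     "$(shadowed_members "$uid_only" "alice,www-priv")"
```

Running the shadowed-member check against each LDAP group's member list before enabling the ignore list shows which local accounts would lose LDAP-granted group privileges.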