[Bug 644632] Re: nssldap-update-ignoreusers needs to be configurable to ignore users

Scott Moser smoser at canonical.com
Fri Apr 15 20:16:39 UTC 2011


Joshua,
  I've looked at your patch.  It took a while for me to fully understand what we have working in libnss-ldap to implement 'nss_initgroups_minimum_uid'.

  I have the following comments:
* The concept and implementation seem like it is fine to me (I've only reviewed, not tested, though).
* OKUSERS=`grep "^nss_initgroups_okusers " $CONF | tail -n 1 | awk '{print $2}'`
is better (faster) written as:
   OKUSERS=$(awk '$1 == "nss_initgroups_okusers" { v=$2 }; END { print v }' $CONF)
  I realize you just copied the format of 'MIN=', but both could be improved.
* You should update the man page nssldap-update-ignoreusers.8 as you're adding function there. We'd like it to be documented.
* It would be best if you created a debdiff (or bzr merge proposal). That would reduce the work for someone to pick this up.

Note:
it seems that upstream at least still has an interest in nss_initgroups_minimum_uid (http://bugzilla.padl.com/show_bug.cgi?id=341).  If we add 'nss_initgroups_okusers', via the same mechanism we're using for minimum_uid, we would need to then address merging the native support for that with our workaround.  That would possibly be a bit more hairy if we also had to address nss_initgroups_okusers.


** Bug watch added: PADL Bugzilla #341
   http://bugzilla.padl.com/show_bug.cgi?id=341

https://bugs.launchpad.net/bugs/644632

Title:
  nssldap-update-ignoreusers needs to be configurable to ignore users

Status in “libnss-ldap” package in Ubuntu:
  New

Bug description:
  Binary package hint: libnss-ldap

  # lsb_release -rd
  Description:    Ubuntu 10.04.1 LTS
  Release:        10.04

  # apt-cache policy libnss-ldap
  libnss-ldap:
    Installed: 264-2ubuntu2
    Candidate: 264-2ubuntu2
    Version table:
   *** 264-2ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
       261-2.1ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages

  Currently, nssldap-update-ignoreusers can only be configured to ignore
  users over a certain numeric UID.  It blindly includes all users less
  than the configured UID.  However, this breaks our setup.  We have
  some system users (namely www-data and www-priv) that are in groups in
  LDAP.  Thus, when you query the 'Subversion' group, you get back a
  list that includes www-priv.  However, if you try to query the groups
  to which www-priv belongs, it fails to return the correct groups
  because it ignores www-priv, thus breaking privileges because the
  system then thinks www-priv is not in the Subversion group.

  The only work around for now is to disable the run of nssldap-update-
  ignoreusers.

  I would work on a patch to facilitate configuring users to *not*
  include in the ignore list if someone will commit to getting the patch
  accepted: we don't really want to maintain our own branch of one file
  in a package. :)
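The following is an added example, not the nssldap-update-ignoreusers script shipped in the package and not Joshua's patch. It shows the two pieces discussed above in working shell: reading a key from ldap.conf with a single awk pass where the last occurrence wins (the replacement suggested for the `tail -n 1` pipeline), and building an ignore list of every user below nss_initgroups_minimum_uid while exempting the users named in a hypothetical nss_initgroups_okusers key. The config and passwd files are constructed samples written to temporary files, and okusers is assumed to be comma-separated like nss_initgroups_ignoreusers; the real script reads /etc/ldap.conf and /etc/passwd.

```sh
#!/bin/sh
# Added example: compute an nss_initgroups_ignoreusers list that honours a
# hypothetical nss_initgroups_okusers exemption. Not the package's script.

# Constructed sample of /etc/ldap.conf. minimum_uid appears twice on purpose
# so the "last occurrence wins" rule is visible.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
base dc=example,dc=com
nss_initgroups_minimum_uid 500
nss_initgroups_minimum_uid 1000
nss_initgroups_okusers www-data,www-priv
EOF

# Constructed sample of /etc/passwd: two system users that live in LDAP groups.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
www-priv:x:120:120:www-priv:/var/www:/bin/sh
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_PASSWD"' EXIT

# conf_value KEY FILE
# One awk pass; the last matching line wins, which is what
# "grep ... | tail -n 1 | awk '{print $2}'" did in three processes.
# Prints an empty string when the key is absent.
conf_value() {
    awk -v key="$1" '$1 == key { v = $2 } END { print v }' "$2"
}

# ignore_users CONF PASSWD
# Every account with uid < nss_initgroups_minimum_uid goes on the ignore
# list, except accounts listed in nss_initgroups_okusers (assumed
# comma-separated). A missing minimum_uid means nobody is ignored.
ignore_users() {
    min=$(conf_value nss_initgroups_minimum_uid "$1")
    ok=$(conf_value nss_initgroups_okusers "$1")
    awk -F: -v min="${min:-0}" -v ok="$ok" '
        BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $3 + 0 < min + 0 && !($1 in keep) { out = out (out ? "," : "") $1 }
        END { print out }' "$2"
}

# The line the real script would write into ldap.conf for this sample:
echo "nss_initgroups_ignoreusers $(ignore_users "$SAMPLE_CONF" "$SAMPLE_PASSWD")"
```

With the sample above the result is `nss_initgroups_ignoreusers root,daemon`: www-data and www-priv stay out of the ignore list even though their UIDs are below 1000, so initgroups() for www-priv will still consult LDAP and find the Subversion group.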
