[Bug 644632] Re: nssldap-update-ignoreusers needs to be configurable to ignore users

Jamie Strandboge jamie at ubuntu.com
Tue Apr 19 13:24:06 UTC 2011


TEST CASE (based on comment #84 from bug #155947):
1. apt-get install ldap-auth-client # pulls in libnss-ldap

2. configure ldap to use (via debconf):
ldap://127.0.0.1/
root requires a password: 'no'
everything else defaults

3. verify on fresh install nss_initgroups_ignoreusers is not present:
$ cat /etc/ldap.conf |grep "^nss" || echo "ok"
ok

4. run /etc/init.d/libnss-ldap stop and verify it populated ldap.conf
$ sudo /etc/init.d/libnss-ldap stop
 * Running nssldap-update-ignoreusers...                                 [ OK ]
$ cat /etc/ldap.conf |grep "^nss"
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data

5. add to /etc/ldap.conf the following:
nss_initgroups_okusers uucp,www-data

6. run /etc/init.d/libnss-ldap stop and verify it updated ldap.conf correctly:
$ sudo /etc/init.d/libnss-ldap stop
 * Running nssldap-update-ignoreusers...                                 [ OK ]
$ cat /etc/ldap.conf |grep "^nss"
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux

The groups listed were in a VM with ubuntu-desktop installed on Lucid.
To properly test this, the groups listed in step '5' should be compared
with the old libnss-ldap and the proposed libnss-ldap to make sure that
the groups are the same.

https://bugs.launchpad.net/bugs/644632

Title:
  nssldap-update-ignoreusers needs to be configurable to ignore users

Status in “libnss-ldap” package in Ubuntu:
  New

Bug description:
  Binary package hint: libnss-ldap

  # lsb_release -rd
  Description:    Ubuntu 10.04.1 LTS
  Release:        10.04

  # apt-cache policy libnss-ldap
  libnss-ldap:
    Installed: 264-2ubuntu2
    Candidate: 264-2ubuntu2
    Version table:
   *** 264-2ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
       261-2.1ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages

  Currently, nssldap-update-ignoreusers can only be configured to ignore
  users over a certain numeric UID.  It blindly includes all users less
  than the configured UID.  However, this breaks our setup.  We have
  some system users (namely www-data and www-priv) that are in groups in
  LDAP.  Thus, when you query the 'Subversion' group, you get back a
  list that includes www-priv.  However, if you try to query the groups
  to which www-priv belongs, it fails to return the correct groups
  because it ignores www-priv, thus breaking privileges because the
  system then thinks www-priv is not in the Subversion group.

  The only workaround for now is to disable the run of
  nssldap-update-ignoreusers.

  I would work on a patch to facilitate configuring users to *not*
  include in the ignore list if someone will commit to getting the patch
  accepted: we don't really want to maintain our own branch of one file
  in a package. :)
