[Bug 644632] Re: nssldap-update-ignoreusers needs to be configurable to ignore users
Jamie Strandboge
jamie at ubuntu.com
Tue Apr 19 13:26:27 UTC 2011
Based on the above test case, NAK on the current patch. It has a
trailing ')' in the OKUSERS line, does not output the correct
'nss_initgroups_ignoreusers' line (ie, uucp and www-data are still
listed) and the man page has not been updated.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/644632
Title:
nssldap-update-ignoreusers needs to be configurable to ignore users
Status in “libnss-ldap” package in Ubuntu:
New
Bug description:
Binary package hint: libnss-ldap
# lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
# apt-cache policy libnss-ldap
libnss-ldap:
Installed: 264-2ubuntu2
Candidate: 264-2ubuntu2
Version table:
*** 264-2ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
261-2.1ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages
Currently, nssldap-update-ignoreusers can only be configured to ignore
users over a certain numeric UID. It blindly includes all users less
than the configured UID. However, this breaks our setup. We have
some system users (namely www-data and www-priv) that are in groups in
LDAP. Thus, when you query the 'Subversion' group, you get back a
list that includes www-priv. However, if you try to query the groups
to which www-priv belongs, it fails to return the correct groups
because it ignores www-priv, thus breaking privileges because the
system then thinks www-priv is not in the Subversion group.
The only work around for now is to disable the run of nssldap-update-
ignoreusers.
I would work on a patch to facilitate configuring users to *not*
include in the ignore list if someone will commit to getting the patch
accepted: we don't really want to maintain our own branch of one file
in a package. :)
More information about the Ubuntu-sponsors
mailing list