[Bug 644632] Re: nssldap-update-ignoreusers needs to be configurable to ignore users
Scott Moser
smoser at canonical.com
Tue Apr 19 13:45:55 UTC 2011
sorry for mis-pasting.
OKUSERS=`awk -v vname=nss_initgroups_okusers '$1 == vname { v=$2 }; END { print v }' "${CONF}"`
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/644632
Title:
nssldap-update-ignoreusers needs to be configurable to ignore users
Status in “libnss-ldap” package in Ubuntu:
New
Bug description:
Binary package hint: libnss-ldap
# lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
# apt-cache policy libnss-ldap
libnss-ldap:
Installed: 264-2ubuntu2
Candidate: 264-2ubuntu2
Version table:
*** 264-2ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
261-2.1ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages
Currently, nssldap-update-ignoreusers can only be configured to ignore
users over a certain numeric UID. It blindly includes all users less
than the configured UID. However, this breaks our setup. We have
some system users (namely www-data and www-priv) that are in groups in
LDAP. Thus, when you query the 'Subversion' group, you get back a
list that includes www-priv. However, if you try to query the groups
to which www-priv belongs, it fails to return the correct groups
because it ignores www-priv, thus breaking privileges because the
system then thinks www-priv is not in the Subversion group.
The only work around for now is to disable the run of nssldap-update-
ignoreusers.
I would work on a patch to facilitate configuring users to *not*
include in the ignore list if someone will commit to getting the patch
accepted: we don't really want to maintain our own branch of one file
in a package. :)
More information about the Ubuntu-sponsors
mailing list