On Sat, Mar 29, 2008 at 12:04:39AM +0100, Arthur de Jong wrote:
> tags 472872 + pending
> thanks
> 
> First of all to reply to your earlier mail, reporting bugs is fine for
> me and makes it easy to track.
> 
> On Thu, 2008-03-27 at 10:24 +1100, Alex Samad wrote:
> > Seems like libnss-ldapd checks for object class by reading a
> > ldapobject in and then checking the objectclass attribute for a
> > specific record. On my ldap setup I do not allow for objectclass to be
> > read by any user; you can search. This causes this error to appear in
> > my syslog numerous times.
> >
> > The code is in 
> > myldap_has_objectclass in myldap.c
> 
> The reason that nss-ldapd does a lookup for the objectClass for each
> user entry is not to return password information if it is of type
> shadowAccount (it tries to return it with shadow instead).
Yep, understood that.
> 
> In any case exposing password hashes through NSS is a bad idea and not
> really needed for anything with pam_ldap.
> 
> Anyway, I've removed the warning message in svn and it shouldn't fill up
> your logs with the next release. (the warning message did not really add
> much to the functionality)
> 
> > I would presume a change to doing a ldapsearch and testing for a
> > positive result would be the solution (and I presume this is a lot
> > more expensive than checking the attributes array)
> 
> That would be a solution but not something I would want to implement. If
> it were some sort of search already I could add it but since this is an
> attribute lookup like any other.
Shouldn't be that hard to do; from my limited knowledge of looking at the
code, I guess at that point you already have the dn, so it should be as simple as
searching for (&(dn=<cached dn>)(objectclass=<value you are looking for>)):
if you get back 1 object (or more ??) then true, else false.
> 
> By the way, is there any specific reason why you don't want to allow
> lookups of objectClass of any entries?
It gives you access to which groups are available; for example you could
find out all the different group names that are available.

> 
> -- 
> -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --
-- 
"I have said that the sanction regime is like Swiss cheese -- that meant that 
they weren't very effective."

        - George W. Bush
02/22/2001
during a White House press conference

Attachment: signature.asc
Description: Digital signature
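To make the two approaches discussed in this thread concrete, here is an added, constructed model (not code from nss-ldapd or from either participant): an in-memory directory with an ACL that grants `search` but not `read` on `objectClass`, as in the reporter's setup. It contrasts reading the attribute back (what fails under such an ACL) with a base-scoped search on the cached DN using an `(objectClass=…)` filter, which only needs search access. The DNs, entries and ACL are all assumed sample data.

```python
"""Constructed model of an LDAP ACL that allows search but not read on objectClass."""

# Constructed directory: DN -> attribute values (sample data, not a real setup).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["posixAccount", "shadowAccount"],
        "uid": ["alice"],
        "userPassword": ["{SSHA}placeholder"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": ["posixAccount"],
        "uid": ["bob"],
    },
}

# Constructed ACL modelled on the reporter's server: objectClass may be used in a
# search filter ("search") but is never returned to the client (no "read");
# userPassword is neither readable nor searchable for ordinary binds.
ACL = {"objectClass": {"search"}, "uid": {"read", "search"}, "userPassword": set()}


def read_attribute(dn, attr):
    """Approach 1: fetch the attribute values from the entry, as an attribute
    lookup would. Returns None when the ACL hides the attribute, which the
    caller cannot tell apart from 'entry has no such attribute'."""
    entry = DIRECTORY.get(dn)
    if entry is None or "read" not in ACL.get(attr, set()):
        return None
    return list(entry.get(attr, []))


def has_objectclass_by_read(dn, wanted):
    values = read_attribute(dn, "objectClass")
    return values is not None and wanted.lower() in (v.lower() for v in values)


def base_scope_search(dn, attr, value):
    """Approach 2: a base-scoped search with the cached DN as search base and
    filter (attr=value). Only 'search' access to attr is needed; the server
    returns at most one entry, so the count is 0 or 1."""
    entry = DIRECTORY.get(dn)
    if entry is None or "search" not in ACL.get(attr, set()):
        return 0
    matches = value.lower() in (v.lower() for v in entry.get(attr, []))
    return 1 if matches else 0


def has_objectclass_by_search(dn, wanted):
    return base_scope_search(dn, "objectClass", wanted) == 1
```

Under this ACL the read-based check can never see `shadowAccount`, so it would silently treat every entry as a plain account, while the search-based check still classifies entries correctly without ever returning `objectClass` or `userPassword` to the client.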
