Your message dated Sun, 06 Oct 2019 12:53:59 +0200
with message-id <[email protected]>
and subject line Re: Bug#740662: nslcd: missing escaping in
pam_check_service_attr example
has caused the Debian Bug report #740662,
regarding nslcd: missing escaping in pam_check_service_attr example
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
740662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nslcd
Version: 0.8.10-4
Severity: normal
File: /usr/share/man/man5/nslcd.conf.5.gz
Tags: patch
Usertags: fetons-linux.ch-authentication
Hi there,
this could be considered a follow-up for #610925 ;-)
I was adding LDAP authentication against services (i.e. PADL's
pam_ldap's pam_check_service_attr) using the example in nslcd.conf.5:
--8<---------------cut here---------------start------------->8---
pam_authz_search FILTER
For example, to check that the user has a proper
authorizedService value if the attribute is present (this almost
emulates the pam_check_service_attr option in PADL's pam_ldap):
(&(objectClass=posixAccount)(uid=$username)\
(|(authorizedService=$service)(!(authorizedService=*))))
--8<---------------cut here---------------end--------------->8---
However, the above allows authentication for users missing the attribute
and indeed the correct filter for `ldapsearch -x` seems to be...
(&(objectClass=posixAccount)(uid=$username)\
(|(authorizedService=$service)(!(authorizedService=\\*))))
...which translates to the following nslcd filter:
(&(objectClass=posixAccount)(uid=$username)\
(|(authorizedService=$service)(!(authorizedService=\\\\*))))
Thx, bye,
Gismo / Luca
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nslcd depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u1
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u1
ii libldap-2.4-2 2.4.31-1+nmu2
Versions of packages nslcd recommends:
ii bind9-host [host] 1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii host 1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii ldap-utils 2.4.31-1+nmu2
ii libnss-ldapd [libnss-ldap] 0.8.10-4
ii libpam-ldapd [libpam-ldap] 0.8.10-4
pn nscd <none>
Versions of packages nslcd suggests:
pn kstart <none>
-- debconf information:
nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: simple
nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.fetons-linux.ch
nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: [REMOVED]
nslcd/ldap-sasl-authcid:
nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=fetons-linux,dc=ch
nslcd/ldap-sasl-authzid:
--- End Message ---
--- Begin Message ---
On Sun, 2014-05-04 at 20:34 +0200, Arthur de Jong wrote:
> The description in manual page could be a little clearer but the
> example should allow the authorisation to continue if no
> authorizedService attribute is present and only check the attribute
> if it is present.
Closing this bug report for now. If the problem still exists, feel free
to re-open it.
Thanks
--
-- arthur - [email protected] - https://people.debian.org/~adejong --
--- End Message ---
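
Added example, not part of the bug thread and not code from nss-pam-ldapd: a small Python evaluator for the filter subset used above (and/or/not, equality, presence), run over constructed entries to show which users the man-page filter authorizes. The STRICT filter, the three entries and all function names are assumptions of this example.

```python
import re
from string import Template

# Filter from the nslcd.conf(5) example quoted in the report (continuation joined).
MANPAGE = ("(&(objectClass=posixAccount)(uid=$username)"
           "(|(authorizedService=$service)(!(authorizedService=*))))")
# Assumed stricter variant (not from the thread): attribute must be present and match.
STRICT = "(&(objectClass=posixAccount)(uid=$username)(authorizedService=$service))"
# Constructed directory entries; attribute names are stored lowercased.
BASE = {"objectclass": ["posixAccount"]}
ENTRIES = {
    "alice": {**BASE, "uid": ["alice"], "authorizedservice": ["sshd"]},
    "bob":   {**BASE, "uid": ["bob"], "authorizedservice": ["cron"]},
    "carol": {**BASE, "uid": ["carol"]},  # no authorizedService attribute at all
}

def escape(value):
    # RFC 4515 escaping, so a substituted "*" is a literal and not a presence test.
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    # Parse the filter component that starts at f[i]; return (node, next_index).
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = f.index(")", i)
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr.lower(), val), end + 1

def match(node, entry):
    if node[0] == "&":
        return all(match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(match(k, entry) for k in node[1])
    if node[0] == "!":
        return not match(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":  # presence test: true when the attribute has any value
        return bool(values)
    return unescape(node[2]).lower() in (v.lower() for v in values)

def authorized(template, username, service):
    flt = Template(template).substitute(username=escape(username),
                                        service=escape(service))
    return match(parse(flt)[0], ENTRIES[username])
```

With the man-page filter, alice (authorizedService=sshd) and carol (no attribute) are authorized for sshd and bob (authorizedService=cron) is not; with STRICT, carol is refused as well.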