On Tue, 2016-05-24 at 03:27 -0400, Daniel Richard G. wrote:
> I am seeing relatively frequent entries of this form in syslog:
>
> May 24 03:04:23 darkstar nslcd[1187]: [3c9869] request denied by validnames option
>
> While I am uncertain as to what causes this, at one point it appeared
> to be associated with tab completion at a shell prompt. (At the same
> time, however, I can't reproduce this reliably that way.)

I'm not really sure what triggers it but I also see this in the logs a
lot. I just ignore it. It could be that nscd makes it more difficult to
trigger because it sometimes also caches negative hits. Furthermore, the
application may be caching it.

> I claim ignorance as to why this request occurs (is this really
> supposed to return a list of all users?)

No, I'm pretty sure it is some sort of lookup that is meant to return no
users at all or a misconfiguration somewhere.

> But given that this request comes up fairly often, and does not
> appear to be the result of a misconfiguration, it would be helpful to
> have a way of keeping this noise out of the log. The "*" request
> could be specifically ignored, while continuing to log other
> instances of failed validnames matching.

To not report it as an invalid name you could set validnames to

  /^[a-z0-9._@$()*]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i

but that is a bit ugly and it results in a useless LDAP search each
time.

> (Incidentally, "nss_disable_enumeration yes" does not address this.)

No. The "*" lookup is just to look up a user with that name. The
function call can also return only one passwd entry so it is not meant
to be a wildcard. As such it is not covered by nss_disable_enumeration.

Not sure this will be fixed in nss-pam-ldapd any time soon.

Thanks,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
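The relaxed validnames value suggested in the reply above, compared with the default, as an added example (not part of the original message and not nss-pam-ldapd code). It assumes the default pattern is the one documented in nslcd.conf(5), which the page does not quote; Python's `re` stands in for the POSIX regex matching nslcd performs, and the sample names are constructed.

```python
import re

# Default validnames value as documented in nslcd.conf(5) (assumption: the
# page itself does not quote the default).
DEFAULT = r"/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i"
# Relaxed value from the reply: '*' added to the first character class only.
RELAXED = r"/^[a-z0-9._@$()*]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i"

# Constructed sample names, not taken from any real directory.
SAMPLE_NAMES = ["alice", "Bob.Smith", "*", "*admin", "a*", "adm*n", "**", "* "]


def compile_validnames(value):
    """Turn nslcd's /REGEX/ or /REGEX/i syntax into a compiled Python pattern."""
    if not value.startswith("/"):
        raise ValueError("validnames must look like /REGEX/ or /REGEX/i")
    body, sep, flags = value[1:].rpartition("/")
    if not sep or flags not in ("", "i"):
        raise ValueError("validnames must look like /REGEX/ or /REGEX/i")
    # POSIX '$' matches only at the very end of the string; Python's '$' also
    # matches before a trailing newline, so anchor with \Z instead.
    if body.endswith("$") and not body.endswith("\\$"):
        body = body[:-1] + r"\Z"
    return re.compile(body, re.IGNORECASE if flags == "i" else 0)


def accepts(value, name):
    """True if a lookup for `name` would pass the given validnames value."""
    return compile_validnames(value).search(name) is not None


def newly_accepted(names, old=DEFAULT, new=RELAXED):
    """Names that the old pattern denied and the new pattern lets through."""
    return [n for n in names if accepts(new, n) and not accepts(old, n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:12} default={accepts(DEFAULT, name)!s:5} "
              f"relaxed={accepts(RELAXED, name)}")
    print("newly accepted:", newly_accepted(SAMPLE_NAMES))
```

Because the `*` is added to the leading character class, the relaxed value passes every otherwise-valid name that begins with `*`, not only the bare `*` lookup; names with `*` in any other position are still denied and logged.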