Bug 84376

Summary: glibc's nss_compat.so library fails to implement ldap functions
Product: [Retired] Red Hat Linux
Component: glibc
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Keywords: Security
Reporter: Andy Grimm <andy.grimm>
Assignee: Jakub Jelinek <jakub>
QA Contact: Brian Brock <bbrock>
CC: fweimer
Target Milestone: ---
Target Release: ---
Doc Type: Bug Fix
Last Closed: 2003-04-22 05:41:44 UTC

Description Andy Grimm 2003-02-15 02:11:25 UTC

Description of problem:
It is impossible to use "compat" in nsswitch.conf to restrict access to a
machine using LDAP as its naming service.  The nss_compat.so library in Linux is
tied strictly to NIS/NIS+.

I realize that, since this will need hooks into openldap to work properly,
fixing this either requires you to split nss_compat into a separate package
(probably a good idea), or make glibc depend on openldap (probably not such a
good idea), but either way, it's something that really should be implemented. 
I'm willing to heavily test the code, but I don't have enough knowledge of the
ldap internals to write it myself.

I also sent a message to bug-glibc, but I have gotten no response about
it yet.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up a Linux machine as an LDAP client
2. Make sure the machine is NOT bound to a NIS/NIS+ domain
3. Set "passwd: compat" and "passwd_compat: ldap" in nsswitch.conf
4. Add "+username" at the end of /etc/passwd for some user
5. Try to log in as the user


Actual Results:  nss_compat tries to check for user's validity using NIS, not
LDAP, so the login fails.

Expected Results:  nss_compat needs to make calls to the LDAP library instead

Additional info:

I've checked the latest glibc source from GNU (2.3.1), and there has still not
been work done in this area.

Comment 1 Andy Grimm 2003-02-15 03:04:07 UTC
*** Bug 84378 has been marked as a duplicate of this bug. ***

Comment 2 Jakub Jelinek 2003-02-18 13:07:39 UTC
Can you please expand on why you need to use nss_compat for ldap?
Why doesn't passwd: ldap work for you?

Comment 3 Andy Grimm 2003-02-18 19:03:08 UTC
passwd: ldap works fine, but doesn't allow me to restrict access in the way that
I would like.  For example, if my development domain has a webserver (or
fileserver, nameserver, etc.) in it, and I only want administrators to have
login access, my current way to do this is with compat mode, an admin netgroup,
and a "+@admin" line at the bottom of the password file.  I think this is pretty
standard in the Solaris world.  This works fine with Linux under NIS or NIS+, so
I was surprised to find that it doesn't work for LDAP.  It essentially means
that I have to change to an "everybody or nobody" policy for LDAP-based user logins.
Unless you know of another comparable way to control this, I'd consider it a
security issue.  
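
The compat-file semantics this thread relies on (the "+username" line in the description's reproduction steps and the "+@admin" netgroup line above), modelled as an added Python example. This is not glibc code and not code from anyone in this bug: DIRECTORY and NETGROUPS are constructed stand-ins for the service named by "passwd_compat:" and for the netgroup database, and the scan order and override rules are an approximation of nss_compat, not the library itself. It shows why the "+@admin" line is an access-control list, what the "everybody or nobody" alternative looks like, and what the reporter saw when the directory behind "passwd_compat:" was an absent NIS service rather than LDAP.

```python
"""Model of how glibc's nss_compat resolves a passwd lookup.

Constructed example for this bug report, not glibc code: DIRECTORY stands
in for the service named by "passwd_compat:" (NIS today, LDAP as wanted)
and NETGROUPS for the netgroup database. Scan order and override rules
approximate nss_compat; nothing here contacts a real naming service.
"""
from typing import Dict, Optional

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def _parse_line(line: str) -> Dict[str, str]:
    """Split one passwd line; bare '+'/'-' lines are padded as glibc allows."""
    fields = line.split(":")
    if fields[0][:1] in ("+", "-"):
        fields += [""] * (7 - len(fields))
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    return dict(zip(FIELDS, fields))


# Constructed directory content: what "passwd_compat: ldap" would return.
DIRECTORY = {
    e["name"]: e for e in map(_parse_line, [
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash",
        "carol:x:1003:1003:Carol:/home/carol:/bin/bash",
        "dave:x:1004:1004:Dave:/home/dave:/bin/bash",
    ])
}

# Constructed netgroup map: members are (host, user, domain) triples or the
# name of a nested netgroup. eve is an admin but has no passwd entry.
NETGROUPS = {
    "admin": [("-", "alice", "-"), "ops"],
    "ops": [("-", "eve", "-")],
}

# Comment 3's scheme: root locally, admins from the directory, bob locked
# out, carol admitted with a restricted shell, nobody else.
RESTRICTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+@admin
-bob
+carol::::::/bin/rbash
"""

# The "everybody or nobody" alternative: a bare '+' admits every directory user.
OPEN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+
"""


def in_netgroup(netgroups, group, user, _seen=None) -> bool:
    """Model innetgr(group, NULL, user, NULL): an empty user field is a
    wildcard, '-' matches nothing, nested netgroups are followed once."""
    if _seen is None:
        _seen = set()
    if group in _seen or group not in netgroups:
        return False
    _seen.add(group)
    for member in netgroups[group]:
        if isinstance(member, str):
            if in_netgroup(netgroups, member, user, _seen):
                return True
        elif member[1] in ("", user):
            return True
    return False


def _apply_overrides(entry, plus_line):
    """A '+' line may override passwd, gecos, dir and shell, never uid/gid."""
    merged = dict(entry)
    for field in ("passwd", "gecos", "dir", "shell"):
        if plus_line[field]:
            merged[field] = plus_line[field]
    return merged


def getpwnam_compat(name, passwd_text, directory, netgroups) -> Optional[Dict[str, str]]:
    """Resolve `name` as nss_compat does for getpwnam(): scan top to bottom,
    a local entry wins, and the first '+'/'-' line that applies decides.
    A '+' line whose directory lookup fails is skipped, which is the
    reporter's symptom when passwd_compat points at an absent NIS service."""
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        entry = _parse_line(raw)
        key = entry["name"]
        if key[:1] not in ("+", "-"):        # ordinary local entry
            if key == name:
                return entry
            continue
        sign, target = key[0], key[1:]
        if target.startswith("@"):
            applies = in_netgroup(netgroups, target[1:], name)
        else:
            applies = target == name or (sign == "+" and target == "")
        if not applies:
            continue
        if sign == "-":
            return None                      # explicitly excluded
        found = directory.get(name)
        if found is not None:
            return _apply_overrides(found, entry)
    return None
```

With RESTRICTED_PASSWD only root, members of the admin netgroup and carol resolve; bob is refused even though the directory knows him, and dave is simply absent. With OPEN_PASSWD every directory user resolves. Passing an empty directory in place of DIRECTORY reproduces the report: "+@admin" applies to alice, the lookup behind it finds nothing, and the login fails.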

Comment 4 Ulrich Drepper 2003-04-22 05:41:44 UTC
This is no bug.  nss_compat has one purpose only: to work with NIS and the old
format used in the passwd file.  There will never ever be a change as demanded
here in nss_compat.  But the nss module interface is documented.  Feel free to
write your own nss module and use it.