Bug 84376 - glibc's nss_compat.so library fails to implement ldap functions
Summary: glibc's nss_compat.so library fails to implement ldap functions
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
(Show other bugs)
Version: 7.3
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords: Security
: 84378 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-02-15 02:11 UTC by Andy Grimm
Modified: 2016-11-24 15:02 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-22 05:41:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Andy Grimm 2003-02-15 02:11:25 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5

Description of problem:
It is impossible to use "compat" in nsswitch.conf to restrict access to a
machine using LDAP as its naming service.  The nss_compat.so library in Linux is
tied strictly to NIS/NIS+.

I realize that, since this will need hooks into openldap to work properly,
fixing this either requires you to split nss_compat into a separate package
(probably a good idea), or make glibc depend on openldap (probably not such a
good idea), but either way, it's something that really should be implemented. 
I'm willing to heavily test the code, but I don't have enough knowledge of the
ldap internals to write it myself.

I also sent a message to bug-glibc@gnu.org, but I have gotten no response about
it yet.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up a Linux machine as an LDAP client
2. Make sure the machine is NOT bound to a NIS/NIS+ domain
2. Set "passwd: compat" and "passwd_compat: ldap" in nsswitch.conf
3. add "+username" at the end of /etc/passwd for some user
4. try to log in as the user


Actual Results:  nss_compat tries to check for user's validity using NIS, not
LDAP, so the login fails.

Expected Results:  nss_compat needs to make calls to the LDAP library instead

Additional info:

I've checked the latest glibc source from GNU (2.3.1), and there has still not
been work done in this area.
Comment 1 Andy Grimm 2003-02-15 03:04:07 UTC 
*** Bug 84378 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Jelinek 2003-02-18 13:07:39 UTC 
Can you please expand on why you need to use nss_compat for ldap?
Why doesn't passwd: ldap work for you?
Comment 3 Andy Grimm 2003-02-18 19:03:08 UTC 
passwd: ldap works fine, but doesn't allow me to restrict access in the way that
I would like.  For example, if my development domain has a webserver (or
fileserver, nameserver, etc.) in it, and I only want administrators to have
login access, my current way to do this is with compat mode, an admin netgroup,
and a "+@admin" line at the bottom of the password file.  I think this is pretty
standard in the Solaris world.  This works fine with Linux under NIS or NIS+, so
I was surprised to find that it doesn't work for LDAP.  It essentially means
that I have to change to an "everybody or nobody" policy for LDAP-based user logins.
Unless you know of another comparable way to control this, I'd consider it a
security issue.
Comment 4 Ulrich Drepper 2003-04-22 05:41:44 UTC 
This is no bug.  nss_compat has one purpose only: to work with NIS and the old
format used in the passwd file.  There will never ever be a change as demanded
here in nss_compat.  But the nss module interface is documented.  Feel free to
write zour own nss module and use it.
Note You need to log in before you can comment on or make changes to this bug.