Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 84376 - glibc's nss_compat.so library fails to implement ldap functions
glibc's nss_compat.so library fails to implement ldap functions
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
: Security
: 84378 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2003-02-14 21:11 EST by Andy Grimm
Modified: 2016-11-24 10:02 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-04-22 01:41:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andy Grimm 2003-02-14 21:11:25 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207

Description of problem:
It is impossible to use "compat" in nsswitch.conf to restrict access to a
machine using LDAP as its naming service.  The nss_compat.so library in Linux is
tied strictly to NIS/NIS+.

I realize that, since this will need hooks into openldap to work properly,
fixing this either requires you to split nss_compat into a separate package
(probably a good idea), or make glibc depend on openldap (probably not such a
good idea), but either way, it's something that really should be implemented. 
I'm willing to heavily test the code, but I don't have enough knowledge of the
ldap internals to write it myself.

I also sent a message to bug-glibc@gnu.org, but I have gotten no response about
it yet.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up a Linux machine as an LDAP client
2. Make sure the machine is NOT bound to a NIS/NIS+ domain
2. Set "passwd: compat" and "passwd_compat: ldap" in nsswitch.conf
3. add "+username" at the end of /etc/passwd for some user
4. try to log in as the user

Actual Results:  nss_compat tries to check for user's validity using NIS, not
LDAP, so the login fails.

Expected Results:  nss_compat needs to make calls to the LDAP library instead

Additional info:

I've checked the latest glibc source from GNU (2.3.1), and there has still not
been work done in this area.
Comment 1 Andy Grimm 2003-02-14 22:04:07 EST
*** Bug 84378 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Jelinek 2003-02-18 08:07:39 EST
Can you please expand on why you need to use nss_compat for ldap?
Why doesn't passwd: ldap work for you?
Comment 3 Andy Grimm 2003-02-18 14:03:08 EST
passwd: ldap works fine, but doesn't allow me to restrict access in the way that
I would like.  For example, if my development domain has a webserver (or
fileserver, nameserver, etc.) in it, and I only want administrators to have
login access, my current way to do this is with compat mode, an admin netgroup,
and a "+@admin" line at the bottom of the password file.  I think this is pretty
standard in the Solaris world.  This works fine with Linux under NIS or NIS+, so
I was surprised to find that it doesn't work for LDAP.  It essentially means
that I have to change to an "everybody or nobody" policy for LDAP-based user logins.
Unless you know of another comparable way to control this, I'd consider it a
security issue.  
Comment 4 Ulrich Drepper 2003-04-22 01:41:44 EDT
This is no bug.  nss_compat has one purpose only: to work with NIS and the old
format used in the passwd file.  There will never ever be a change as demanded
here in nss_compat.  But the nss module interface is documented.  Feel free to
write zour own nss module and use it.

Note You need to log in before you can comment on or make changes to this bug.