--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: finger-ldap does not handle multiple nss_base_passwd options
- From: Patrick Coleman <pcoleman@iinet.net.au>
- Date: Sat, 15 Jul 2006 14:55:46 +0800
- Message-id: <44B89172.4030602@iinet.net.au>
Package: finger-ldap
Version: 1.3-1
The libnss-ldap.conf configuration file can contain multiple nss_base_passwd options; finger-ldap,
however, only reads the last one.
Example config file:
base dc=example,dc=com
binddn cn=admin,dc=example,dc=com
rootbinddn cn=admin,dc=example,dc=com
idle_timelimit 3600
pam_login_attribute uid
pam_check_host_attr no
pam_password exop
nss_base_passwd ou=systemusers,dc=example,dc=com?one
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=systemusers,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one
In this case, finger-ldap only uses ou=users,dc=example,dc=com.
This feature is documented in the nss_ldap(5) manpage that ships with package libnss-ldap/251-1:
nss_base_<map> <basedn?scope?filter>
Specify the search base, scope and filter to be used for specific maps. (Note that map
forms part of the configuration file keyword and is one of passwd, shadow, group, hosts, services,
networks, protocols, rpc, ethers, netmasks, bootparams, aliases and netgroup.) The syntax of basedn
and scope are the same as for the configuration file options of the same name, with the addition
of being able to omit the trailing suffix of the base DN (in which case the global base DN
will be appended instead). The filter is a search filter to be added to the default search filter
for a specific map, such that the effective filter is the logical intersection of the two. The base
DN, scope and filter are separated with literal question marks (?) as given above; this is for
compatibility with the DUA configuration profile schema and the ldapprofile tool. This option may be
specified multiple times.
I am using finger-ldap/1.1-2 (stable), but the code indicates that the problem also exists in
finger-ldap/1.3-1 (testing/unstable).
Cheers,
Patrick
--- End Message ---
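The behaviour the report asks for, as an added example that is not finger-ldap's code and is not part of the original message: every nss_base_<map> line is collected instead of letting the last one overwrite the rest, and each value is split into base DN, scope and filter. It goes slightly beyond the report by also resolving a base DN with the suffix omitted; the trailing-comma convention for that case and the function name parse_nss_bases are assumptions, and the sample config is constructed from the one in the report.

```python
from collections import defaultdict

# Constructed sample: the report's config plus one base with the suffix omitted.
SAMPLE_CONF = """\
base dc=example,dc=com
# comment lines and blank lines are skipped

nss_base_passwd ou=systemusers,dc=example,dc=com?one
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_passwd ou=staff,?sub?(objectClass=posixAccount)
nss_base_group ou=groups,dc=example,dc=com?one
"""


def parse_nss_bases(text):
    """Return (global_base, {map: [(base_dn, scope, filter), ...]})."""
    global_base = None
    raw = defaultdict(list)  # map name -> every value seen, in file order
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "base":
            global_base = value
        elif key.startswith("nss_base_"):
            # Append rather than assign: the option may be given several times.
            raw[key[len("nss_base_"):]].append(value)

    bases = {}
    for map_name, values in raw.items():
        entries = []
        for value in values:
            # basedn?scope?filter, where scope and filter are optional.
            fields = value.split("?", 2) + [None, None]
            base_dn, scope, flt = fields[0], fields[1] or None, fields[2] or None
            # Assumption: a trailing comma marks a base DN with the suffix omitted.
            if base_dn.endswith(","):
                if global_base is None:
                    raise ValueError("relative base %r but no global base" % base_dn)
                base_dn += global_base
            entries.append((base_dn, scope, flt))
        bases[map_name] = entries
    return global_base, bases
```

A lookup tool would then search each returned passwd base in turn and merge the results, so that users under ou=systemusers are found as well as those under ou=users.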