I brought up bug #552433 here earlier [0] and have been in contact with the security team about this, but haven't had a definite answer from them on whether they want (or don't want) to issue an advisory for it. I'm now convinced this is a security problem because it can result in wrong privileges being assigned and in denial of service (see [1] for more information). Since I haven't heard back from the security team in a month (I've sent several pings) I guess it should go through proposed-updates. I have prepared a 0.6.7.2 version which can be found here: [2], [3]. The debdiff is attached (9 source files changed, 133 insertions and 151 deletions). Is it OK to upload this to proposed-updates? [0] http://lists.debian.org/debian-release/2009/10/msg00242.html [1] http://arthurdejong.org/nss-pam-ldapd/news.html#20091122 [2] http://arthurdejong.org/viewvc/nss-pam-ldapd/nss-ldapd-0.6.7.2/ [3] http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd-0.6.7.2/ -- -- arthur - adejong@debian.org - http://people.debian.org/~adejong --
diff -Nru nss-ldapd-0.6.7.1/debian/changelog nss-ldapd-0.6.7.2/debian/changelog
--- nss-ldapd-0.6.7.1/debian/changelog 2009-03-21 10:48:50.000000000 +0100
+++ nss-ldapd-0.6.7.2/debian/changelog 2009-11-07 12:04:10.000000000 +0100
@@ -1,6 +1,14 @@
-nss-ldapd (0.6.7.1) stable-security; urgency=high
+nss-ldapd (0.6.7.2) stable-security; urgency=low
 
 * security upload
+ * perform case-sensitive filtering for group, netgroup, passwd, protocols,
+ rpc, services and shadow lookups (closes: #552433)
+
+ -- Arthur de Jong <adejong@debian.org> Thu, 07 Nov 2009 12:00:00 +0100
+
+nss-ldapd (0.6.7.1) stable-security; urgency=high
+
+ * security upload (CVE-2009-1073)
 * fix the permissions of /etc/nss-ldapd.conf to not be world readable
 (file can be used to store LDAP password) (closes: #520476)
 
diff -Nru nss-ldapd-0.6.7.1/nslcd/alias.c nss-ldapd-0.6.7.2/nslcd/alias.c
--- nss-ldapd-0.6.7.1/nslcd/alias.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/alias.c 2009-11-05 21:34:55.000000000 +0100
@@ -92,34 +92,27 @@
 static int write_alias(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqalias)
 {
 int32_t tmpint32,tmp2int32,tmp3int32;
- const char *tmparr[2];
 const char **names,**members;
 int i;
 /* get the name of the alias */
- if (reqalias!=NULL)
+ names=myldap_get_values(entry,attmap_alias_cn);
+ if ((names==NULL)||(names[0]==NULL))
 {
- names=tmparr;
- names[0]=reqalias;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_alias_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"alias entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_alias_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"alias entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_alias_cn);
+ return 0;
 }
 /* get the members of the alias */
 members=myldap_get_values(entry,attmap_alias_rfc822MailMember);
 /* for each name, write an entry */
 for (i=0;names[i]!=NULL;i++)
 {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,names[i]);
- WRITE_STRINGLIST(fp,members);
+ if ((reqalias==NULL)||(strcasecmp(reqalias,names[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,names[i]);
+ WRITE_STRINGLIST(fp,members);
+ }
 }
 return 0;
 }
diff -Nru nss-ldapd-0.6.7.1/nslcd/ether.c nss-ldapd-0.6.7.2/nslcd/ether.c
--- nss-ldapd-0.6.7.1/nslcd/ether.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/ether.c 2009-11-05 21:34:55.000000000 +0100
@@ -122,21 +122,12 @@
 const char **names,**ethers;
 int i,j;
 /* get the name of the ether entry */
- if (reqname!=NULL)
+ names=myldap_get_values(entry,attmap_ether_cn);
+ if ((names==NULL)||(names[0]==NULL))
 {
- names=tmparr;
- names[0]=reqname;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_ether_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"ether entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_ether_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"ether entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_ether_cn);
+ return 0;
 }
 /* get the addresses */
 if (reqether!=NULL)
@@ -158,12 +149,13 @@
 }
 /* write entries for all names and addresses */
 for (i=0;names[i]!=NULL;i++)
- for (j=0;ethers[j]!=NULL;j++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,names[i]);
- WRITE_ETHER(fp,ethers[j]);
- }
+ if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))
+ for (j=0;ethers[j]!=NULL;j++)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,names[i]);
+ WRITE_ETHER(fp,ethers[j]);
+ }
 return 0;
 }
 
diff -Nru nss-ldapd-0.6.7.1/nslcd/group.c nss-ldapd-0.6.7.2/nslcd/group.c
--- nss-ldapd-0.6.7.1/nslcd/group.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/group.c 2009-11-05 21:34:55.000000000 +0100
@@ -143,7 +143,7 @@
 
 static int do_write_group(
 TFILE *fp,MYLDAP_ENTRY *entry,const char **names,gid_t gids[],int numgids,
- const char *passwd,SET *members)
+ const char *passwd,SET *members,const char *reqname)
 {
 int32_t tmpint32;
 int i,j;
@@ -165,7 +165,7 @@
 log_log(LOG_WARNING,"group entry %s contains invalid group name: \"%s\"",
 myldap_get_dn(entry),names[i]);
 }
- else
+ else if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
 {
 for (j=0;j<numgids;j++)
 {
@@ -227,7 +227,6 @@
 const gid_t *reqgid,int wantmembers,
 MYLDAP_SESSION *session)
 {
- const char *tmparr[2];
 const char **names,**gidvalues;
 const char *passwd;
 SET *members;
@@ -236,21 +235,12 @@
 char *tmp;
 int rc;
 /* get group name (cn) */
- if (reqname!=NULL)
+ names=myldap_get_values(entry,attmap_group_cn);
+ if ((names==NULL)||(names[0]==NULL))
 {
- names=tmparr;
- names[0]=reqname;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_group_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"group entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_group_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"group entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_group_cn);
+ return 0;
 }
 /* get the group id(s) */
 if (reqgid!=NULL)
@@ -289,7 +279,7 @@
 members=NULL;
 /* write entries (split to a separate function so we can ensure the call
 to free() below in case a write fails) */
- rc=do_write_group(fp,entry,names,gids,numgids,passwd,members);
+ rc=do_write_group(fp,entry,names,gids,numgids,passwd,members,reqname);
 /* free and return */
 if (members!=NULL)
 set_free(members);
diff -Nru nss-ldapd-0.6.7.1/nslcd/netgroup.c nss-ldapd-0.6.7.2/nslcd/netgroup.c
--- nss-ldapd-0.6.7.1/nslcd/netgroup.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/netgroup.c 2009-11-05 21:34:55.000000000 +0100
@@ -198,12 +198,19 @@
 if (write_netgroup_triple(fp,triple)) \
 return -1;
 
-static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry, const char *reqname)
 {
 int32_t tmpint32;
 int i;
+ const char **names;
 const char **triples;
 const char **members;
+ /* get the netgroup name */
+ names=myldap_get_values(entry,attmap_netgroup_cn);
+ for (i=0;(names[i]!=NULL)&&(strcmp(reqname,names[i])!=0);i++)
+ /* nothing here */ ;
+ if (names[i]==NULL)
+ return 0; /* the name was not found */
 /* get the netgroup triples and member */
 triples=myldap_get_values(entry,attmap_netgroup_nisNetgroupTriple);
 members=myldap_get_values(entry,attmap_netgroup_memberNisNetgroup);
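Review bot: `write_netgroup` now indexes `names` straight after `names=myldap_get_values(entry,attmap_netgroup_cn);` without the `(names==NULL)||(names[0]==NULL)` guard that every other lookup in this patch (alias, ether, group, passwd, shadow) applies, so a netgroup entry with no cn value — or a failed attribute fetch, if myldap_get_values can return NULL as those sibling checks assume — becomes a NULL dereference in nslcd on a by-name lookup, i.e. a directory-content-triggered crash of the daemon this update is hardening. Add the same guard before the loop, e.g. `if ((names==NULL)||(names[0]==NULL)) return 0; /* no cn to match against */`, or log it with log_log as alias.c does. The new `reqname` parameter is likewise passed straight to strcmp; the only caller in this patch passes the requested name, so either document that NULL is not accepted or guard it the way write_protocol does. write_netgroup's body continues past the end of the hunk.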
@@ -236,5 +243,5 @@
 log_log(LOG_DEBUG,"nslcd_netgroup_byname(%s)",name);,
 NSLCD_ACTION_NETGROUP_BYNAME,
 mkfilter_netgroup_byname(name,filter,sizeof(filter)),
- write_netgroup(fp,entry)
+ write_netgroup(fp,entry,name)
 )
diff -Nru nss-ldapd-0.6.7.1/nslcd/passwd.c nss-ldapd-0.6.7.2/nslcd/passwd.c
--- nss-ldapd-0.6.7.1/nslcd/passwd.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/passwd.c 2009-11-05 21:34:55.000000000 +0100
@@ -275,7 +275,6 @@
 const uid_t *requid)
 {
 int32_t tmpint32;
- const char *tmparr[2];
 const char **tmpvalues;
 char *tmp;
 const char **usernames;
@@ -288,21 +287,12 @@
 const char *shell;
 int i,j;
 /* get the usernames for this entry */
- if (requser!=NULL)
+ usernames=myldap_get_values(entry,attmap_passwd_uid);
+ if ((usernames==NULL)||(usernames[0]==NULL))
 {
- usernames=tmparr;
- usernames[0]=requser;
- usernames[1]=NULL;
- }
- else
- {
- usernames=myldap_get_values(entry,attmap_passwd_uid);
- if ((usernames==NULL)||(usernames[0]==NULL))
- {
- log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_passwd_uid);
- return 0;
- }
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_passwd_uid);
+ return 0;
 }
 /* get the password for this entry */
 if (myldap_has_objectclass(entry,"shadowAccount"))
@@ -416,27 +406,28 @@
 }
 /* write the entries */
 for (i=0;usernames[i]!=NULL;i++)
- {
- if (!isvalidname(usernames[i]))
- {
- log_log(LOG_WARNING,"passwd entry %s contains invalid user name: \"%s\"",
- myldap_get_dn(entry),usernames[i]);
- }
- else
+ if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
 {
- for (j=0;j<numuids;j++)
+ if (!isvalidname(usernames[i]))
 {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_TYPE(fp,uids[j],uid_t);
- WRITE_TYPE(fp,gid,gid_t);
- WRITE_STRING(fp,gecos);
- WRITE_STRING(fp,homedir);
- WRITE_STRING(fp,shell);
+ log_log(LOG_WARNING,"passwd entry %s contains invalid user name: \"%s\"",
+ myldap_get_dn(entry),usernames[i]);
+ }
+ else
+ {
+ for (j=0;j<numuids;j++)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_TYPE(fp,uids[j],uid_t);
+ WRITE_TYPE(fp,gid,gid_t);
+ WRITE_STRING(fp,gecos);
+ WRITE_STRING(fp,homedir);
+ WRITE_STRING(fp,shell);
+ }
 }
 }
- }
 return 0;
 }
 
diff -Nru nss-ldapd-0.6.7.1/nslcd/protocol.c nss-ldapd-0.6.7.2/nslcd/protocol.c
--- nss-ldapd-0.6.7.1/nslcd/protocol.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/protocol.c 2009-11-05 21:34:55.000000000 +0100
@@ -98,7 +98,7 @@
 protocol_attrs[2]=NULL;
 }
 
-static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
 {
 int32_t tmpint32,tmp2int32,tmp3int32;
 const char *name;
@@ -106,6 +106,7 @@
 const char **protos;
 char *tmp;
 int proto;
+ int i;
 /* get the most canonical name */
 name=myldap_get_rdn_value(entry,attmap_protocol_cn);
 /* get the other names for the protocol */
@@ -119,6 +120,14 @@
 /* if the protocol name is not yet found, get the first entry */
 if (name==NULL)
 name=aliases[0];
+ /* check case of returned protocol entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
 /* get the protocol number */
 protos=myldap_get_values(entry,attmap_protocol_ipProtocolNumber);
 if ((protos==NULL)||(protos[0]==NULL))
@@ -155,7 +164,7 @@
 log_log(LOG_DEBUG,"nslcd_protocol_byname(%s)",name);,
 NSLCD_ACTION_PROTOCOL_BYNAME,
 mkfilter_protocol_byname(name,filter,sizeof(filter)),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,name)
 )
 
 NSLCD_HANDLE(
@@ -166,7 +175,7 @@
 log_log(LOG_DEBUG,"nslcd_protocol_bynumber(%d)",protocol);,
 NSLCD_ACTION_PROTOCOL_BYNUMBER,
 mkfilter_protocol_bynumber(protocol,filter,sizeof(filter)),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,NULL)
 )
 
 NSLCD_HANDLE(
@@ -176,5 +185,5 @@
 log_log(LOG_DEBUG,"nslcd_protocol_all()");,
 NSLCD_ACTION_PROTOCOL_ALL,
 (filter=protocol_filter,0),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,NULL)
 )
diff -Nru nss-ldapd-0.6.7.1/nslcd/rpc.c nss-ldapd-0.6.7.2/nslcd/rpc.c
--- nss-ldapd-0.6.7.1/nslcd/rpc.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/rpc.c 2009-11-05 21:34:55.000000000 +0100
@@ -99,7 +99,7 @@
 }
 
 /* write a single rpc entry to the stream */
-static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
 {
 int32_t tmpint32,tmp2int32,tmp3int32;
 const char *name;
@@ -107,6 +107,7 @@
 const char **numbers;
 char *tmp;
 int number;
+ int i;
 /* get the most canonical name */
 name=myldap_get_rdn_value(entry,attmap_rpc_cn);
 /* get the other names for the rpc entries */
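Review bot: `strcmp(reqname,name)` in the new block relies on `name` being non-NULL after the `name=aliases[0]` fallback on the line above, which holds only if the code before this hunk already rejects an empty aliases list; if it does not, a protocol entry without a cn value turns a by-name lookup into a NULL dereference. Either confirm that guard or make the test self-contained, `if ((reqname!=NULL)&&((name==NULL)||(strcmp(reqname,name)!=0)))`, after which the alias loop already returns 0 for an empty list. The same applies to the identical blocks added in rpc.c and service.c. write_protocol starts before this hunk.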
@@ -120,6 +121,14 @@
 /* if the rpc name is not yet found, get the first entry */
 if (name==NULL)
 name=aliases[0];
+ /* check case of returned rpc entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
 /* get the rpc number */
 numbers=myldap_get_values(entry,attmap_rpc_oncRpcNumber);
 if ((numbers==NULL)||(numbers[0]==NULL))
@@ -156,7 +165,7 @@
 log_log(LOG_DEBUG,"nslcd_rpc_byname(%s)",name);,
 NSLCD_ACTION_RPC_BYNAME,
 mkfilter_rpc_byname(name,filter,sizeof(filter)),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,name)
 )
 
 NSLCD_HANDLE(
@@ -167,7 +176,7 @@
 log_log(LOG_DEBUG,"nslcd_rpc_bynumber(%d)",number);,
 NSLCD_ACTION_RPC_BYNUMBER,
 mkfilter_rpc_bynumber(number,filter,sizeof(filter)),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,NULL)
 )
 
 NSLCD_HANDLE(
@@ -177,5 +186,5 @@
 log_log(LOG_DEBUG,"nslcd_rpc_all()");,
 NSLCD_ACTION_RPC_ALL,
 (filter=rpc_filter,0),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,NULL)
 )
diff -Nru nss-ldapd-0.6.7.1/nslcd/service.c nss-ldapd-0.6.7.2/nslcd/service.c
--- nss-ldapd-0.6.7.1/nslcd/service.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/service.c 2009-11-05 21:34:55.000000000 +0100
@@ -125,14 +125,14 @@
 service_attrs[3]=NULL;
 }
 
-static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqprotocol)
+static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,
+ const char *reqname,const char *reqprotocol)
 {
 int32_t tmpint32,tmp2int32,tmp3int32;
 const char *name;
 const char **aliases;
 const char **ports;
 const char **protocols;
- const char *tmparr[2];
 char *tmp;
 int port;
 int i;
@@ -149,6 +149,14 @@
 /* if the service name is not yet found, get the first entry */
 if (name==NULL)
 name=aliases[0];
+ /* check case of returned servies entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
 /* get the service number */
 ports=myldap_get_values(entry,attmap_service_ipServicePort);
 if ((ports==NULL)||(ports[0]==NULL))
@@ -170,31 +178,23 @@
 return 0;
 }
 /* get protocols */
- if ((reqprotocol!=NULL)&&(*reqprotocol!='\0'))
- {
- protocols=tmparr;
- protocols[0]=reqprotocol;
- protocols[1]=NULL;
- }
- else
+ protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
+ if ((protocols==NULL)||(protocols[0]==NULL))
 {
- protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
- if ((protocols==NULL)||(protocols[0]==NULL))
- {
- log_log(LOG_WARNING,"service entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_service_ipServiceProtocol);
- return 0;
- }
+ log_log(LOG_WARNING,"service entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_service_ipServiceProtocol);
+ return 0;
 }
 /* write the entries */
 for (i=0;protocols[i]!=NULL;i++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,name);
- WRITE_STRINGLIST_EXCEPT(fp,aliases,name);
- WRITE_INT32(fp,port);
- WRITE_STRING(fp,protocols[i]);
- }
+ if ((reqprotocol==NULL)||(*reqprotocol=='\0')||(strcmp(reqprotocol,protocols[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,name);
+ WRITE_STRINGLIST_EXCEPT(fp,aliases,name);
+ WRITE_INT32(fp,port);
+ WRITE_STRING(fp,protocols[i]);
+ }
 return 0;
 }
 
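Review bot: The new comment `/* check case of returned servies entry */` misspells "services" and understates the block beneath it, which drops an entry whose canonical name and aliases all differ from the requested name — the case-sensitive filtering the changelog describes. Suggest `/* only return this entry if the requested name matches the cn or one of its aliases (case-sensitive) */`; the matching comments added to protocol.c and rpc.c would read better with the same wording. write_service starts before this hunk.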
@@ -208,7 +208,7 @@
 log_log(LOG_DEBUG,"nslcd_service_byname(%s,%s)",name,protocol);,
 NSLCD_ACTION_SERVICE_BYNAME,
 mkfilter_service_byname(name,protocol,filter,sizeof(filter)),
- write_service(fp,entry,protocol)
+ write_service(fp,entry,name,protocol)
 )
 
 NSLCD_HANDLE(
@@ -221,7 +221,7 @@
 log_log(LOG_DEBUG,"nslcd_service_bynumber(%d,%s)",number,protocol);,
 NSLCD_ACTION_SERVICE_BYNUMBER,
 mkfilter_service_bynumber(number,protocol,filter,sizeof(filter)),
- write_service(fp,entry,protocol)
+ write_service(fp,entry,NULL,protocol)
 )
 
 NSLCD_HANDLE(
@@ -231,5 +231,5 @@
 log_log(LOG_DEBUG,"nslcd_service_all()");,
 NSLCD_ACTION_SERVICE_ALL,
 (filter=service_filter,0),
- write_service(fp,entry,NULL)
+ write_service(fp,entry,NULL,NULL)
 )
diff -Nru nss-ldapd-0.6.7.1/nslcd/shadow.c nss-ldapd-0.6.7.2/nslcd/shadow.c
--- nss-ldapd-0.6.7.1/nslcd/shadow.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/shadow.c 2009-11-05 21:34:55.000000000 +0100
@@ -190,7 +190,6 @@
 static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
 {
 int32_t tmpint32;
- const char *tmparr[2];
 const char **tmpvalues;
 char *tmp;
 const char **usernames;
@@ -204,21 +203,12 @@
 unsigned long flag;
 int i;
 /* get username */
- if (requser!=NULL)
+ usernames=myldap_get_values(entry,attmap_shadow_uid);
+ if ((usernames==NULL)||(usernames[0]==NULL))
 {
- usernames=tmparr;
- usernames[0]=requser;
- usernames[1]=NULL;
- }
- else
- {
- usernames=myldap_get_values(entry,attmap_shadow_uid);
- if ((usernames==NULL)||(usernames[0]==NULL))
- {
- log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_shadow_uid);
- return 0;
- }
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_shadow_uid);
+ return 0;
 }
 /* get password */
 passwd=get_userpassword(entry,attmap_shadow_userPassword);
@@ -247,18 +237,19 @@
 }
 /* write the entries */
 for (i=0;usernames[i]!=NULL;i++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_INT32(fp,lastchangedate);
- WRITE_INT32(fp,mindays);
- WRITE_INT32(fp,maxdays);
- WRITE_INT32(fp,warndays);
- WRITE_INT32(fp,inactdays);
- WRITE_INT32(fp,expiredate);
- WRITE_INT32(fp,flag);
- }
+ if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_INT32(fp,lastchangedate);
+ WRITE_INT32(fp,mindays);
+ WRITE_INT32(fp,maxdays);
+ WRITE_INT32(fp,warndays);
+ WRITE_INT32(fp,inactdays);
+ WRITE_INT32(fp,expiredate);
+ WRITE_INT32(fp,flag);
+ }
 return 0;
 }
 
diff -Nru nss-ldapd-0.6.7.1/README nss-ldapd-0.6.7.2/README
--- nss-ldapd-0.6.7.1/README 2009-03-21 09:40:47.000000000 +0100
+++ nss-ldapd-0.6.7.2/README 2009-11-05 21:37:03.000000000 +0100
@@ -320,14 +320,25 @@
 groups, as well as the memberOf attribute in posixAccount entries are
 unsupported.
 
-MISC NOTES
-==========
+case sensitivity
+----------------
 
 Most values in the NSS databases are considered case-sensitive (e.g. the user
-"Foo" is a different user from "foo"). Values in an LDAP database are however
-case-insensitive. This may cause problems in some corner cases, especially
-when nscd is used for caching. For example, when doing a lookup for the user
-"Foo" the user "foo" will be returned if it exists in the database.
+"Foo" is a different user from the user "foo"). Values in an LDAP database are
+however cosidered case-insensitive. nss-ldapd tries to solve this problem by
+adding an extra filtering layer and ensure that e.g. when looking for the user
+"foo" it will not return a user "Foo" that is found in LDAP.
+
+For the group, netgroup, passwd, protocols, rpc, services and shadow maps the
+matches will be checked case-sensitively and for aliases, ethers, hosts and
+networks matches will be case-insensitive (this seems to be what Glibc is
+doing currently with flat files). Only searching for groups by member the
+username matching is done case-insensitive. Note that in all cases the
+case-use in the LDAP directory is returned.
+
+Note however that having entries that only differ in case is a bad idea and
+will likely get you in trouble. One example of such a problem is that the DN
+uid=test,dc=example,dc=com is the same as uid=TEST,dc=example,dc=com.
 
 
 REPORTING BUGS