I brought up bug #552433 here earlier [0] and have been in contact with the security team about this but haven't had a definite answer from them whether they want (or don't want) to issue an advisory for this. I'm now convinced this is a security problem because it can result in the wrong privileges being assigned and in denial of service (see [1] for more information). Since I haven't heard back from the security team in a month (I've sent several pings) I guess it should go through proposed-updates. I have prepared a 0.6.7.2 version which can be found here: [2], [3]. The debdiff is attached (9 source files changed, 133 insertions and 151 deletions). Is it OK to upload this to proposed-updates? [0] http://lists.debian.org/debian-release/2009/10/msg00242.html [1] http://arthurdejong.org/nss-pam-ldapd/news.html#20091122 [2] http://arthurdejong.org/viewvc/nss-pam-ldapd/nss-ldapd-0.6.7.2/ [3] http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd-0.6.7.2/ -- -- arthur - adejong@debian.org - http://people.debian.org/~adejong --
diff -Nru nss-ldapd-0.6.7.1/debian/changelog nss-ldapd-0.6.7.2/debian/changelog
--- nss-ldapd-0.6.7.1/debian/changelog 2009-03-21 10:48:50.000000000 +0100
+++ nss-ldapd-0.6.7.2/debian/changelog 2009-11-07 12:04:10.000000000 +0100
@@ -1,6 +1,14 @@
-nss-ldapd (0.6.7.1) stable-security; urgency=high
+nss-ldapd (0.6.7.2) stable-security; urgency=low
* security upload
+ * perform case-sensitive filtering for group, netgroup, passwd, protocols,
+ rpc, services and shadow lookups (closes: #552433)
+
+ -- Arthur de Jong <adejong@debian.org> Thu, 07 Nov 2009 12:00:00 +0100
+
+nss-ldapd (0.6.7.1) stable-security; urgency=high
+
+ * security upload (CVE-2009-1073)
* fix the permissions of /etc/nss-ldapd.conf to not be world readable
(file can be used to store LDAP password) (closes: #520476)
diff -Nru nss-ldapd-0.6.7.1/nslcd/alias.c nss-ldapd-0.6.7.2/nslcd/alias.c
--- nss-ldapd-0.6.7.1/nslcd/alias.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/alias.c 2009-11-05 21:34:55.000000000 +0100
@@ -92,34 +92,27 @@
static int write_alias(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqalias)
{
int32_t tmpint32,tmp2int32,tmp3int32;
- const char *tmparr[2];
const char **names,**members;
int i;
/* get the name of the alias */
- if (reqalias!=NULL)
+ names=myldap_get_values(entry,attmap_alias_cn);
+ if ((names==NULL)||(names[0]==NULL))
{
- names=tmparr;
- names[0]=reqalias;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_alias_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"alias entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_alias_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"alias entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_alias_cn);
+ return 0;
}
/* get the members of the alias */
members=myldap_get_values(entry,attmap_alias_rfc822MailMember);
/* for each name, write an entry */
for (i=0;names[i]!=NULL;i++)
{
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,names[i]);
- WRITE_STRINGLIST(fp,members);
+ if ((reqalias==NULL)||(strcasecmp(reqalias,names[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,names[i]);
+ WRITE_STRINGLIST(fp,members);
+ }
}
return 0;
}
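Review bot: The comment `/* for each name, write an entry */` above the loop is now inaccurate, because the loop only emits the cn values that pass the new strcasecmp() filter against reqalias; I would change it to `/* write an entry for every name, or, when reqalias is given, only for the name(s) that match it case-insensitively (aliases stay case-insensitive, as glibc does with flat files) */`. Spelling out that strcasecmp() is deliberate here matters, since passwd.c/group.c in the same patch switch to strcmp() and a later "consistency" cleanup could silently change the aliases semantics. A non-matching entry now produces no record at all instead of an echoed request name, which is the intended effect of the change.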
diff -Nru nss-ldapd-0.6.7.1/nslcd/ether.c nss-ldapd-0.6.7.2/nslcd/ether.c
--- nss-ldapd-0.6.7.1/nslcd/ether.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/ether.c 2009-11-05 21:34:55.000000000 +0100
@@ -122,21 +122,12 @@
const char **names,**ethers;
int i,j;
/* get the name of the ether entry */
- if (reqname!=NULL)
+ names=myldap_get_values(entry,attmap_ether_cn);
+ if ((names==NULL)||(names[0]==NULL))
{
- names=tmparr;
- names[0]=reqname;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_ether_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"ether entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_ether_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"ether entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_ether_cn);
+ return 0;
}
/* get the addresses */
if (reqether!=NULL)
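Review bot: The name branch no longer substitutes the requested name for the LDAP value, but the address branch that begins on this hunk's last line (`if (reqether!=NULL)`) is untouched, and the `tmparr` declaration is not removed in this file as it is in alias.c, group.c, passwd.c and shadow.c; if that branch still does `ethers=tmparr; ethers[0]=reqether;` as the removed name code did, a by-address lookup still echoes the request rather than the value stored in LDAP. That is the very pattern this change eliminates elsewhere and should get the same treatment: take ethers from the entry and write only the ethers[j] that compare equal to reqether. The body of that branch and the rest of write_ether lie outside the hunk, so this is inferred, not observed.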
@@ -158,12 +149,13 @@
}
/* write entries for all names and addresses */
for (i=0;names[i]!=NULL;i++)
- for (j=0;ethers[j]!=NULL;j++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,names[i]);
- WRITE_ETHER(fp,ethers[j]);
- }
+ if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))
+ for (j=0;ethers[j]!=NULL;j++)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,names[i]);
+ WRITE_ETHER(fp,ethers[j]);
+ }
return 0;
}
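Review bot: The write loop is now three levels of unbraced nesting (`for` / `if` / `for`), which is easy to break on the next edit; bracing the outer `for` and the `if` makes the scope explicit at the cost of four lines. Only the name side is filtered here; every ethers[j] of a matching entry is written, so for a by-address request the result depends entirely on what the preceding, out-of-hunk address branch put in `ethers`. A one-line comment such as `/* ether names are matched case-insensitively on purpose (see README) */` would stop someone aligning this with the strcmp() used in passwd.c.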
diff -Nru nss-ldapd-0.6.7.1/nslcd/group.c nss-ldapd-0.6.7.2/nslcd/group.c
--- nss-ldapd-0.6.7.1/nslcd/group.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/group.c 2009-11-05 21:34:55.000000000 +0100
@@ -143,7 +143,7 @@
static int do_write_group(
TFILE *fp,MYLDAP_ENTRY *entry,const char **names,gid_t gids[],int numgids,
- const char *passwd,SET *members)
+ const char *passwd,SET *members,const char *reqname)
{
int32_t tmpint32;
int i,j;
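Review bot: The new reqname parameter of do_write_group is undocumented, and since the function's body continues past this hunk the contract is not obvious from the signature alone. I would add above the definition: `/* write one record per (name, gid) pair; when reqname is not NULL only names byte-for-byte equal to it are written, so a case-insensitive LDAP match cannot return a differently-cased group (closes #552433) */`. A mention that NULL means "write all names" (the bygid/all callers) completes the contract.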
@@ -165,7 +165,7 @@
log_log(LOG_WARNING,"group entry %s contains invalid group name: \"%s\"",
myldap_get_dn(entry),names[i]);
}
- else
+ else if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
{
for (j=0;j<numgids;j++)
{
@@ -227,7 +227,6 @@
const gid_t *reqgid,int wantmembers,
MYLDAP_SESSION *session)
{
- const char *tmparr[2];
const char **names,**gidvalues;
const char *passwd;
SET *members;
@@ -236,21 +235,12 @@
char *tmp;
int rc;
/* get group name (cn) */
- if (reqname!=NULL)
+ names=myldap_get_values(entry,attmap_group_cn);
+ if ((names==NULL)||(names[0]==NULL))
{
- names=tmparr;
- names[0]=reqname;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_group_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"group entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_group_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"group entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_group_cn);
+ return 0;
}
/* get the group id(s) */
if (reqgid!=NULL)
@@ -289,7 +279,7 @@
members=NULL;
/* write entries (split to a separate function so we can ensure the call
to free() below in case a write fails) */
- rc=do_write_group(fp,entry,names,gids,numgids,passwd,members);
+ rc=do_write_group(fp,entry,names,gids,numgids,passwd,members,reqname);
/* free and return */
if (members!=NULL)
set_free(members);
diff -Nru nss-ldapd-0.6.7.1/nslcd/netgroup.c nss-ldapd-0.6.7.2/nslcd/netgroup.c
--- nss-ldapd-0.6.7.1/nslcd/netgroup.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/netgroup.c 2009-11-05 21:34:55.000000000 +0100
@@ -198,12 +198,19 @@
if (write_netgroup_triple(fp,triple)) \
return -1;
-static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry, const char *reqname)
{
int32_t tmpint32;
int i;
+ const char **names;
const char **triples;
const char **members;
+ /* get the netgroup name */
+ names=myldap_get_values(entry,attmap_netgroup_cn);
+ for (i=0;(names[i]!=NULL)&&(strcmp(reqname,names[i])!=0);i++)
+ /* nothing here */ ;
+ if (names[i]==NULL)
+ return 0; /* the name was not found */
/* get the netgroup triples and member */
triples=myldap_get_values(entry,attmap_netgroup_nisNetgroupTriple);
members=myldap_get_values(entry,attmap_netgroup_memberNisNetgroup);
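Review bot: `names[i]` is dereferenced right after `names=myldap_get_values(entry,attmap_netgroup_cn)` with no NULL check, while every other file in this patch guards `(names==NULL)||(names[0]==NULL)`; an entry matched by the filter but without a readable cn (or a failed myldap_get_values, if it can fail) would crash nslcd, i.e. a denial of service of the name service. Add the same guard before the loop: `if ((names==NULL)||(names[0]==NULL)) { log_log(LOG_WARNING,"netgroup entry %s does not contain %s value",myldap_get_dn(entry),attmap_netgroup_cn); return 0; }`. Unlike its siblings, write_netgroup also assumes reqname is non-NULL (strcmp on NULL is undefined); only the byname handler calls it today, so either a `/* reqname must not be NULL */` comment or a `(reqname==NULL)||` short-circuit should make that explicit. The rest of write_netgroup is outside the hunk.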
@@ -236,5 +243,5 @@
log_log(LOG_DEBUG,"nslcd_netgroup_byname(%s)",name);,
NSLCD_ACTION_NETGROUP_BYNAME,
mkfilter_netgroup_byname(name,filter,sizeof(filter)),
- write_netgroup(fp,entry)
+ write_netgroup(fp,entry,name)
)
diff -Nru nss-ldapd-0.6.7.1/nslcd/passwd.c nss-ldapd-0.6.7.2/nslcd/passwd.c
--- nss-ldapd-0.6.7.1/nslcd/passwd.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/passwd.c 2009-11-05 21:34:55.000000000 +0100
@@ -275,7 +275,6 @@
const uid_t *requid)
{
int32_t tmpint32;
- const char *tmparr[2];
const char **tmpvalues;
char *tmp;
const char **usernames;
@@ -288,21 +287,12 @@
const char *shell;
int i,j;
/* get the usernames for this entry */
- if (requser!=NULL)
+ usernames=myldap_get_values(entry,attmap_passwd_uid);
+ if ((usernames==NULL)||(usernames[0]==NULL))
{
- usernames=tmparr;
- usernames[0]=requser;
- usernames[1]=NULL;
- }
- else
- {
- usernames=myldap_get_values(entry,attmap_passwd_uid);
- if ((usernames==NULL)||(usernames[0]==NULL))
- {
- log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_passwd_uid);
- return 0;
- }
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_passwd_uid);
+ return 0;
}
/* get the password for this entry */
if (myldap_has_objectclass(entry,"shadowAccount"))
@@ -416,27 +406,28 @@
}
/* write the entries */
for (i=0;usernames[i]!=NULL;i++)
- {
- if (!isvalidname(usernames[i]))
- {
- log_log(LOG_WARNING,"passwd entry %s contains invalid user name: \"%s\"",
- myldap_get_dn(entry),usernames[i]);
- }
- else
+ if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
{
- for (j=0;j<numuids;j++)
+ if (!isvalidname(usernames[i]))
{
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_TYPE(fp,uids[j],uid_t);
- WRITE_TYPE(fp,gid,gid_t);
- WRITE_STRING(fp,gecos);
- WRITE_STRING(fp,homedir);
- WRITE_STRING(fp,shell);
+ log_log(LOG_WARNING,"passwd entry %s contains invalid user name: \"%s\"",
+ myldap_get_dn(entry),usernames[i]);
+ }
+ else
+ {
+ for (j=0;j<numuids;j++)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_TYPE(fp,uids[j],uid_t);
+ WRITE_TYPE(fp,gid,gid_t);
+ WRITE_STRING(fp,gecos);
+ WRITE_STRING(fp,homedir);
+ WRITE_STRING(fp,shell);
+ }
}
}
- }
return 0;
}
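Review bot: The outer `for` lost its braces, so its body is now a lone `if` wrapping a two-branch block, a three-deep nest that reads worse than the original; restoring `for (...) {` ... `}` costs two lines and makes the scope unambiguous. The filter runs before isvalidname(), so malformed usernames in an entry are only logged when they match the request, whereas do_write_group in group.c validates first and filters second; either order is defensible, but the two maps should agree. A comment on the strcmp line, e.g. `/* exact match only: LDAP matched case-insensitively, NSS must not */`, would record why this differs from the strcasecmp() in alias.c and ether.c.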
diff -Nru nss-ldapd-0.6.7.1/nslcd/protocol.c nss-ldapd-0.6.7.2/nslcd/protocol.c
--- nss-ldapd-0.6.7.1/nslcd/protocol.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/protocol.c 2009-11-05 21:34:55.000000000 +0100
@@ -98,7 +98,7 @@
protocol_attrs[2]=NULL;
}
-static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char *name;
@@ -106,6 +106,7 @@
const char **protos;
char *tmp;
int proto;
+ int i;
/* get the most canonical name */
name=myldap_get_rdn_value(entry,attmap_protocol_cn);
/* get the other names for the protocol */
@@ -119,6 +120,14 @@
/* if the protocol name is not yet found, get the first entry */
if (name==NULL)
name=aliases[0];
+ /* check case of returned protocol entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
/* get the protocol number */
protos=myldap_get_values(entry,attmap_protocol_ipProtocolNumber);
if ((protos==NULL)||(protos[0]==NULL))
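Review bot: The comment `/* check case of returned protocol entry */` understates what the block does: it rejects the entry unless reqname is byte-for-byte equal to the canonical name or one of its aliases, so I would write `/* LDAP matched case-insensitively; only accept the entry if reqname exactly equals the canonical name or an alias */`. The same nine lines are repeated verbatim in rpc.c and service.c, so a small shared helper would keep the three copies in step when one is fixed. `strcmp(reqname,name)` relies on name being non-NULL, i.e. on an `aliases[0]!=NULL` guard that I presume sits in the lines between this hunk and the previous one but cannot see.
```c
/* return non-zero if reqname is NULL or exactly equals name or one of aliases */
static int name_matches(const char *reqname,const char *name,const char **aliases)
{
  int i;
  if ((reqname==NULL)||(strcmp(reqname,name)==0))
    return 1;
  for (i=0;aliases[i]!=NULL;i++)
    if (strcmp(reqname,aliases[i])==0)
      return 1;
  return 0;
}
/* … unchanged: canonical name and alias lookup … */
if (!name_matches(reqname,name,aliases))
  return 0; /* neither the name nor any of the aliases matched */
```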
@@ -155,7 +164,7 @@
log_log(LOG_DEBUG,"nslcd_protocol_byname(%s)",name);,
NSLCD_ACTION_PROTOCOL_BYNAME,
mkfilter_protocol_byname(name,filter,sizeof(filter)),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,name)
)
NSLCD_HANDLE(
@@ -166,7 +175,7 @@
log_log(LOG_DEBUG,"nslcd_protocol_bynumber(%d)",protocol);,
NSLCD_ACTION_PROTOCOL_BYNUMBER,
mkfilter_protocol_bynumber(protocol,filter,sizeof(filter)),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,NULL)
)
NSLCD_HANDLE(
@@ -176,5 +185,5 @@
log_log(LOG_DEBUG,"nslcd_protocol_all()");,
NSLCD_ACTION_PROTOCOL_ALL,
(filter=protocol_filter,0),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,NULL)
)
diff -Nru nss-ldapd-0.6.7.1/nslcd/rpc.c nss-ldapd-0.6.7.2/nslcd/rpc.c
--- nss-ldapd-0.6.7.1/nslcd/rpc.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/rpc.c 2009-11-05 21:34:55.000000000 +0100
@@ -99,7 +99,7 @@
}
/* write a single rpc entry to the stream */
-static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char *name;
@@ -107,6 +107,7 @@
const char **numbers;
char *tmp;
int number;
+ int i;
/* get the most canonical name */
name=myldap_get_rdn_value(entry,attmap_rpc_cn);
/* get the other names for the rpc entries */
@@ -120,6 +121,14 @@
/* if the rpc name is not yet found, get the first entry */
if (name==NULL)
name=aliases[0];
+ /* check case of returned rpc entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
/* get the rpc number */
numbers=myldap_get_values(entry,attmap_rpc_oncRpcNumber);
if ((numbers==NULL)||(numbers[0]==NULL))
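Review bot: The search loop with an empty body (`for (...) /* nothing here */ ;`) hides the exit condition in the loop header and is easy to misread as a missing statement; a loop with an explicit `break` on match, or a helper shared with the identical blocks in protocol.c and service.c, would be clearer. The behaviour itself looks right: the entry is written only when reqname equals the canonical name or an alias exactly, which is what closes the case-mismatch. The comment `/* check case of returned rpc entry */` should say that this is an exact-match filter compensating for the case-insensitive LDAP search, e.g. `/* LDAP matched case-insensitively; require an exact match on the name or an alias */`.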
@@ -156,7 +165,7 @@
log_log(LOG_DEBUG,"nslcd_rpc_byname(%s)",name);,
NSLCD_ACTION_RPC_BYNAME,
mkfilter_rpc_byname(name,filter,sizeof(filter)),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,name)
)
NSLCD_HANDLE(
@@ -167,7 +176,7 @@
log_log(LOG_DEBUG,"nslcd_rpc_bynumber(%d)",number);,
NSLCD_ACTION_RPC_BYNUMBER,
mkfilter_rpc_bynumber(number,filter,sizeof(filter)),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,NULL)
)
NSLCD_HANDLE(
@@ -177,5 +186,5 @@
log_log(LOG_DEBUG,"nslcd_rpc_all()");,
NSLCD_ACTION_RPC_ALL,
(filter=rpc_filter,0),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,NULL)
)
diff -Nru nss-ldapd-0.6.7.1/nslcd/service.c nss-ldapd-0.6.7.2/nslcd/service.c
--- nss-ldapd-0.6.7.1/nslcd/service.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/service.c 2009-11-05 21:34:55.000000000 +0100
@@ -125,14 +125,14 @@
service_attrs[3]=NULL;
}
-static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqprotocol)
+static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,
+ const char *reqname,const char *reqprotocol)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char *name;
const char **aliases;
const char **ports;
const char **protocols;
- const char *tmparr[2];
char *tmp;
int port;
int i;
@@ -149,6 +149,14 @@
/* if the service name is not yet found, get the first entry */
if (name==NULL)
name=aliases[0];
+ /* check case of returned servies entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
/* get the service number */
ports=myldap_get_values(entry,attmap_service_ipServicePort);
if ((ports==NULL)||(ports[0]==NULL))
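Review bot: The comment on the first added line has a typo (`servies`) and, like its protocol.c/rpc.c twins, only vaguely describes the block; `/* LDAP matched case-insensitively: reject the entry unless reqname exactly equals the canonical name or an alias */` says what the code does. When the match is through an alias it is still the canonical `name`, not reqname, that gets written further down, which is the usual getservbyname() contract but deserves a sentence in the comment so nobody "fixes" it. The rest of write_service continues past this hunk.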
@@ -170,31 +178,23 @@
return 0;
}
/* get protocols */
- if ((reqprotocol!=NULL)&&(*reqprotocol!='\0'))
- {
- protocols=tmparr;
- protocols[0]=reqprotocol;
- protocols[1]=NULL;
- }
- else
+ protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
+ if ((protocols==NULL)||(protocols[0]==NULL))
{
- protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
- if ((protocols==NULL)||(protocols[0]==NULL))
- {
- log_log(LOG_WARNING,"service entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_service_ipServiceProtocol);
- return 0;
- }
+ log_log(LOG_WARNING,"service entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_service_ipServiceProtocol);
+ return 0;
}
/* write the entries */
for (i=0;protocols[i]!=NULL;i++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,name);
- WRITE_STRINGLIST_EXCEPT(fp,aliases,name);
- WRITE_INT32(fp,port);
- WRITE_STRING(fp,protocols[i]);
- }
+ if ((reqprotocol==NULL)||(*reqprotocol=='\0')||(strcmp(reqprotocol,protocols[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,name);
+ WRITE_STRINGLIST_EXCEPT(fp,aliases,name);
+ WRITE_INT32(fp,port);
+ WRITE_STRING(fp,protocols[i]);
+ }
return 0;
}
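Review bot: The empty-string case in `(reqprotocol==NULL)||(*reqprotocol=='\0')||...` encodes a wildcard (any protocol) that was previously implicit in the removed tmparr branch and is not explained; add `/* NULL or "" reqprotocol means any protocol, i.e. getservbyname(name, NULL) */` — I infer the getservbyname mapping from the handler names, not from visible code. Protocols are compared with strcmp(), which agrees with the README's case-sensitive treatment of the services map. The three-way condition is long enough that bracing the `for` and putting it on its own line would help readability.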
@@ -208,7 +208,7 @@
log_log(LOG_DEBUG,"nslcd_service_byname(%s,%s)",name,protocol);,
NSLCD_ACTION_SERVICE_BYNAME,
mkfilter_service_byname(name,protocol,filter,sizeof(filter)),
- write_service(fp,entry,protocol)
+ write_service(fp,entry,name,protocol)
)
NSLCD_HANDLE(
@@ -221,7 +221,7 @@
log_log(LOG_DEBUG,"nslcd_service_bynumber(%d,%s)",number,protocol);,
NSLCD_ACTION_SERVICE_BYNUMBER,
mkfilter_service_bynumber(number,protocol,filter,sizeof(filter)),
- write_service(fp,entry,protocol)
+ write_service(fp,entry,NULL,protocol)
)
NSLCD_HANDLE(
@@ -231,5 +231,5 @@
log_log(LOG_DEBUG,"nslcd_service_all()");,
NSLCD_ACTION_SERVICE_ALL,
(filter=service_filter,0),
- write_service(fp,entry,NULL)
+ write_service(fp,entry,NULL,NULL)
)
diff -Nru nss-ldapd-0.6.7.1/nslcd/shadow.c nss-ldapd-0.6.7.2/nslcd/shadow.c
--- nss-ldapd-0.6.7.1/nslcd/shadow.c 2009-03-21 09:40:45.000000000 +0100
+++ nss-ldapd-0.6.7.2/nslcd/shadow.c 2009-11-05 21:34:55.000000000 +0100
@@ -190,7 +190,6 @@
static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
{
int32_t tmpint32;
- const char *tmparr[2];
const char **tmpvalues;
char *tmp;
const char **usernames;
@@ -204,21 +203,12 @@
unsigned long flag;
int i;
/* get username */
- if (requser!=NULL)
+ usernames=myldap_get_values(entry,attmap_shadow_uid);
+ if ((usernames==NULL)||(usernames[0]==NULL))
{
- usernames=tmparr;
- usernames[0]=requser;
- usernames[1]=NULL;
- }
- else
- {
- usernames=myldap_get_values(entry,attmap_shadow_uid);
- if ((usernames==NULL)||(usernames[0]==NULL))
- {
- log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_shadow_uid);
- return 0;
- }
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_shadow_uid);
+ return 0;
}
/* get password */
passwd=get_userpassword(entry,attmap_shadow_userPassword);
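Review bot: The warning text on the new lines still reads `"passwd entry %s does not contain %s value"` although this is write_shadow reading attmap_shadow_uid; it was carried over from passwd.c and will misdirect whoever reads the log. Change it to `"shadow entry %s does not contain %s value"`. The rest of write_shadow is outside this hunk.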
@@ -247,18 +237,19 @@
}
/* write the entries */
for (i=0;usernames[i]!=NULL;i++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_INT32(fp,lastchangedate);
- WRITE_INT32(fp,mindays);
- WRITE_INT32(fp,maxdays);
- WRITE_INT32(fp,warndays);
- WRITE_INT32(fp,inactdays);
- WRITE_INT32(fp,expiredate);
- WRITE_INT32(fp,flag);
- }
+ if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_INT32(fp,lastchangedate);
+ WRITE_INT32(fp,mindays);
+ WRITE_INT32(fp,maxdays);
+ WRITE_INT32(fp,warndays);
+ WRITE_INT32(fp,inactdays);
+ WRITE_INT32(fp,expiredate);
+ WRITE_INT32(fp,flag);
+ }
return 0;
}
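Review bot: The write loop emits usernames[i] straight from LDAP without the isvalidname() check that passwd.c applies to the same attribute before writing, so a shadow entry whose uid the passwd map would reject is still returned here; if isvalidname() is reachable from shadow.c, guarding with `if (!isvalidname(usernames[i])) { log_log(LOG_WARNING,...); continue; }` would make the two maps agree. The enumeration path already had this gap, but the change now routes the byname path through the same loop. As in passwd.c, bracing the outer `for` would make the nesting explicit.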
diff -Nru nss-ldapd-0.6.7.1/README nss-ldapd-0.6.7.2/README
--- nss-ldapd-0.6.7.1/README 2009-03-21 09:40:47.000000000 +0100
+++ nss-ldapd-0.6.7.2/README 2009-11-05 21:37:03.000000000 +0100
@@ -320,14 +320,25 @@
groups, as well as the memberOf attribute in posixAccount entries are
unsupported.
-MISC NOTES
-==========
+case sensitivity
+----------------
Most values in the NSS databases are considered case-sensitive (e.g. the user
-"Foo" is a different user from "foo"). Values in an LDAP database are however
-case-insensitive. This may cause problems in some corner cases, especially
-when nscd is used for caching. For example, when doing a lookup for the user
-"Foo" the user "foo" will be returned if it exists in the database.
+"Foo" is a different user from the user "foo"). Values in an LDAP database are
+however cosidered case-insensitive. nss-ldapd tries to solve this problem by
+adding an extra filtering layer and ensure that e.g. when looking for the user
+"foo" it will not return a user "Foo" that is found in LDAP.
+
+For the group, netgroup, passwd, protocols, rpc, services and shadow maps the
+matches will be checked case-sensitively and for aliases, ethers, hosts and
+networks matches will be case-insensitive (this seems to be what Glibc is
+doing currently with flat files). Only searching for groups by member the
+username matching is done case-insensitive. Note that in all cases the
+case-use in the LDAP directory is returned.
+
+Note however that having entries that only differ in case is a bad idea and
+will likely get you in trouble. One example of such a problem is that the DN
+uid=test,dc=example,dc=com is the same as uid=TEST,dc=example,dc=com.
REPORTING BUGS