RSS feed

Re: Problem with case filtering in nss-pam-ldapd

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Problem with case filtering in nss-pam-ldapd

Hi Arthur,

This was a problem for us as well, so I took your advice and created a patch 
against 0.8.6 implementing a new "ignorecase" config option that switches 
between doing strcmp and strcasecmp in group, netgroup, passwd, protocols, rpc, 
services and shadow maps. It seemed clearest to implement this as a macro, but 
maybe there's a better way. :-)

Have a look and let me know if you have questions, suggestions for 
changes/improvement, etc.

We also would like the ability for certain values (uid, gid and homeDirectory) 
to always be returned as lower-case. For example, we use sAMAccountName as uid, 
which in some cases is something like John_A_Smith. We then construct 
homeDirectory with "/remote/home/${sAMAccountName}", but the actual remote nfs 
directories are lower-case so things don't work quite right. I've hacked our 
current nslcd to lower-case any returns of the sAMAccountName attribute in 
myldap.c, which works, but isn't very elegant.

I'm thinking that this could be implemented as yet another config file option 
(a "set" like ignoreusers) to list which fields should be lower-cased. Actually 
implementing this, however, is probably non-trivial. If you have any 
suggestions to make this easier, let me know.

Thanks for all your work on this project!

-Matt Dailey

Attachment: ignorecase.diff.gz
Description: GNU Zip compressed data

On Feb 29, 2012, at 5:02 PM, Arthur de Jong wrote:

> On Tue, 2012-02-28 at 16:46 +0100, Klaus Steinberger wrote:
>> So what I like to have is to have this filtering configurable in nslcd.conf, 
>> so
>> we can switch it off. I think this should be easy to implement. What do you 
>> think?
> It shouldn't be too hard. The change that originally implemented the
> case-sensitive filtering should provide some pointers on what to modify:
> Note however that disabling this filter is a security risk as described
> here:
> I would welcome a patch that implements a configuration option for this
> though.
> Kind regards,
> -- 
> -- arthur - - --
> -- 
> To unsubscribe send an email to
> or see

To unsubscribe send an email to or see