Re: No output from getent netgroup


On Sat, 2022-08-20 at 17:11 +0200, Per Foreby wrote:
> If I use the same searchbase and filter with ldapsearch it looks
> fine:
[...]
> dn: cn=meitnerc,ou=Netgroup,dc=student,dc=lth,dc=se
> objectClass: top
> objectClass: nisNetgroup
> cn:: bWVpdG5lcmMgICAg
[...]
> Any clue to what the problem is? Could it have something to do with
> our openldap returning cn base64 encoded?

Yes. The cn attribute, as stored, actually has four trailing spaces
(returned value is "meitnerc    "). The results returned by the LDAP
server are more critically inspected by nslcd in general than other
implementations (and some LDAP search operations are also more
lenient).

The main reason for this extra check to see if returned entries match
the original request is to avoid some confusion in lookups. Since most
of the properties returned are used as some kind of security identifier
it is extra important to be extra careful here. In the traditional case
the netgroups "foo" and "foo " would be considered two different
netgroups (just like they would be considered different user or group
names).

Some more background can be found here:
https://arthurdejong.org/nss-pam-ldapd/news2009#20091122

It may be possible to disable some of the checks using the ignorecase
and validnames options but I don't think that disables the check to
consider two strings that differ in number of spaces to be equal. The
proper fix is to ensure the value as stored in LDAP does not have
trailing spaces.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
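Added example, not part of the thread above and not nss-pam-ldapd's own code: a small RFC 2849 LDIF reader that decodes the "::" base64 form ldapsearch used for the cn value, flags values whose only difference from the requested name is surrounding whitespace, and mirrors the exact-match comparison the reply describes (the page says nslcd checks that returned entries match the request; the function below is a stand-alone illustration of that rule, not nslcd's implementation). The sample LDIF text is constructed from the excerpt in the message; the function names and the ldif_needs_base64 helper (which applies the RFC 2849 safe-string rules, including the note that values ending in a space should be base64-encoded) are assumptions of this example.

```python
import base64

# Constructed sample, shaped like the ldapsearch excerpt in the thread.
# The cn value is the base64 string quoted there: it decodes to
# "meitnerc" followed by four spaces.
SAMPLE_LDIF = """\
dn: cn=meitnerc,ou=Netgroup,dc=student,dc=lth,dc=se
objectClass: top
objectClass: nisNetgroup
cn:: bWVpdG5lcmMgICAg
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles RFC 2849 line folding (continuation lines start with a space)
    and the ':: <base64>' value form; URL-valued ('<') attributes are not
    needed here and are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)

    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith("<"):
            continue                      # URL value, out of scope
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")      # FILL (any number of spaces) then the value
        entry.setdefault(name, []).append(value)
    return entry


def ldif_needs_base64(value):
    """RFC 2849 safe-string rules: why an LDIF writer emits '::' for a value.

    A value must be base64-encoded if it starts with a space, ':' or '<',
    contains NUL/LF/CR or non-ASCII, or (RFC 2849 note) ends with a space.
    """
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or c in "\0\n\r" for c in value)


def find_whitespace_padded_values(entry):
    """Return (attribute, value) pairs whose value has leading/trailing whitespace.

    Such values are the ones an exact-match lookup will never find under
    the name an administrator expects.
    """
    return [(attr, v) for attr, values in entry.items()
            for v in values if v != v.strip()]


def check_netgroup_entry(entry, requested_cn):
    """Exact-match check in the spirit of the reply above.

    "foo" and "foo " are different netgroup names, so only an identical cn
    counts. Values that would match after trimming are reported separately
    so the operator sees why the lookup came back empty.
    """
    values = entry.get("cn", [])
    return {
        "exact_match": requested_cn in values,
        "whitespace_only_mismatch": [v for v in values
                                     if v != requested_cn
                                     and v.strip() == requested_cn.strip()],
    }


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for attr, value in find_whitespace_padded_values(entry):
        print(f"{attr}: {value!r} (length {len(value)}) is padded with whitespace")
    print(check_netgroup_entry(entry, "meitnerc"))
```

Running the block against the constructed sample reports the cn value as 12 characters long with trailing padding and an exact-match verdict of False, which is the situation the reply describes: the directory stores "meitnerc    ", the client asks for "meitnerc", and a strict comparison correctly treats them as different names. The fix is the one the reply gives: remove the trailing spaces from the stored value.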