Support not setting a base in nslcd.conf #50
Comments
You might get away with searching on
Hello, Limiting to
... as opposed to:
Note how the base changes between
The empty base ("") is a perfectly valid base for LDAP, if nslcd does not support it, then that's a bug in nslcd.
@quanah thanks for the explanation. How is an empty base normally configured in ldap.conf? The manual page suggests to not use double quotes so this seems invalid:
this also seems weird (no idea if this is valid at all):
Is having an empty base a reasonable default value (nslcd now falls back to getting the naming context from the rootDSE)?
After adding olcDefaultSearchBase to the olcFrontendConfig object it worked!
It's not necessary to do the above if the server is configured to serve from the empty base (i.e., the database has suffix ""). That's an uncommon configuration. However, the empty base is always present, but provides minimal information, and you have to scope the search appropriately, i.e.: `ldapsearch ... -s base -b ""` when the suffix of the database is something other than "" (like dc=example,dc=com or whatever).
Pkgsrc changes:
* Fix column alignment to appease pkglint
* Fix phase for usergroup substitution (pkglint hint)
* Remove all symlinks installed in base system on NetBSD

Upstream changes:

2021-11-19 Arthur de Jong <arthur@arthurdejong.org>
* [6e7e878] man/nslcd.conf.5.xml, nslcd/cfg.c: Support DNSLDAPS in uri
  This supports both `uri DNSLDAPS` and `uri DNSLDAPS:some.domain` variants alongside the pre-existing `uri DNS` that was already supported generating ldaps URIs for all SRV records found.

2021-11-15 Arthur de Jong <arthur@arthurdejong.org>
* [70819ae] configure.ac, tests/common.h: Fix internal assertion function detection on Solaris

2021-11-15 Arthur de Jong <arthur@arthurdejong.org>
* [7b2a7fe] INSTALL, ar-lib, compile, depcomp, missing, py-compile, test-driver: Update files from latest automake

2021-11-14 Arthur de Jong <arthur@arthurdejong.org>
* [9edf95c] tests/test.ldif, tests/test_ldapcmds.sh, tests/test_nsscmds.sh: Do not use user arthur in tests
  This makes it more complicated to run the tests on an environment where a local user arthur exists.

2021-11-14 Arthur de Jong <arthur@arthurdejong.org>
* [2862447] pynslcd/mypidfile.py: Fix running pynslcd without uid option
  Fixes 65695aa

2021-06-04 Ryan Tandy <ryan@nardis.ca>
* [15f67be] tests/config.ldif, tests/setup_slapd.sh: Support running tests with OpenLDAP 2.5
  - Change database backend to LMDB
  - Load external ppolicy schema conditionally

2021-11-03 Arthur de Jong <arthur@arthurdejong.org>
* [4c46eef] .github/workflows/test.yml: Configure CodeQL code scanning

2021-11-01 Arthur de Jong <arthur@arthurdejong.org>
* [906035b] man/nslcd.conf.5.xml, nslcd/cfg.c, tests/test_cfg.c: Support an empty search base
  This allows putting `base ""` in nslcd.conf to specify an empty search base. Note that the LDAP server needs to support this. With slapd this requires setting up an olcDefaultSearchBase attribute in the olcFrontendConfig object under cn=config or have the database have an empty suffix.
  Closes arthurdejong/nss-pam-ldapd#50

2021-10-17 Arthur de Jong <arthur@arthurdejong.org>
* [7d81616] common/expr.c, tests/test_expr.c: Support minus character in attribute expressions
  This requires the attribute name is contained within a ${var-name} expression.

2021-05-25 Arthur de Jong <arthur@arthurdejong.org>
* [6d5a2eb] nslcd/myldap.c: Retry connecting to the first URI after idle_timelimit
  This ensures that a connection to the first URI listed in the config file will be re-established once the connection is closed cleanly after the idle time. This ensures that the listed URIs are handled more in a primary/fallback manner if an idle time is configured.
  Closes arthurdejong/nss-pam-ldapd#46

2021-05-26 Arthur de Jong <arthur@arthurdejong.org>
* [5226a6f] .github/workflows/test.yml, .travis.yml, tests/setup_slapd.sh, tests/test_nsscmds.sh: Replace Travis with GitHub actions
  This includes a few tweaks to the test scripts to make debugging easier and to avoid issues on Github action runners.

2021-01-23 Arthur de Jong <arthur@arthurdejong.org>
* [d9710a2] man/nslcd.conf.5.xml, nslcd/cfg.c: Add tls_reqsan to check certificate SAN
  This option is passed to the LDAP library if it is supported.

2021-01-23 Arthur de Jong <arthur@arthurdejong.org>
* [026f08c] man/nslcd.conf.5.xml, nslcd/cfg.c: Add tls_crlfile to check local CRL file
  This option is passed to the LDAP library if it is supported.

2021-01-18 sebastienblavier <72022031+sebastienblavier@users.noreply.github.com>
* [78c00f1] man/nslcd.conf.5.xml, nslcd.conf, nslcd/cfg.c: Add tls_crlcheck to check Certificate Revocation List
  This option is passed to the LDAP library if it is supported.
  Closes arthurdejong/nss-pam-ldapd#41

2021-01-17 Arthur de Jong <arthur@arthurdejong.org>
* [d55bdb2] Makefile.am: Use the provided Python for `make distcheck`
  This ensures that if a Python interpreter was previously supplied to configure it is also used for subsequent calls to run a distribution check.

2021-01-17 Arthur de Jong <arthur@arthurdejong.org>
* [b7b812f] ar-lib, compile, depcomp, install-sh, missing, mkinstalldirs, py-compile, test-driver: Update files from latest automake

2020-09-11 Arthur de Jong <arthur@arthurdejong.org>
* [37a00e9] nslcd/myldap.c: Fix handling of the pam_authc_ppolicy option
  Check the result of the BIND operation instead of that of the ldap_result() call when pam_authc_ppolicy is set to "no". This could have resulted in successful authentication if the BIND operation to the LDAP server timed out and pam_authc_ppolicy was set to "no" but should not result in successful authentication otherwise so it is unlikely that setting pam_authc_ppolicy to "no" ever worked as intended. The timeout also would have to occur on the BIND operation, not on setting up the connection.
  Fixes 31cd2cf

2020-04-19 Arthur de Jong <arthur@arthurdejong.org>
* [18740fb] README: Fix typo
  Thanks Filip Dvorak
  See https://bugzilla.redhat.com/show_bug.cgi?id=1825240

2020-02-10 Arthur de Jong <arthur@arthurdejong.org>
* [b335518] man/nslcd.conf.5.xml: Fix typo in manual page
  Thanks Benedict Reuschling for pointing this out.
  Closes arthurdejong/nss-pam-ldapd#39
  Fixes b93838d

2019-11-11 Arthur de Jong <arthur@arthurdejong.org>
* [548efe5] nslcd/myldap.c: Log the correct timeout value
  This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the bind_timelimit option instead of the timelimit option.

2019-10-13 Arthur de Jong <arthur@arthurdejong.org>
* [fea0f5e] pynslcd/cfg.py, pynslcd/pam.py: Add pam_authc_ppolicy support in pynslcd
  See https://bugs.debian.org/900253

2019-10-13 Arthur de Jong <arthur@arthurdejong.org>
* [1025d5d] utils/chsh.py, utils/shells.py: Fix Python 3 compatibility in chsh.ldap

2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [c4daf27] AUTHORS, ChangeLog, NEWS, configure.ac, man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml, man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml, nslcd/nslcd.c, utils/cmdline.py: Get files ready for 0.9.11 release

2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [69922e3] tests/test_doctest.sh: Fix Python interpreter detection in tests
  Fixes 644bc62

2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [62522b9] tests/test_nsscmds.sh: Portability improvements to test suite
  Some test systems have more local users and some systems prefer IPv4 addresses over IPv6 addresses.

2019-09-17 Arthur de Jong <arthur@arthurdejong.org>
* [a8f4ed8] NEWS, common/expr.c, common/nslcd-prot.c, common/nslcd-prot.h, common/tio.c, compat/attrs.h, compat/ether.c, compat/getopt_long.c, compat/getopt_long.h, compat/getpeercred.h, compat/nss_compat.h, configure.ac, man/nslcd.conf.5.xml, nslcd.h, nslcd/attmap.h, nslcd/common.h, nslcd/daemonize.h, nslcd/invalidator.c, nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c, nslcd/passwd.c, nss/common.h, nss/hosts.c, nss/prototypes.h, pam/common.h, tests/common.h, tests/test_pynslcd_cache.py, tests/test_tio.c, utils/getent.py: Various spelling fixes

2019-09-10 Arthur de Jong <arthur@arthurdejong.org>
* [644bc62] .travis.yml, tests/test_doctest.sh: Fix Python interpreter detection
  Apparently some environments provide certain Python executables which are not working Python interpreters.

2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [768c4be] .gitignore, Makefile.am: Remove confinc.out which is left behind by aclocal.m4

2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [0252b05] pynslcd/shadow.py: Correctly validate shadow requests and responses

2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [cd887ef] pynslcd/Makefile.am, utils/Makefile.am: Update Python interpreter in installed scripts
  Ensure that the Python interpreter that is passed to configure ends up in the shebang of the Python scripts. This allows one to pass PYTHON=python3 to configure to install the scripts using the Python 3 interpreter.

2019-09-07 Arthur de Jong <arthur@arthurdejong.org>
* [d717795] .gitignore, pynslcd/alias.py, pynslcd/attmap.py, pynslcd/cache.py, pynslcd/cfg.py, pynslcd/common.py, pynslcd/ether.py, pynslcd/expr.py, pynslcd/group.py, pynslcd/host.py, pynslcd/invalidator.py, pynslcd/mypidfile.py, pynslcd/netgroup.py, pynslcd/network.py, pynslcd/pam.py, pynslcd/passwd.py, pynslcd/protocol.py, pynslcd/pynslcd.py, pynslcd/rpc.py, pynslcd/search.py, pynslcd/service.py, pynslcd/shadow.py, pynslcd/tio.py, tests/Makefile.am, tests/flake8.ini, tests/test_flake8.sh, tests/test_pynslcd_cache.py, utils/chsh.py, utils/getent.py, utils/nslcd.py, utils/users.py: Improve Python code style
  This also adds a flake8 test that checks code style. Note that this test is not run by default because it requires network access to create the virtualenv with the test software.

2019-09-02 Arthur de Jong <arthur@arthurdejong.org>
* [221ce5a] configure.ac, pynslcd/Makefile.am, pynslcd/attmap.py, pynslcd/cache.py, pynslcd/cfg.py, pynslcd/common.py, pynslcd/expr.py, pynslcd/invalidator.py, pynslcd/mypidfile.py, pynslcd/pam.py, pynslcd/pynslcd.py, pynslcd/search.py, pynslcd/tio.py, pynslcd/usermod.py, tests/Makefile.am, tests/test_doctest.sh, tests/test_ldapcmds.sh, tests/test_pycompile.sh, tests/test_pylint.sh, tests/test_pynslcd_cache.py, utils/Makefile.am, utils/getent.py, utils/nslcd.py: Add Python 3 support
  This ensures that both pynslcd and the command-line utilities work with Python3 as interpreter and runs some tests with all installed Python interpreters. This drops support for Python 2.6 and extends 5a84be2 to perform more testing with Python 3.

2018-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [06ee886] nslcd/nslcd.c: Avoid logging unknown socket peer information
  This avoids logging the client PID when the underlying socket layer cannot provide the relevant information.

2018-09-05 Mizunashi Mana <mizunashi-mana@noreply.git>
* [bfcf002] utils/shells.py: Fix crash in chsh.ldap
  Specify result type of getusershell.
  Closes arthurdejong/nss-pam-ldapd#31
This allows putting `base ""` in nslcd.conf to specify an empty search base. Note that the LDAP server needs to support this. With slapd this requires setting up an olcDefaultSearchBase attribute in the olcFrontendConfig object under cn=config or have the database have an empty suffix. Closes arthurdejong/nss-pam-ldapd#50
Hello,
In the LDAP directory I am using there are accounts (passwd entries) spread over multiple top-level bases in the tree. This makes it tricky to define a base. Currently we are just configuring multiple bases, one for each top-level directory, which of course leads to doing multiple lookups for each thing being looked up which is mostly just adding extra queries for no real gain.
I have not been able to figure out a way to define an "empty" base. Leaving it out is not possible, and setting it to `""` or `''` does not work either. Is there a way? Should there be a way?
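The distinction this issue turns on, a `base` line whose value is the empty string versus a `base` keyword with no value at all, shown as an added sketch that is not code from nss-pam-ldapd or from anyone in this thread. `parse_base`, `base_kind` and the sample lines are hypothetical, and the optional map name that nslcd.conf accepts before the DN is not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch; these are not nslcd's names. */
enum base_kind { NOT_BASE_LINE, BASE_EMPTY, BASE_DN, BASE_INVALID };

static const char *skip_ws(const char *p)
{
  while (isspace((unsigned char)*p)) p++;
  return p;
}

/* Parse `base DN` or `base "DN"` from one config line into dn[]. The optional
   map name that nslcd.conf allows before the DN is left out of this sketch. */
enum base_kind parse_base(const char *line, char *dn, size_t dnlen)
{
  const char *p = skip_ws(line);
  size_t n = 0;
  int quoted;
  if (dnlen == 0) return BASE_INVALID;
  if (strncmp(p, "base", 4) != 0 || (p[4] != '\0' && !isspace((unsigned char)p[4])))
    return NOT_BASE_LINE;
  p = skip_ws(p + 4);
  if (*p == '\0') return BASE_INVALID;        /* keyword with no argument */
  quoted = (*p == '"');
  if (quoted) p++;
  while (*p != '\0' && (quoted ? *p != '"' : !isspace((unsigned char)*p))) {
    if (n + 1 >= dnlen) return BASE_INVALID;  /* DN does not fit in dn[] */
    dn[n++] = *p++;
  }
  if (quoted && *p++ != '"') return BASE_INVALID;  /* unterminated quote */
  dn[n] = '\0';
  if (*skip_ws(p) != '\0') return BASE_INVALID;    /* trailing text */
  return n == 0 ? BASE_EMPTY : BASE_DN;  /* "" is a value, not a missing one */
}

int main(void)
{
  /* Constructed sample lines, not taken from a real configuration. */
  const char *lines[] = { "uri ldap://ldap.example.com/", "base \"\"",
                          "base dc=example,dc=com", "base" };
  const char *names[] = { "not a base line", "empty base", "DN", "invalid" };
  char dn[256];
  for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
    printf("%-30s -> %s\n", lines[i], names[parse_base(lines[i], dn, sizeof(dn))]);
  return 0;
}
```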