Support not setting a base in nslcd.conf #50
Comments
|
You might get away with searching on |
|
Hello, Limiting to
... as opposed to: Note how the base changes between |
|
The empty base ("") is a perfectly valid base for LDAP, if nslcd does not support it, then that's a bug in nslcd. |
|
@quanah thanks for the explanation. How is an empty base normally configured in ldap.conf? The manual page suggests to not use double quotes so this seems invalid: this also seems weird (no idea if this is valid at all): Is having an empty base a reasonable default value (nslcd now falls back to getting the naming context form the rootDSE)? |
|
After adding olcDefaultSearchBase to the olcFrontendConfig object it worked! |
|
It's not necessary to do the above if the server is configured to serve from the empty base (i.e., the database has suffix ""). That's an uncommon configuration. However, the empty base is always present, but provides minimal information, and you have to scope the search appropriately, i.e.: ldapsearch ... -s base -b "" when the suffix of the database is something other than "" (like dc=example,dc=com or whatever). |
wip-sync
pushed a commit
to NetBSD/pkgsrc-wip
that referenced
this issue
Nov 28, 2021
Pkgsrc changes:
* Fix coloumn alignment to appease pkglint
* Fix phase for usergroup substitution (pkglint hint)
* Remove all symlinks installed in base system on NetBSD
Upstream changes:
2021-11-19 Arthur de Jong <arthur@arthurdejong.org>
* [6e7e878] man/nslcd.conf.5.xml, nslcd/cfg.c: Support DNSLDAPS
in uri
This supports both `uri DNSLDAPS` and `uri DNSLDAPS:some.domain`
variants alongside the pre-existing `uri DNS` that was already
supported generating ldaps URIs for all SRV records found.
2021-11-15 Arthur de Jong <arthur@arthurdejong.org>
* [70819ae] configure.ac, tests/common.h: Fix internal assertion
function detection on Solaris
2021-11-15 Arthur de Jong <arthur@arthurdejong.org>
* [7b2a7fe] INSTALL, ar-lib, compile, depcomp, missing, py-compile,
test-driver: Update files from latest automake
2021-11-14 Arthur de Jong <arthur@arthurdejong.org>
* [9edf95c] tests/test.ldif, tests/test_ldapcmds.sh,
tests/test_nsscmds.sh: Do not use user arthur in tests
This makes it more complicated to run the tests on an environment
where a local user arthur exists.
2021-11-14 Arthur de Jong <arthur@arthurdejong.org>
* [2862447] pynslcd/mypidfile.py: Fix running pynslcd without
uid option
Fixes 65695aa
2021-06-04 Ryan Tandy <ryan@nardis.ca>
* [15f67be] tests/config.ldif, tests/setup_slapd.sh: Support
running tests with OpenLDAP 2.5
- Change database backend to LMDB - Load external ppolicy schema
conditionally
2021-11-03 Arthur de Jong <arthur@arthurdejong.org>
* [4c46eef] .github/workflows/test.yml: Configure CodeQL code
scanning
2021-11-01 Arthur de Jong <arthur@arthurdejong.org>
* [906035b] man/nslcd.conf.5.xml, nslcd/cfg.c, tests/test_cfg.c:
Support an empty search base
This allows putting `base ""` in nslcd.conf to specify an empty
search base.
Note that the LDAP server needs to support this. With slapd this
requires setting up an olcDefaultSearchBase attribute in the
olcFrontendConfig object under cn=config or have the database
have an empty suffix.
Closes arthurdejong/nss-pam-ldapd#50
2021-10-17 Arthur de Jong <arthur@arthurdejong.org>
* [7d81616] common/expr.c, tests/test_expr.c: Support minus
character in attribute expressions
This requires the attribute name is contained within a ${var-name}
expression.
2021-05-25 Arthur de Jong <arthur@arthurdejong.org>
* [6d5a2eb] nslcd/myldap.c: Retry connecting to the first URI
after idle_timelimit
This ensures that a connection to the first URI listed in the
config file will be re-established once the connection is closed
cleanly after the idle time.
This ensures that the listed URIs are handled more in a
primary/fallback manner if an idle time is configured.
Closes arthurdejong/nss-pam-ldapd#46
2021-05-26 Arthur de Jong <arthur@arthurdejong.org>
* [5226a6f] .github/workflows/test.yml, .travis.yml,
tests/setup_slapd.sh, tests/test_nsscmds.sh: Replace Travis with
GitHub actions
This includes a few tweaks to the test scripts to make debugging
easier and to avoid issues on Github action runners.
2021-01-23 Arthur de Jong <arthur@arthurdejong.org>
* [d9710a2] man/nslcd.conf.5.xml, nslcd/cfg.c: Add tls_reqsan to
check certificate SAN
This option is passed to the LDAP library if it is supported.
2021-01-23 Arthur de Jong <arthur@arthurdejong.org>
* [026f08c] man/nslcd.conf.5.xml, nslcd/cfg.c: Add tls_crlfile to
check local CRL file
This option is passed to the LDAP library if it is supported.
2021-01-18 sebastienblavier
<72022031+sebastienblavier@users.noreply.github.com>
* [78c00f1] man/nslcd.conf.5.xml, nslcd.conf, nslcd/cfg.c: Add
tls_crlcheck to check Certificate Revocation List
This option is passed to the LDAP library if it is supported.
Closes arthurdejong/nss-pam-ldapd#41
2021-01-17 Arthur de Jong <arthur@arthurdejong.org>
* [d55bdb2] Makefile.am: Use the provided Python for `make distcheck`
This ensures that if a Python interpreter was previously
supplied to configure it is also used for subsequent calls to
run a distribution check.
2021-01-17 Arthur de Jong <arthur@arthurdejong.org>
* [b7b812f] ar-lib, compile, depcomp, install-sh, missing,
mkinstalldirs, py-compile, test-driver: Update files from
latest automake
2020-09-11 Arthur de Jong <arthur@arthurdejong.org>
* [37a00e9] nslcd/myldap.c: Fix handling of the pam_authc_ppolicy
option
Check the result of the BIND operation instead of that of the
ldap_result() call when pam_authc_ppolicy is set to "no".
This could have resulted in successful authentication if the BIND
operation to the LDAP server timed out and pam_authc_ppolicy was
set to "no" but should not result in successful authentication
otherwise so it is unlikely that setting pam_authc_ppolicy to
"no" ever worked as intended. The timeout also would have to
occur on the BIND operation, not on setting up the connection.
Fixes 31cd2cf
2020-04-19 Arthur de Jong <arthur@arthurdejong.org>
* [18740fb] README: Fix typo
Thanks Filip Dvorak
See https://bugzilla.redhat.com/show_bug.cgi?id=1825240
2020-02-10 Arthur de Jong <arthur@arthurdejong.org>
* [b335518] man/nslcd.conf.5.xml: Fix typo in manual page
Thanks Benedict Reuschling for pointing this out.
Closes arthurdejong/nss-pam-ldapd#39
Fixes b93838d
2019-11-11 Arthur de Jong <arthur@arthurdejong.org>
* [548efe5] nslcd/myldap.c: Log the correct timeout value
This fixes logging of the LDAP_OPT_TIMEOUT,
LDAP_OPT_NETWORK_TIMEOUT and LDAP_X_OPT_CONNECT_TIMEOUT options
to actually log the value of the bind_timelimit option instead
of the timelimit option.
2019-10-13 Arthur de Jong <arthur@arthurdejong.org>
* [fea0f5e] pynslcd/cfg.py, pynslcd/pam.py: Add pam_authc_ppolicy
support in pynslcd
See https://bugs.debian.org/900253
2019-10-13 Arthur de Jong <arthur@arthurdejong.org>
* [1025d5d] utils/chsh.py, utils/shells.py: Fix Python 3
compatibility in chsh.ldap
2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [c4daf27] AUTHORS, ChangeLog, NEWS, configure.ac,
man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml,
nslcd/nslcd.c, utils/cmdline.py: Get files ready for 0.9.11 release
2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [69922e3] tests/test_doctest.sh: Fix Python interpreter detection
in tests
Fixes 644bc62
2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [62522b9] tests/test_nsscmds.sh: Portability improvements to
test suite
Some test systems have more local users and some systems prefer
IPv4 addresses over IPv6 addresses.
2019-09-17 Arthur de Jong <arthur@arthurdejong.org>
* [a8f4ed8] NEWS, common/expr.c, common/nslcd-prot.c,
common/nslcd-prot.h, common/tio.c, compat/attrs.h, compat/ether.c,
compat/getopt_long.c, compat/getopt_long.h, compat/getpeercred.h,
compat/nss_compat.h, configure.ac, man/nslcd.conf.5.xml,
nslcd.h, nslcd/attmap.h, nslcd/common.h, nslcd/daemonize.h,
nslcd/invalidator.c, nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c,
nslcd/passwd.c, nss/common.h, nss/hosts.c, nss/prototypes.h,
pam/common.h, tests/common.h, tests/test_pynslcd_cache.py,
tests/test_tio.c, utils/getent.py: Various spelling fixes
2019-09-10 Arthur de Jong <arthur@arthurdejong.org>
* [644bc62] .travis.yml, tests/test_doctest.sh: Fix Python
interpreter detection
Apparently some environments provide certain Python executables
which are not working Python interpreters.
2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [768c4be] .gitignore, Makefile.am: Remove confinc.out which is
left behind by aclocal.m4
2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [0252b05] pynslcd/shadow.py: Correctly validate shadow requests
and responses
2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [cd887ef] pynslcd/Makefile.am, utils/Makefile.am: Update Python
interpreter in installed scripts
Ensure that the Python interpreter that is passed to configure
ends up in the shebang of the Python scripts.
This allows one to pass PYTHON=python3 to configure to install
the scripts using the Python 3 interpreter.
2019-09-07 Arthur de Jong <arthur@arthurdejong.org>
* [d717795] .gitignore, pynslcd/alias.py,
pynslcd/attmap.py, pynslcd/cache.py, pynslcd/cfg.py,
pynslcd/common.py, pynslcd/ether.py, pynslcd/expr.py,
pynslcd/group.py, pynslcd/host.py, pynslcd/invalidator.py,
pynslcd/mypidfile.py, pynslcd/netgroup.py, pynslcd/network.py,
pynslcd/pam.py, pynslcd/passwd.py, pynslcd/protocol.py,
pynslcd/pynslcd.py, pynslcd/rpc.py, pynslcd/search.py,
pynslcd/service.py, pynslcd/shadow.py, pynslcd/tio.py,
tests/Makefile.am, tests/flake8.ini, tests/test_flake8.sh,
tests/test_pynslcd_cache.py, utils/chsh.py, utils/getent.py,
utils/nslcd.py, utils/users.py: Improve Python code style
This also adds a flake8 test that checks code style. Note that
this test is not run by default because it requires network
access to create the virtualenv with the test software.
2019-09-02 Arthur de Jong <arthur@arthurdejong.org>
* [221ce5a] configure.ac, pynslcd/Makefile.am, pynslcd/attmap.py,
pynslcd/cache.py, pynslcd/cfg.py, pynslcd/common.py,
pynslcd/expr.py, pynslcd/invalidator.py, pynslcd/mypidfile.py,
pynslcd/pam.py, pynslcd/pynslcd.py, pynslcd/search.py,
pynslcd/tio.py, pynslcd/usermod.py, tests/Makefile.am,
tests/test_doctest.sh, tests/test_ldapcmds.sh,
tests/test_pycompile.sh, tests/test_pylint.sh,
tests/test_pynslcd_cache.py, utils/Makefile.am, utils/getent.py,
utils/nslcd.py: Add Python 3 support
This ensures that both pynslcd and the command-line utilities
work with Python3 as interpreter and runs some tests with all
installed Python interpreters.
This drops support for Python 2.6 and extends 5a84be2 to perform
more testing with Python 3.
2018-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [06ee886] nslcd/nslcd.c: Avoid logging unknown socket peer
information
This avoids logging the client PID when the underlying socker
layer cannot provide the relevant information.
2018-09-05 Mizunashi Mana <mizunashi-mana@noreply.git>
* [bfcf002] utils/shells.py: Fix crash in chsh.ldap
Specify result type of getusershell.
Closes arthurdejong/nss-pam-ldapd#31
anodos325
pushed a commit
to truenas/nss-pam-ldapd
that referenced
this issue
Jun 2, 2022
This allows putting `base ""` in nslcd.conf to specify an empty search base. Note that the LDAP server needs to support this. With slapd this requires setting up an olcDefaultSearchBase attribute in the olcFrontendConfig object under cn=config or have the database have an empty suffix. Closes arthurdejong/nss-pam-ldapd#50
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
In the LDAP directory I am using there are accounts (passwd entries) spread over multiple top-level bases in the tree. This makes it tricky to define a base. Currently we are just configuring multiple bases, one for each top-level directory, which of course leads to doing multiple lookups for each thing being looked up which is mostly just adding extra queries for no real gain.
I have not been able to figure out a way to define an "empty" base. Leaving it out is not possible, and setting it to
""or''does not work either. Is there a way? Should there be a way?The text was updated successfully, but these errors were encountered: