[Samba] Re: getpwnam() fails! (with working nss_ldap setup)

Andrew Bartlett abartlet at samba.org
Sat Mar 6 00:14:48 GMT 2004

On Sat, 2004-03-06 at 06:07, M. Vancl wrote:
> I have the same experience.
> IMHO problem is in access rights to password attributes on ldap (slapd).

I doubt that.  

> Recomended access to userPassword for anonymous is only auth (it's right
> policy). Recommended configuration of  nss_ldap is to use anonymous bind for
> non-root processes (and it is also right policy). Then when getpwnam() is
> called by unprivileged process and nss_ldap try to read attribute
> userPassword among others from posixAccount, this must be unsuccessfull
> attempt (and it is right but wrong to me).
> What to do ? I think, it is mistake in nss_ldap behaviour. It must omit
> userPassword attribute from readed attributes when called by nonprivileged
> process.
> My solution is simple, but wrong - weaken of access restrictions to password
> attribute or bind to ldap as "manager" for all users.

This is indeed the wrong solution, and unless your nss_ldap is much
buggier than the one used at every other site, I don't think this is the

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040306/be3553a0/attachment.bin

More information about the samba mailing list