Package: libnss-ldapd
Version: 0.6
Severity: important

When trying to use libnss-ldapd with an LDAP server with very many
groups that refuses to return a very large data set, the
setgrent()/getgrent()/endgrent() API does not work properly.  It fails to
return all groups.  I've seen two variations of this problem, one
where an OpenLDAP server refuses to return any data if the search
result set is too large, and one where an Active Directory LDAP server
only returns the first 1000 entries in the result set.  This leads to
commands like 'id username', 'groups username' and others failing to
report the correct group membership for a user.

Here is the example output from an OpenLDAP server:

  % ldapsearch -LLL -h ldap -b cn=system,dc=example,dc=org -x \
    "(objectClass=posixGroup)"
  Administrative limit exceeded (11)
  %

And here is an example from an AD LDAP server:

  % ldapsearch -LLL -h adserver -D "exampleuser" -w secret -b \
    cn=users,dc=example,dc=org -x "(objectClass=group)" cn
  [... 1000 group entries ...]
  Size limit exceeded (4)
  %

Both of these searches are equivalent to the search done by nss-ldapd
when the setgrent()/getgrent()/endgrent() API is used.

Is there some way to get nss-ldapd to extract the result set in lumps
(say 500 at a time or similar), to make sure it does not fail to
look up all groups because of such an LDAP server setting?  Without such
a setting, the getgrent() POSIX call cannot work properly with the LDAP
servers here at the University of Oslo.  The number of entries to
fetch in a row should be configurable, to match the limit of the LDAP
server used.

This problem does not affect the initgroups() call used when logging in,
so a user logging in will get all his groups defined at login time.

Happy hacking,
-- 
Petter Reinholdtsen
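The paged retrieval the report asks for, as an added example that is not part of the bug report or of nss-ldapd: the client follows an RFC 2696-style paged-results cookie and asks for at most `page_size` entries per round trip, so a server that caps a single result set at 1000 entries (the Active Directory case above) still yields every group. The `FakeLdapServer` is a constructed in-memory stand-in for the directory so the loop runs offline; a real client would drive the same loop with a paged-results control on its LDAP library, which is assumed rather than shown here.

```python
class SizeLimitExceeded(Exception):
    """Mirrors LDAP result code 4, "Size limit exceeded", from the report."""


class FakeLdapServer:
    """Constructed stand-in: n_groups posixGroup entries behind a sizelimit."""

    def __init__(self, n_groups, sizelimit=1000):
        self.entries = [
            f"cn=group{i},cn=system,dc=example,dc=org" for i in range(n_groups)
        ]
        self.sizelimit = sizelimit

    def search(self, page_size=None, cookie=""):
        """Return (entries, next_cookie).

        Unpaged (page_size is None): the server refuses any result set
        larger than its limit, as the ldapsearch output in the report shows.
        Paged: hand back one page (clamped to the limit, an assumed
        AD-like behaviour) plus an opaque cookie for the next page.
        """
        if page_size is None:
            if len(self.entries) > self.sizelimit:
                raise SizeLimitExceeded("Size limit exceeded (4)")
            return list(self.entries), ""
        start = int(cookie) if cookie else 0
        end = start + min(page_size, self.sizelimit)
        page = self.entries[start:end]
        next_cookie = str(start + len(page)) if start + len(page) < len(self.entries) else ""
        return page, next_cookie


def fetch_unpaged(server):
    """The single large search nss-ldapd 0.6 does; fails on a capped server."""
    entries, _ = server.search()
    return entries


def fetch_all_groups(server, page_size):
    """Collect every group, page_size at a time, until the cookie is empty."""
    groups, cookie = [], ""
    while True:
        page, cookie = server.search(page_size=page_size, cookie=cookie)
        groups.extend(page)
        if not cookie:  # an empty cookie means the server has no more pages
            return groups
```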
