On Tue, 2011-01-18 at 19:36 +1100, Trent W. Buck wrote:
> RFC2307 (nis.schema) doesn't require a passwordAccount object to set
> any loginShell. For such an account, PADL falls back to /bin/sh, but
> this implementation falls back to "\n", which obviously is not useful.
That is strange, I cannot reproduce this. On my systems I get an empty
string (which is expected behaviour). I have no idea what could produce
a newline.
Which version of libnss-ldapd and nslcd are you using? Are you using
nscd/unscd? What kind of directory server are you using?
> I would like it to default to /bin/sh. If you're feeling especially
> paranoid, I would at least like it to default to (say) /bin/false, so
> that I don't have spurious blank lines in my getent output.
You can implement a default for this option with:

    map passwd loginShell "${loginShell:-/bin/sh}"
> PS: yes, I know my password hashes are visible to anonymous users.
> This is a scratch network and my olcAccess rules are temporarily too
> permissive.
The 0.8 series will by default map the userPassword attribute to "*"
and you will have to configure nslcd explicitly to return password
hashes, so that will at least limit this problem somewhat.
--
-- arthur - [email protected] - http://people.debian.org/~adejong --
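
An added example, not part of the original message or of nss-pam-ldapd: a Python check that scans passwd(5)-format lines, such as `getent passwd` output, for the two symptoms discussed in this thread, an empty login shell (and the blank line it can produce) and password hashes in the second field. The function name, the placeholder set and the sample entries are assumptions constructed for illustration.

```python
import re

# Password-field values that do not expose a hash: "x" (shadowed),
# "*" / "!" (no usable password) and the empty string. (Assumed set.)
PLACEHOLDERS = {"x", "*", "!", ""}
# crypt(3)-style hashes start with "$id$"; LDAP userPassword values
# often carry a "{SCHEME}" prefix such as {CRYPT} or {SSHA}.
HASH_LIKE = re.compile(r"^(\$[0-9a-z]+\$|\{[A-Za-z0-9-]+\})")

def audit_passwd(lines):
    """Return (user, problem) pairs for passwd(5)-format lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            # A shell value of "\n" shows up as a spurious blank line.
            findings.append(("", "blank line in output"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "expected 7 fields, got %d" % len(fields)))
            continue
        user, passwd, shell = fields[0], fields[1], fields[6]
        if not shell.strip():
            findings.append((user, "empty login shell"))
        elif not shell.startswith("/"):
            findings.append((user, "login shell is not an absolute path"))
        if passwd not in PLACEHOLDERS:
            kind = "hash" if HASH_LIKE.match(passwd) else "non-placeholder value"
            findings.append((user, "password field exposes a " + kind))
    return findings

# Constructed sample data, not taken from the thread.
SAMPLE = [
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n",
    "bob:*:1001:1001:Bob:/home/bob:\n",
    "carol:{SSHA}CONSTRUCTEDexampleVALUE:1002:1002:Carol:/home/carol:/bin/sh\n",
    "\n",
]

if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE):
        print("%-8s %s" % (user or "-", problem))
```

To audit a live system, pass the lines of `getent passwd` output to `audit_passwd` instead of `SAMPLE`.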

