tags 610925 + pending
thanks

On Mon, 2011-01-24 at 01:49 +0100, Luca Capello wrote:
> 1) 'host=*' is not honoured
>
> I am not an LDAP expert and I could not find any documentation
> (authoritative or not) about the accepted values for this LDAP
> attribute, so I do not know who is at fault here.

I don't think the option is standardized anywhere. RFC 1274 (which
defines the attribute) does not describe its use and the "Using LDAP as
a Network Information Service" Internet Draft does not describe PAM.

> As you can see, nslcd removes the escape and the correct result is
> obtained with a double escape in nslcd.conf:
>
> (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\\*)))

The example filter in the manual page only filtered if the host
attribute was set (it would allow any access if the attribute was not
set). I've updated the manual page.

> I could not find any documentation about escaping in the
> pam_authz_search filter...

I've added a note to the manual page about escaping.

> 2) the variable $hostname contains the value of `hostname` and not the
> FQDN like with PADL's pam_ldap, thus a tricky filter must be used:
>
> (&(objectClass=posixAccount)(uid=$username)\
> (|(host=$hostname)(host=$hostname.$DOMAIN)(!(host=*))))

I've implemented a $fqdn variable that can be used (will be in the next
release).

> BTW, I was expecting any PAM-related output to be in /var/log/auth.log,
> until I realized that nslcd logs to /var/log/syslog.

nslcd logs to /var/log/syslog but if the PAM module logs anything it
should be in /var/log/auth.log. This may be a bit confusing when looking
for PAM-related problems but I think it is less confusing than logging
part of nslcd to /var/log/auth.log. Anyway, thanks for pointing this
out.

The changes will be in the next development release (0.8.1).

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
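The thread turns on three details of a pam_authz_search filter: a presence test `(host=*)` matches any entry that has a host attribute at all, a literal asterisk needs an escape that survives the config parser (hence `\\*` in nslcd.conf), and the value substituted for `$username`, `$hostname` or `$fqdn` must not be able to alter the filter structure. The toy model below is an added example written for this page; it is not nslcd's code and does not reproduce its parser. The single-level backslash removal in `config_unescape`, the RFC 4515 escaping of substituted variables, and the directory entries are all assumptions constructed for the demonstration. It evaluates the corrected filter from the mail and the older "allow when host is unset" style side by side.

```python
"""Toy model of a pam_authz_search filter: config-file unescape, variable
expansion with escaping, and evaluation against constructed LDAP entries.
Added example for illustration only; this is not nslcd's implementation."""
import re

# Assumed model of the config parser removing one level of backslash
# escaping, so "\\*" in nslcd.conf reaches the LDAP filter as "\*".
def config_unescape(text):
    return text.replace('\\\\', '\\')

# RFC 4515 escaping for a value substituted into a filter; a username such
# as "alice)(uid=*" then stays a literal string instead of new filter terms.
def escape_value(value):
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

# Replace $name tokens ($username, $hostname, $fqdn) with escaped values.
def expand(template, variables):
    return re.sub(r'\$(\w+)', lambda m: escape_value(variables[m.group(1)]), template)

# Undo filter escaping: "\2a" (RFC 4515) and the older "\*" form from the mail.
def unescape_value(raw):
    return re.sub(r'\\([0-9a-fA-F]{2})|\\(.)',
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), raw)

def _parse(s, i):
    if s[i] != '(':
        raise ValueError('expected "(" at %d' % i)
    i += 1
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == '!':
        kid, i = _parse(s, i + 1)
        node = ('!', kid)
    else:
        j = s.index('=', i)
        attr, value, k = s[i:j].lower(), [], j + 1
        while s[k] != ')':
            step = 2 if s[k] == '\\' else 1   # keep an escape pair together
            value.append(s[k:k + step])
            k += step
        node, i = ('=', attr, ''.join(value)), k
    if s[i] != ')':
        raise ValueError('expected ")" at %d' % i)
    return node, i + 1

def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError('trailing data after filter')
    return node

# Evaluate against one entry (dict: lowercase attribute -> list of values).
# Only presence "(attr=*)" and exact equality are modelled, no substrings.
def matches(node, entry):
    if node[0] == '&':
        return all(matches(k, entry) for k in node[1])
    if node[0] == '|':
        return any(matches(k, entry) for k in node[1])
    if node[0] == '!':
        return not matches(node[1], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == '*':                          # presence test
        return bool(values)
    return unescape_value(raw) in values    # "\*" means the character itself

# Constructed directory entries (not from the bug report).
DIRECTORY = [
    {'objectclass': ['posixAccount'], 'uid': ['alice'], 'host': ['*']},
    {'objectclass': ['posixAccount'], 'uid': ['bob'], 'host': ['web1.example.org']},
    {'objectclass': ['posixAccount'], 'uid': ['carol']},   # no host attribute
]

# The corrected filter from the mail, as written in nslcd.conf, using $fqdn.
FILTER_LITERAL_STAR = config_unescape(
    r'(&(objectClass=posixAccount)(uid=$username)(|(host=$fqdn)(host=\\*)))')
# The older style: also allow when the host attribute is absent.
FILTER_ALLOW_UNSET = config_unescape(
    r'(&(objectClass=posixAccount)(uid=$username)(|(host=$fqdn)(!(host=*))))')

def authorized(template, username, hostname, fqdn):
    variables = {'username': username, 'hostname': hostname, 'fqdn': fqdn}
    node = parse_filter(expand(template, variables))
    return any(matches(node, entry) for entry in DIRECTORY)

if __name__ == '__main__':
    for user in ('alice', 'bob', 'carol'):
        print(user, authorized(FILTER_LITERAL_STAR, user, 'db1', 'db1.example.org'),
              authorized(FILTER_ALLOW_UNSET, user, 'db1', 'db1.example.org'))
```

Run on host db1.example.org, alice (host `*`) is allowed only by the literal-star filter, carol (no host attribute) only by the allow-unset filter, and bob only on web1.example.org under either. The escaping in `expand` is the part worth keeping in mind when reviewing such filters: without it, a value containing `)` or `*` would be parsed as additional filter terms rather than as the name being looked up.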