tags 472872 + pending
thanks

First of all to reply to your earlier mail, reporting bugs is fine for
me and makes it easy to track.

On Thu, 2008-03-27 at 10:24 +1100, Alex Samad wrote:
> Seems like libnss-ldapd checks for object class by reading an
> ldap object in and then checking the objectclass attribute for a
> specific record. On my ldap setup I do not allow for objectclass to be
> read by any user, you can search.  This causes this error to appear in
> my syslog numerous times.
>
> The code is in 
> myldap_has_objectclass in myldap.c

The reason that nss-ldapd does a lookup for the objectClass for each
user entry is to not return password information if it is of type
shadowAccount (it tries to return it with shadow instead).

In any case exposing password hashes through NSS is a bad idea and not
really needed for anything with pam_ldap.

Anyway, I've removed the warning message in svn and it shouldn't fill up
your logs with the next release. (the warning message did not really add
much to the functionality)

> I would presume a change to doing a ldapsearch and testing for a
> positive result would be the solution (and I presume this is a lot
> more expensive than checking the attributes array)

That would be a solution but not something I would want to implement. If
it were some sort of search already I could add it, but this is an
attribute lookup like any other.

By the way, is there any specific reason why you don't want to allow
lookups of objectClass of any entries?

-- 
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

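As an added illustration of the access-control trade-off discussed in this thread (not part of the original messages, not from the nss-ldapd project): the OpenLDAP slapd.conf ACL fragment below assumes nslcd binds as cn=nslcd,dc=example,dc=com and that user entries live under ou=People,dc=example,dc=com (both hypothetical). It shows the search-only grant on objectClass that the reporter describes, which lets a filter match the attribute but never returns its value, next to a read grant for the nslcd bind DN that makes the shadowAccount check possible, while userPassword stays unreadable so no hash is ever exposed through NSS.

```conf
# Added example, not nss-ldapd code. All DNs are hypothetical.
# OpenLDAP evaluates "access to" clauses in order; the first clause whose
# target matches the entry/attribute decides, so the most specific go first.

# Password hashes: usable for a bind (auth), never returned to anyone.
# pam_ldap authenticates by binding, so nothing needs to read the hash;
# this is why returning it via NSS (getpwent/getspent) is unnecessary.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The setting the reporter describes: "search" lets clients use objectClass
# in a filter such as (objectClass=shadowAccount), but the attribute value
# is stripped from returned entries. An attribute-array check like
# myldap_has_objectclass therefore never sees objectClass at all.
# (kept commented out; superseded by the clause below)
#access to attrs=objectClass
#    by * search

# Corrected setting: the nslcd bind DN may read objectClass, so the
# shadowAccount decision can be made from the entry that was fetched.
# Everyone else keeps filter-only (search) access as before.
access to attrs=objectClass
    by dn.exact="cn=nslcd,dc=example,dc=com" read
    by * search

# Remaining attributes of user entries stay readable for normal NSS
# lookups (uid, uidNumber, gidNumber, homeDirectory, loginShell, ...).
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=nslcd,dc=example,dc=com" read
    by users read
    by * none
```

To confirm the effect without restarting anything, slapacl can evaluate the configured ACLs for a given bind DN, e.g. `slapacl -b "uid=alice,ou=People,dc=example,dc=com" -D "cn=nslcd,dc=example,dc=com" objectClass/read userPassword/read`: the first should be granted and the second denied.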