On Thu, Jan 28, 2010 at 09:37:07PM +0100, Arthur de Jong wrote:
> On Wed, 2010-01-27 at 21:39 +1100, Alex Samad wrote:
> > I am getting
> >
> > nslcd[4724]: [8d6a35] entry uid=alex,ou=People,dc=samad,dc=com,dc=au
> > contains multiple cn values
> >
> > because my object has multiple cn's which is allowed for this object
> > class. I was wondering if maybe the best way to handle this is to
> > either take the cn from the DN, or to create multiple records one for
> > each cn ?
>
> The problem with returning multiple records is that this will confuse
> some applications (it is known to confuse Glibc's nscd). Also, in the
> end the NSS part will only return one entry for direct name lookups
> (e.g. getent passwd alex will only return one row).

Yeah I thought as much

>
> For some object classes nslcd already looks at the DN to see the
> preferred name (e.g. hostnames, the other entries are taken as aliases)
> but for usernames I think this will only cause confusion. By default
> nslcd only uses the cn attribute if the gecos attribute isn't set (and
> uses the first attribute value it finds).

the order though is arbitrary but I guess that's the best that can be done

>
> What is on the TODO list is to implement rate-limiting for the above
> messages. Something like only log a certain complaint on a certain DN
> once in 15 minutes. This however needs some more thought because for a
> system with a lot of problematic entries this would result in a lot of
> log messages anyway.

or maybe a flag to turn it off ?

>
> Anyway, thanks for your email and thanks for using nss-pam-ldapd.

cool package - better than the other one :)

> --

BOFH excuse #85:
Windows 95 undocumented "feature"
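An added example of the rate limiting discussed in the thread (log a given complaint on a given DN at most once per 15 minutes), using a fixed-size table so memory stays bounded on systems with many problematic entries. This is not nslcd code; `rl_check`, `rl_hash`, the table size and the timestamps are hypothetical and constructed for illustration.

```c
/* Added example, not nslcd code: per-(DN, complaint) log rate limiting. */
#include <stdio.h>
#include <stdint.h>
#include <time.h>

#define RL_SLOTS 256          /* fixed size: memory stays bounded */
#define RL_WINDOW (15 * 60)   /* seconds: the 15 minutes from the thread */

struct rl_slot { uint64_t key; time_t last; unsigned suppressed; int used; };
static struct rl_slot rl_table[RL_SLOTS];

/* FNV-1a over DN and complaint, so the same complaint on another DN differs */
static uint64_t rl_hash(const char *dn, const char *complaint)
{
  uint64_t h = 14695981039346656037ULL;
  const char *parts[2] = { dn, complaint };
  for (int i = 0; i < 2; i++) {
    for (const char *p = parts[i]; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    h ^= 0xff; h *= 1099511628211ULL;   /* separator between the two parts */
  }
  return h;
}

/* Returns -1 if the message must be suppressed, otherwise the number of
   identical messages dropped since the last one that was logged. */
int rl_check(const char *dn, const char *complaint, time_t now)
{
  uint64_t key = rl_hash(dn, complaint);
  struct rl_slot *s = &rl_table[key % RL_SLOTS];
  if (s->used && s->key == key && now - s->last < RL_WINDOW) {
    s->suppressed++;
    return -1;
  }
  int dropped = (s->used && s->key == key) ? (int)s->suppressed : 0;
  /* a colliding key evicts the old slot: worst case is one extra log line */
  s->key = key; s->last = now; s->suppressed = 0; s->used = 1;
  return dropped;
}

int main(void)
{
  const char *dn = "uid=alex,ou=People,dc=samad,dc=com,dc=au";
  for (time_t now = 1000; now <= 2200; now += 400) {   /* constructed timestamps */
    int r = rl_check(dn, "contains multiple cn values", now);
    if (r >= 0) printf("t=%ld log (%d suppressed)\n", (long)now, r);
  }
  return 0;
}
```

Reporting the suppressed count with the next logged line keeps the log informative about how often the entry was hit without repeating the message on every lookup.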