So in talking with Scott on IRC, he brought up an important point: it is undesirable to add the additional nss_initgroups_okusers option if upstream actually implements nss_initgroups_ignoreusers/nss_initgroups_minimum_uid in nss-ldap proper (see upstream bug http://bugzilla.padl.com/show_bug.cgi?id=341). I think the best course of action is for people interested in fixing this bug to comment in the upstream bug about how nss_initgroups_ignoreusers/nss_initgroups_minimum_uid isn't always enough, and there should be some sort of whitelist. At that point we can evaluate the best way to move forward (and have a blessed config option).
If they NAK it, we could theoretically still implement this feature in nssldap-update-ignoreusers, with the understanding that nssldap-update-ignoreusers would have to be updated when upstream implements nss_initgroups_ignoreusers/nss_initgroups_minimum_uid and only remove users in nss_initgroups_okusers from nss_initgroups_ignoreusers rather than trying to generate nss_initgroups_ignoreusers on the fly each time.

** Changed in: libnss-ldap (Ubuntu)
Status: New => Confirmed

https://bugs.launchpad.net/bugs/644632

Title: nssldap-update-ignoreusers needs to be configurable to ignore users