
Subject: Netgroups on Solaris with nss_ldap - msg#00004

List: ldap.padl.nss

I ran into problems getting netgroups to work under Solaris. I checked
the openldap logs and found it seemed to be receiving queries like this:

filter: (&(objectClass=nisNetgroup)(|(?=undefined)(?=undefined)\
(?=undefined)(?=undefined)(?=undefined)(?=undefined)(?=undefined)\
(?=undefined)(?=undefined)(?=undefined)(?=undefined)(?=undefined)))

I added an fprintf to nss_ldap and found the query being sent was this:

(&(objectclass=nisNetgroup)(|(nisNetgroupTriple=\(machine,-,domain\))\
(nisNetgroupTriple=\(machine,-,\))(nisNetgroupTriple=\(machine,,\))\
(nisNetgroupTriple=\(,-,domain\))(nisNetgroupTriple=\(,-,\))\
(nisNetgroupTriple=\(machine,,domain\))(nisNetgroupTriple=\(,,domain\))\
(nisNetgroupTriple=\(,,\))))

I believe this has to do with the definition of nisNetgroupTriple in
nis.schema. The original definition is this:

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
SYNTAX 1.3.6.1.1.1.0.0 )

If you change the definition to this:

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

the query seems to work.

Oddly, nss_ldap on Linux takes a different code path, so it doesn't run into
this problem:

#0 do_filter (args=0xbffff478, filterprot=0xb7e84ec0
"(&(objectclass=nisNetgroup)(cn=%s))",
sd=0xb7e83c4c, userbuf=0xbfffebb8 "(ñÿ¿\221Tÿ·ôðÿ¿$", userbufSiz=1024,
retFilter=0xbfffebb0)
at ldap-nss.c:1907
#1 0xb7e77ba9 in _nss_ldap_search_s (args=0xbffff478,
filterprot=0xb7e84ec0 "(&(objectclass=nisNetgroup)(cn=%s))",
sel=LM_NETGROUP, user_attrs=0x0,
sizelimit=1, res=0xbffff418) at ldap-nss.c:2678
#2 0xb7e780ea in _nss_ldap_getbyname (args=0xbffff478, result=0xbffff8fc,
buffer=0x0, buflen=0,
errnop=0xbffff4a4, filterprot=0xb7e84ec0
"(&(objectclass=nisNetgroup)(cn=%s))",
sel=LM_NETGROUP, parser=0xb7e7af51 <_nss_ldap_load_netgr>) at
ldap-nss.c:3017
#3 0xb7e7b34e in _nss_ldap_setnetgrent (group=0xbffffb58 "netgroup",
result=0xbffff8fc)
at ldap-netgrp.c:370
#4 0xb7f8a54f in innetgr () from /lib/tls/libc.so.6
#5 0x08048476 in main (argc=3, argv=0xbffff9e4) at n.c:18

On Solaris, do_filter is called via this path:

#0 do_filter (args=0xffbef4b0, filterprot=0x0, sd=0xff25c7ac,
userbuf=0xffbeeb80 "", userbufSiz=1024,
retFilter=0xffbeeb78) at ldap-nss.c:1907
#1 0xff23955c in _nss_ldap_search (args=0xffbef4b0, filterprot=0x0,
sel=LM_NETGROUP, user_attrs=0x0,
sizelimit=0, msgid=0xffbef408, csd=0x21d8c) at ldap-nss.c:2782
#2 0xff2397cc in _nss_ldap_getent_ex (args=0xffbef4b0, ctx=0xffbef4ac,
result=0xffbef558, buffer=0x0,
buflen=0, errnop=0xffbef564, filterprot=0x0, sel=LM_NETGROUP,
user_attrs=0x0,
parser=0xff23e87c <do_parse_innetgr>) at ldap-nss.c:2955
#3 0xff23ec40 in do_innetgr (li_args=0xffbef558, machine=0xffbef93c
"machine", user=0x10850 "-", domain=0x0)
at ldap-netgrp.c:753
#4 0xff23efd0 in _nss_ldap_innetgr (be=0x21d58, _args=0xffbef664) at
ldap-netgrp.c:847
#5 0xff2c9818 in nss_search () from /usr/lib/libc.so.1
#6 0xff2bb444 in __multi_innetgr () from /usr/lib/libc.so.1
#7 0xff2bb4a8 in innetgr () from /usr/lib/libc.so.1
#8 0x00010744 in main (argc=3, argv=0xffbef7cc) at n.c:18

The flag args->la_type == LA_TYPE_STRING on Linux, and LA_TYPE_TRIPLE on
Solaris.

The filter on Linux is

(&(objectclass=nisNetgroup)(cn=netgroup))

I'm kind of new to LDAP, so this might not be the best way to go about it,
but changing the definition seems to work.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh@xxxxxxxxxxxx http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
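
Added example, not part of the original message and not code from nss_ldap or OpenLDAP: a Python check that parses slapd-style attributetype definitions and lists attributes that declare no EQUALITY matching rule, which is the condition under which slapd logs an (attr=value) term as (?=undefined). The function names are hypothetical, the sample input is the two definitions quoted in the message, and attributes with SUP are assumed to inherit a rule from their supertype and are skipped.

```python
import re

# Tokens: quoted string, paren, '$' separator, or bare word (OID, keyword, rule name).
TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")

def parse_attributetypes(text):
    """Return one dict per 'attributetype ( ... )' definition in slapd schema text."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    toks = TOKEN.findall("\n".join(lines))
    defs, i = [], 0
    while i < len(toks):
        if toks[i].lower() != "attributetype" or toks[i + 1:i + 2] != ["("]:
            i += 1
            continue
        depth, j = 1, i + 2
        while j < len(toks) and depth:            # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(toks[j], 0)
            j += 1
        body = toks[i + 2:j - 1]
        attr = {"oid": body[0], "names": [], "EQUALITY": None, "SUP": None, "SYNTAX": None}
        k = 1
        while k < len(body):
            if body[k] == "NAME":                 # NAME 'x'  or  NAME ( 'x' 'y' )
                k += 1
                while k < len(body) and body[k][0] in "()'":
                    if body[k][0] == "'":
                        attr["names"].append(body[k].strip("'"))
                    k += 1
            elif body[k] in ("EQUALITY", "SUP", "SYNTAX") and k + 1 < len(body):
                attr[body[k]] = body[k + 1]
                k += 2
            else:
                k += 1
        defs.append(attr)
        i = j
    return defs

def no_equality_rule(text):
    """Names of attributes with neither EQUALITY nor SUP (SUP is assumed to inherit)."""
    return [a["names"][0] if a["names"] else a["oid"]
            for a in parse_attributetypes(text)
            if a["EQUALITY"] is None and a["SUP"] is None]

# Sample input: the two definitions quoted in the message above.
ORIGINAL = """attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple' SYNTAX 1.3.6.1.1.1.0.0 )"""
MODIFIED = """attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple' EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"""

if __name__ == "__main__":
    print("original:", no_equality_rule(ORIGINAL), "modified:", no_equality_rule(MODIFIED))
```

Run against a full schema file, this lists every attribute that an equality filter cannot match, which is worth checking for any attribute used in access decisions such as netgroup membership.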





