Date: Thu, 15 May 2003 10:01:34 -0400 (EDT)
From: Robert Watson <robert@fledge.watson.org>
To: Frank Bonnet
cc: freebsd-current@freebsd.org
In-Reply-To: <20030515145555.A2462@bart.esiee.fr>
Subject: Re: nss_ldap display UID/GID instead of login/group

On Thu, 15 May 2003, Frank Bonnet wrote:

> I have a cosmetic problem on a 5.1-BETA-20030507-JPSNAP version using
> nss_ldap ( installed from ports ) with openldap ( installed from ports
> too ).
>
> I can login/ssh/imap etc etc using the nss_ldap mechanism BUT when logged in
> under an LDAP userid ( not a local one ) ls -l displays UID and GID
> instead of LOGIN and GROUP.
This occurs because NSS relies on dynamic linking, and the binaries in /bin and /sbin are statically linked; right now, we don't support dynamic loading of shared objects by statically linked binaries. You'll notice that tcsh tab completion of usernames doesn't work, and getfacl/setfacl don't "speak" users who aren't NIS, HESIOD, or local password files (these modules are included in libc, so get statically linked into the builds of these binaries).

The work-around is to statically link the libraries necessary for LDAP into your /bin and /sbin binaries that need them. The solution is to run with a fully dynamic tree, and Gordon Tetlow is working on a patchset to do this. Some might suggest teaching static binaries how to load dynamic objects, but that has some of its own limitations.

You can run with a fully dynamic tree today as long as /usr is on the same partition as / so that /bin and /sbin can find their shared libraries. To do this, remove the NOSHARED line from bin/Makefile.inc and sbin/Makefile.inc. This will cause binaries in those directories to be built dynamically linked next time you buildworld.

A word of caution: one of the primary reasons this is more complicated than it sounds is the risk factor if something goes wrong: today, /bin and /sbin work even if you muck up your shared libraries somehow. If they're linked dynamically, they won't :-). Part of Gordon's work is to reproduce what NetBSD has in the form of /rescue: a directory not unlike our /stand today which holds crunched/static versions of /bin and /sbin for recovery purposes. I expect he'll post his patches for public review in a few weeks, with the intention to merge support for this functionality after 5.1. In the meantime, a local build will do the trick if you are willing to set up the partitions so that the shared libraries are easily found by /bin and /sbin.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
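As an added example that is not part of this thread or of FreeBSD's own tools, here is a small C checker for the property Robert describes: whether a binary is statically or dynamically linked, which decides whether ls, getfacl or tcsh can pull in nss_ldap at all (useful for confirming a rebuild after dropping NOSHARED actually took effect). It reads the ELF program headers and treats a PT_INTERP or PT_DYNAMIC segment as "dynamic"; it assumes ELF64 only, and write_sample_elf produces a constructed image at a hypothetical path so the check can be exercised offline.

```c
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 = dynamically linked (PT_INTERP or PT_DYNAMIC present), so NSS can dlopen
 * nss_ldap; 0 = static, so NSS is limited to the modules compiled into libc;
 * -1 = unreadable or not an ELF64 image (ELF32 is deliberately not handled). */
int elf_is_dynamic(const char *path)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    int rc = -1, fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (read(fd, &eh, sizeof eh) == (ssize_t)sizeof eh &&
        memcmp(eh.e_ident, ELFMAG, SELFMAG) == 0 &&
        eh.e_ident[EI_CLASS] == ELFCLASS64 && eh.e_phentsize == sizeof ph) {
        rc = 0; /* ELF64 with no loader-related segment found yet: static */
        for (unsigned i = 0; i < eh.e_phnum && rc == 0; i++) {
            if (pread(fd, &ph, sizeof ph, (off_t)(eh.e_phoff + i * sizeof ph)) != (ssize_t)sizeof ph) { rc = -1; break; }
            if (ph.p_type == PT_INTERP || ph.p_type == PT_DYNAMIC) rc = 1;
        }
    }
    close(fd);
    return rc;
}

/* Constructed sample ELF64 image (header + one program header) for offline testing. */
int write_sample_elf(const char *path, int dynamic)
{
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = ET_EXEC; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = dynamic ? PT_DYNAMIC : PT_LOAD; /* PT_LOAD alone reads as static */
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int ok = fwrite(&eh, sizeof eh, 1, f) == 1 && fwrite(&ph, sizeof ph, 1, f) == 1;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Usage: ./elfcheck /bin/ls /sbin/mount ...; "static" ones cannot load nss_ldap */
int main(int argc, char **argv)
{
    static const char *label[] = { "not ELF64", "static", "dynamic" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], label[elf_is_dynamic(argv[i]) + 1]);
    return 0;
}
```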