
nsscache's Introduction

nsscache - Asynchronously synchronise local NSS databases with remote directory services


nsscache is a commandline tool and Python library that synchronises a local NSS cache from a remote directory service, such as LDAP.

As soon as you have more than one machine in your network, you want to share usernames between those systems. Linux administrators have been brought up on the convention of LDAP or NIS as a directory service, and /etc/nsswitch.conf, nss_ldap.so, and nscd to manage their nameservice lookups.

Even small networks will have experienced intermittent name lookup failures, such as a mail receiver sometimes returning "User not found" on a mailbox destination because of a slow socket over a congested network, or erratic cache behaviour by nscd. To combat this problem, we have separated the network from the NSS lookup codepath, by using an asynchronous cron job and a glorified script, to improve the speed and reliability of NSS lookups. We presented at linux.conf.au 2008, (PDF slides) on the problems in NSS and the requirements for a solution.

Here, we present to you this glorified script, which is just a little more extensible than

ldapsearch | awk > /etc/passwd

Read the Google Code blog announcement for nsscache, or more about the motivation behind this tool.

Here's a testimonial from Anchor Systems on their deployment of nsscache.

Pair nsscache with https://github.com/google/libnss-cache to integrate the local cache with your name service switch.


Mailing list: https://groups.google.com/forum/#!forum/nsscache-discuss

Issue history is at https://code.google.com/p/nsscache/issues/list


Contributions

Please format your code with https://github.com/google/yapf (installable as pip install yapf or the yapf3 package on Debian systems) before sending pull requests.

Testing

The Dockerfile sets up a container that then executes the python unit tests and tests/slapd-regtest integration test. Execute that with podman build . to get a reproducible test environment.

The Dockerfile mimics the test environment used by the Github Actions workflow .github/workflows/ci.yml

Setup

gcs source

Install Google Cloud Storage Python Client: sudo pip install google-cloud-storage

For Compute Engine instances to use the gcs source, the attached service account must have the Storage Object Viewer role on the GCS bucket that stores the passwd, group, and shadow objects, or on the objects themselves if you are using fine-grained access controls.

nsscache's People

Contributors

3x14, achernya, adunham-stripe, alexeiser, antarus12345, arunsathiya, atreides322, dependabot[bot], github-actions[bot], hexedpackets, hexiaoqiao, jaqx0r, jtpereyda, kev009, lpcalisi, mboutolleau, notmaxx, panlinux, robbat2, rwalker-com, sithglan, tomgreen66, tstromberg, zachburg


nsscache's Issues

entry ordering from source is not preserved (0.8.3)

Original issue 18 created by jaqx0r on 2009-01-28T03:34:23.000Z:

Technically, this is not a bug. The relevant RFCs do not specify that the
entries returned should be in any particular order, but for my specific
application we require that the order that the entries are returned from
LDAP is preserved in the nsscache output.

I've crafted a fairly minor patch that adds an index to the base map class,
and uses this to preserve the entry ordering to the output. You may wish to
add this to a "contrib" directory or similar as someone out there may find
it useful.

Please remove shebang line from python files

Original issue 2 created by jaqx0r on 2008-01-25T21:20:09.000Z:

Hi,

Each file contains #!/usr/bin/python2.4 at the top.
This prevents nsscache from running on other Python versions.

This line is also not needed for all files under the site-packages directory, since they're not meant
to be executed directly, but included as modules.

Size Limit Exceeded

Need a workaround for ldap.SIZELIMIT_EXCEEDED, unless one already exists.

I found a couple of suggestions poking around online, but haven't gotten anything working yet.

Error output:

$ sudo nsscache update --full
ERROR:Update:Source map empty during full update, aborting. Use --force-write to override.
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Users', overwritten
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Users', overwritten
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Users', overwritten
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Computers', overwritten
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Controllers', overwritten
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Computers', overwritten
WARNING:GroupMap:duplicate key detected when adding to map: 'Domain Controllers', overwritten
Traceback (most recent call last):
  File "/usr/local/bin/nsscache", line 33, in <module>
    return_value = nsscache_app.Run(sys.argv[1:], os.environ)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/app.py", line 240, in Run
    retval = command_callable().Run(conf=conf, args=args)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/command.py", line 230, in Run
    force_lock=options.force_lock)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/command.py", line 303, in UpdateMaps
    force_write=force_write)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource
    force_write, location=None)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource
    location=location)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/source.py", line 67, in GetMap
    return self.GetGroupMap(since)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 309, in GetGroupMap
    since=since)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 503, in GetUpdates
    for obj in source:
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 229, in __iter__
    timeout=self.conf['timelimit'])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
ldap.SIZELIMIT_EXCEEDED: {'desc': 'Size limit exceeded'}

sshkey patch --

Original issue 32 created by jaqx0r on 2014-05-14T22:59:12.000Z:

What version of the product are you using? On what operating system?
nsscache-0.23

Please provide any additional information below.
Wanted something that will spit out sshpublickey from LDAP so that authorizedkeycommand from sshd can look it up.

Thought it would be nice to have if someone wants it. verify doesn't work though.

When creating shadow the password field in passwd should be set to x

Original issue 35 created by jaqx0r on 2014-09-07T11:30:21.000Z:

What steps will reproduce the problem?

  1. /etc/nsscache.conf:

     [DEFAULT]
     source = ldap
     cache = files
     maps = passwd, group, shadow, sshkey
     timestamp_dir = /var/lib/nsscache
     ldap_uri = ldap://ldap1
     ldap_base = dc=domain,dc=de
     ldap_filter = (objectclass=posixAccount)
     ldap_bind_dn = "cn=Manager,dc=domain,dc=de"
     ldap_bind_password = "password"
     nssdb_dir = /var/lib/misc
     files_dir = /etc
     files_cache_filename_suffix = cache

     [passwd]
     ldap_base = ou=People,dc=domain,dc=de

     [group]
     ldap_base = ou=Groups,dc=domain,dc=de
     ldap_filter = (objectclass=posixGroup)

     [shadow]
     ldap_base = ou=People,dc=domain,dc=de
     ldap_filter = (objectclass=shadowAccount)

     [sshkey]
     ldap_base = ou=People,dc=domain,dc=de
     ldap_filter = (objectclass=ldapPublicKey)

  2. Run nsscache update -f

What is the expected output? What do you see instead?

Expected:
(mm1) [~] getent passwd thglanzm
thglanzm:x:10074:10074:Thomas Glanzmann:/home/thglanzm:/bin/bash

Instead:

(mm1) [~] getent passwd thglanzm
thglanzm:*:10074:10074:Thomas Glanzmann:/home/thglanzm:/bin/bash

What version of the product are you using? On what operating system?

The issue happens only with git head, but not with the last release
because there the passwd password field was hard coded to 'x'. But that has changed.

Please provide any additional information below.

I wrote a small patch which sets the password field in passwd to 'x' when a userPassword exists and begins with {crypt}.

ssha passwords in ldap not syncing

Original issue 38 created by jaqx0r on 2015-02-25T15:52:42.000Z:

What steps will reproduce the problem?

  1. sudo nsscache -v update -f

What is the expected output? What do you see instead?
expected is syncing my ssha passwords in ldap
I see instead:
INFO:root:Ignored password that was not in crypt format

What version of the product are you using? On what operating system?
version 0.23-2 ubuntu 64bit

Please provide any additional information below.
in ldapsource.py 641-644:

    if passwd[:7].lower() == '{crypt}':
        shadow_ent.passwd = passwd[7:]
    else:
        logging.info('Ignored password that was not in crypt format')

So nsscache allows only sync for crypt passwords. Is it possible to use ssha passwords too?
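Issues 35 and 38 above come down to the same fact: the shadow map is consumed by crypt(3)-based checkers such as pam_unix, so only a {crypt} userPassword can be copied into it, and the passwd field then has to be 'x' so lookups defer to shadow. The block below is an added example, not nsscache's code. It shows the unwrap rule quoted from ldapsource.py, what to write when the value cannot be unwrapped (a locked field, never an empty one), and why an {SSHA} value is verifiable only by SSHA-aware code. The sample hash and salt are constructed inline.

```python
"""Added example (not nsscache code): which LDAP userPassword values can be
mirrored into a shadow map, and how to check the ones that cannot.

pam_unix and crypt(3) understand crypt-format strings ($6$..., $y$..., DES).
An {SSHA} value is base64(SHA1(password || salt) || salt); it is perfectly
verifiable, but only by code that implements that scheme, which libc's
crypt() does not. That is why nsscache drops it rather than syncing it.
"""
import base64
import hashlib
import hmac
import os

PASSWD_FIELD_WITH_SHADOW = 'x'  # passwd(5) field when a shadow map exists


def shadow_field_from_userpassword(user_password):
    """Return the string to put in shadow's password field.

    Same rule as the ldapsource.py excerpt in issue 38: only a {crypt} prefix
    is unwrapped. Anything else yields '!' (locked). An empty field would
    instead allow login with no password at all, so never return ''.
    """
    if user_password is None:
        return '!'
    if user_password[:7].lower() == '{crypt}':
        return user_password[7:]
    return '!'  # not verifiable by crypt(3): lock, do not leak or open


def verify_ssha(stored, candidate):
    """Verify a {SSHA} userPassword the way an LDAP server would.

    Layout after the prefix: base64 of 20-byte SHA-1 digest followed by the
    salt (commonly 4 to 8 bytes). Comparison is constant-time.
    """
    if not stored.upper().startswith('{SSHA}'):
        raise ValueError('not an SSHA hash')
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode('utf-8') + salt).digest()
    return hmac.compare_digest(digest, expected)


def make_ssha(password, salt=None):
    """Build a {SSHA} value; used here only to construct test input."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


if __name__ == '__main__':
    # Constructed sample values, not real directory data.
    crypt_value = '{crypt}$6$saltsalt$placeholderhash'
    ssha_value = make_ssha('hunter2')
    print('passwd field:', PASSWD_FIELD_WITH_SHADOW)
    print('shadow from {crypt}:', shadow_field_from_userpassword(crypt_value))
    print('shadow from {SSHA}: ', shadow_field_from_userpassword(ssha_value))
    print('SSHA verifies with right password:', verify_ssha(ssha_value, 'hunter2'))
```

If you need SSHA (or any non-crypt scheme) to work for local logins, the fix is on the directory side: store a crypt(3) hash in userPassword with the {crypt} prefix, or use a PAM module that binds to LDAP for authentication and keep nsscache for identity only.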

Microsoft Services for Unix support

Original issue 24 created by jaqx0r on 2011-09-06T06:48:46.000Z:

We're using MS SFU and some of the field names in ldap seems to differ from other solutions. Attached is a patch to rename those, the more appropriate way is probably to switch between them with a config option or similar.

What steps will reproduce the problem?

  1. Install MS SFU on a Windows 2008 server
  2. Configure nsscache to lookup against it

What is the expected output? What do you see instead?
Errors like:
ValueError: time data '20110901063143.0Z' does not match format '%Y%m%d%H%M%SZ'
obj_ts = self.FromLdapToTimestamp(obj['modifyTimestamp'][0])
KeyError: 'modifyTimestamp'
raise ValueError('Invalid object passed: %r', field)
ValueError: ('Invalid object passed: %r', 'homeDirectory')

The last one was patched in source to display field name instead of obj

What version of the product are you using? On what operating system?
0.21.14 on ubuntu 10.04 lts

Please provide any additional information below.

sshkey.cache format: valid characters include "'" "[" "]" ":" and ","; which are broken in AuthorizedKeysHelper

The present AuthorizedKeysHelper removes the following characters/strings:

  • "[" (left square bracket)
  • "]" (right square bracket)
  • "'" (single quote)
  • "," (comma followed by space [not rendered correctly by markdown])
  • ":" (colon, removed implicitly by awk)

All of them ARE valid if an SSH key is preceded by an options string:
from="1.2.3.4,[2001:db8::/64]" ssh-rsa AAAA...
command="/usr/local/foo --arg1='a, b' " ssh-rsa AAAA...

There are two potential solutions:

  1. Keep the sshkey.cache format the same, only improve the script (A python rewrite perhaps)
  2. Write out one sshkey per line, instead of an array as the second element; and improve the script. This has a side benefit of working better with the existing script.
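An AuthorizedKeysCommand-style lookup that keeps the characters listed above intact, as an added example that is not nsscache's AuthorizedKeysHelper. It assumes the sshkey.cache line layout the issue describes, username followed by a colon and a Python list literal of key strings, and also accepts one bare key per line (the issue's second option). The sample cache, usernames and key material are constructed placeholders.

```python
"""Added example (not nsscache code): parse an sshkey.cache line whose second
field is a Python list literal, without stripping quotes, commas, brackets or
colons from SSH key options.

Assumed format per line:  <username>:<list literal>   or   <username>:<one key>
"""
import ast
import io
import sys

# Constructed sample cache. Key blobs are placeholders, not real keys.
SAMPLE_CACHE = r"""alice:['from="1.2.3.4,[2001:db8::/64]" ssh-rsa AAAAB3placeholder alice@x', 'command="/usr/local/foo --arg1=\'a, b\' " ssh-rsa AAAAB3placeholder2']
bob:['ssh-ed25519 AAAAC3placeholder bob@y']
carol:ssh-ed25519 AAAAC3placeholder carol@z
"""


def parse_keys_field(field):
    """Turn the second field of a cache line into a list of key strings."""
    field = field.strip()
    if not field:
        return []
    if field.startswith('['):
        # literal_eval builds Python literals only; unlike eval it cannot
        # execute code, so a hostile directory entry cannot run anything here.
        value = ast.literal_eval(field)
        if not isinstance(value, list) or not all(isinstance(k, str) for k in value):
            raise ValueError('sshkey field is not a list of strings')
        keys = value
    else:
        keys = [field]  # one plain key per line
    for key in keys:
        # A key containing a newline would become two authorized_keys lines,
        # letting one directory entry smuggle in an extra key.
        if '\n' in key or '\r' in key:
            raise ValueError('newline inside key material')
    return keys


def authorized_keys(username, cache_text):
    """Return every key listed for username, in cache order."""
    keys = []
    for lineno, line in enumerate(io.StringIO(cache_text), 1):
        line = line.rstrip('\n')
        if not line or line.startswith('#'):
            continue
        # Split on the first colon only; IPv6 literals inside options contain
        # colons and must stay in the key field.
        name, sep, rest = line.partition(':')
        if not sep:
            raise ValueError('line %d: missing field separator' % lineno)
        if name == username:  # exact match, never a pattern or a shell
            keys.extend(parse_keys_field(rest))
    return keys


def authorized_keys_output(username, cache_text):
    """What sshd expects on stdout from AuthorizedKeysCommand: one key per line."""
    return ''.join(key + '\n' for key in authorized_keys(username, cache_text))


if __name__ == '__main__':
    # Usage: script.py <username> [cache path]; the default path is an assumption.
    user = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else '/etc/sshkey.cache'
    with open(path, encoding='utf-8') as fh:
        sys.stdout.write(authorized_keys_output(user, fh.read()))
```

sshd runs AuthorizedKeysCommand with the login name substituted for %u; because the name is only ever compared for equality against the first field, no shell quoting problem arises, and the cache file itself must stay root-owned and not group- or world-writable for sshd to accept the command's output.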

Symbol visibility?

We saw some "weirdness" (random crashes in an unrelated app's pthread locks) after loading this on one box.

I'm wondering if the symbol visibility is somehow causing trouble. I notice other libnss implementations use libtool and export only the bare minimum symbols.

If I port the current makefile to autotools and libtool, would you accept the PR?

full sync fails

Original issue 1 created by jaqx0r on 2007-11-20T22:39:56.000Z:

I just installed nsscache, and on the first run I get this error:

WARNING:NssDbGroupHandler:Local cache is missing, faulting to a full sync.
Traceback (most recent call last):
  File "/usr/bin/nsscache", line 30, in ?
    sys.exit(app.NssCacheApp().Run(sys.argv[1:], os.environ))
  File "/usr/lib/python2.4/site-packages/nss_cache/app.py", line 219, in Run
    retval = command_callable().Run(conf=conf, args=args)
  File "/usr/lib/python2.4/site-packages/nss_cache/command.py", line 227, in Run
    force_lock=options.force_lock)
  File "/usr/lib/python2.4/site-packages/nss_cache/command.py", line 265, in UpdateMaps
    force_write=force_write)
  File "/usr/lib/python2.4/site-packages/nss_cache/caches/base.py", line 294, in Update
    if len(cache_map) == 0:
UnboundLocalError: local variable 'cache_map' referenced before assignment

Please support nested groups

Currently the code seems to assume that the value of a member attribute is the DN of a user, and treats the RDN as the uid (even if it happens to be called cn and ldap_uidattr is unset, and even if the LDAP member entity doesn't have the posixAccount objectClass, which I'd say is a bug).

Under rfc2307bis, group members can also be groups; libnss-ldap also supports this.

I think nsscache should perform a transitive closure on the groups it obtains from LDAP. I wrote a shell script that does this, as a proof of concept; it's a bit crude, but it works. It allows arbitrary group nesting (even across groups that don't have the posixGroup objectClass). It doesn't prevent infinite recursion though, and it's very slow.

Ironically, getent group gets it right if nss is configured to use libnss-ldap, so that instead of running nsscache, we could just use getent -- if that wouldn't defeat the purpose of using nss-cache. :)

#!/bin/zsh
#
# Purpose: get groups from LDAP recursively and extract their members.
#
# Usage: script GROUPBASE [GROUPFILTER] [MEMBERFILTER]

typeset -A isgroup
typeset -A isposixgroup
typeset -A members # Contains DNs
typeset -A memberuids
typeset -A processed_DNs
typeset -A expanding # Groups currently being expanded by getmembers (cycle guard)
typeset -A uids
typeset -A groups
typeset -A memberfilter

GROUPBASE="$1"
GROUPFILTER="$2"        # only print groups matching this filter; use objectClass=posixGroup
MEMBERFILTER="$3"       # only print members matching this filter; use objectClass=posixAccount

function process_ldapsearch() {
        local currentdn=""
        local memberdn=""
        local memberuid=""
        while read attrib val; do case "$attrib $val" in
                dn:*)
                        currentdn="$val"
                        ;;
                objectClass:\ groupOfNames)
                        isgroup[$currentdn]=1
                        ;;
                objectClass:\ posixGroup)
                        isposixgroup[$currentdn]=1
                        ;;
                member:\ *)
                        memberdn="$val"
                        # Do we already have this member in the current group? If not, add it.
                        [[ "$members[$currentdn]" =~ \b${memberdn}\b ]] || members[$currentdn]="$members[$currentdn] $memberdn"
                        # Members outside our GROUPBASE that are not obviously users are fetched
                        # and processed recursively. The DN is marked before recursing so that a
                        # reference cycle between such groups cannot loop forever.
                        if [[ "${memberdn/,$GROUPBASE/}" = "${memberdn}" ]] && \
                           [[ "${memberdn/uid=/}" = "${memberdn}" ]] && \
                           [[ -z "$processed_DNs[$memberdn]" ]]; then
                                processed_DNs[$memberdn]=1
                                ldapsearch -LLL -x -o ldif-wrap=no -b "${memberdn}" | process_ldapsearch
                        fi
                        ;;
                memberUid:*)
                        memberuid="$val"
                        # Do we already have this member in the current group? If not, add it.
                        [[ "$memberuids[$currentdn]" =~ \b$memberuid\b ]] || memberuids[$currentdn]="$memberuids[$currentdn] $memberuid"
                        ;;
                *)
                        ;;
        esac; done
}

function memberfilter_match() {
        [[ -z "$MEMBERFILTER" ]] && return 0
        [[ -n "$memberfilter[$1]" ]] && return $memberfilter[$1]
        # Ask the server whether this DN matches MEMBERFILTER; cache the answer.
        if [[ $(ldapsearch -s base -LLL -x -o ldif-wrap=no -b "$1" "($MEMBERFILTER)" dn) = "dn: $1" ]]; then
                memberfilter[$1]="0"
        else
                memberfilter[$1]="1"
        fi
        return $memberfilter[$1]
}

function getmembers() {
        local group=$1
        local -A curmembers
        local i
        local j
        # Cycle guard: a group already on the expansion path contributes nothing further.
        [[ -n "$expanding[$group]" ]] && return 0
        expanding[$group]=1
        for i in ${(z)members[$group]}; do
                if (( ${+isgroup[$i]} || ${+isposixgroup[$i]} )); then
                        for j in $(getmembers $i); do
                                curmembers[$j]=1
                        done
                else
                        if memberfilter_match $i; then
                                i=${i/uid=/}
                                i=${i/,*/}
                                curmembers[$i]=1
                        fi
                fi
        done
        for i in ${(z)memberuids[$group]}; do
                curmembers[$i]=1
        done
        expanding[$group]=""
        echo ${(k)curmembers}
        return 0
}

# main()
ldapsearch -LLL -x -b "$GROUPBASE" -o ldif-wrap=no | process_ldapsearch

# Merge the list of posixGroups and groupOfNames groups; the keys of the groups hash will form a list of all groups
for group in ${(k)isposixgroup} ${(k)isgroup}; do
        groups[$group]=1
done

for group in ${(k)groups}; do
        if [[ -z "$GROUPFILTER" ]] || [[ $(ldapsearch -s base -LLL -x -b "$group" -o ldif-wrap=no "($GROUPFILTER)" dn) = "dn: $group" ]]; then
                groupname=${group/cn=/}
                if ! [[ "${groupname/,$GROUPBASE/}" = "${groupname}" ]]; then   # Was this particular group inside our search base or outside it?
                        groupname=${groupname/,*/}
                        echo $groupname $(getmembers $group | tr ' ' '\n' | sort | tr '\n' ' ')
                fi
        fi
done
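The transitive closure the issue asks for, as an added Python example that is not nsscache's code. The directory entries are constructed in memory in the shape an LDAP source would return them; a uid is taken from the member entry's own uid attribute rather than its RDN, uniqueMember is treated like member, members that are not posixAccounts are dropped, dangling DNs are ignored, and a visited set stops reference cycles. Group and attribute names are illustrative.

```python
"""Added example (not nsscache code): flatten rfc2307bis nested groups into
posixGroup -> sorted uids, with cycle protection.

ENTRIES is a constructed in-memory directory keyed by DN; attribute values are
lists, as python-ldap returns them (here already decoded to str).
"""

GROUP_CLASSES = ('posixGroup', 'groupOfNames', 'groupOfUniqueNames')

# Constructed sample: 'admins' nests 'ops' (a plain groupOfNames), which
# nests 'admins' again to exercise the cycle guard.
ENTRIES = {
    'uid=alice,ou=People,dc=example,dc=com': {
        'objectClass': ['posixAccount'], 'uid': ['alice']},
    'uid=bob,ou=People,dc=example,dc=com': {
        'objectClass': ['posixAccount'], 'uid': ['bob']},
    # RDN is a cn, so the uid must come from the entry, not the DN.
    'cn=Carol Smith,ou=People,dc=example,dc=com': {
        'objectClass': ['posixAccount'], 'uid': ['csmith']},
    # Not a posixAccount: must not appear in any group.
    'cn=svc,ou=Apps,dc=example,dc=com': {
        'objectClass': ['applicationProcess']},
    'cn=admins,ou=Groups,dc=example,dc=com': {
        'objectClass': ['posixGroup', 'groupOfNames'],
        'member': ['uid=alice,ou=People,dc=example,dc=com',
                   'cn=ops,ou=Groups,dc=example,dc=com'],
        'memberUid': ['legacy']},
    'cn=ops,ou=Groups,dc=example,dc=com': {
        'objectClass': ['groupOfNames'],
        'member': ['uid=bob,ou=People,dc=example,dc=com',
                   'cn=Carol Smith,ou=People,dc=example,dc=com',
                   'cn=svc,ou=Apps,dc=example,dc=com',
                   'cn=admins,ou=Groups,dc=example,dc=com',
                   'cn=gone,ou=Groups,dc=example,dc=com']},  # dangling DN
    'cn=devs,ou=Groups,dc=example,dc=com': {
        'objectClass': ['posixGroup'], 'memberUid': ['bob']},
}


def is_group(entry):
    return any(oc in entry.get('objectClass', []) for oc in GROUP_CLASSES)


def direct_member_dns(entry):
    """member and uniqueMember both denote DN-valued membership."""
    return entry.get('member', []) + entry.get('uniqueMember', [])


def member_uid(entry):
    """uid of a posixAccount entry, or None for anything else."""
    if 'posixAccount' in entry.get('objectClass', []) and entry.get('uid'):
        return entry['uid'][0]
    return None


def flatten(entries, group_dn, _seen=None):
    """Return the set of uids transitively contained in group_dn.

    Every reachable group is expanded once per top-level call; a group seen
    again (a cycle, or a diamond) contributes nothing further, but its uids
    already flowed up to the caller the first time.
    """
    if _seen is None:
        _seen = set()
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    entry = entries[group_dn]
    uids = set(entry.get('memberUid', []))
    for dn in direct_member_dns(entry):
        member = entries.get(dn)
        if member is None:
            continue  # dangling reference: skip rather than fail the whole map
        if is_group(member):
            uids |= flatten(entries, dn, _seen)
        else:
            uid = member_uid(member)
            if uid is not None:
                uids.add(uid)
    return uids


def rdn_value(dn):
    """Value of the first RDN (no escaped-comma handling; illustrative only)."""
    return dn.split(',', 1)[0].split('=', 1)[1]


def flattened_posix_groups(entries):
    """Map posixGroup name -> sorted uids; non-posix groups are only conduits."""
    return {rdn_value(dn): sorted(flatten(entries, dn))
            for dn, entry in entries.items()
            if 'posixGroup' in entry.get('objectClass', [])}


if __name__ == '__main__':
    for name, uids in sorted(flattened_posix_groups(ENTRIES).items()):
        print('%s: %s' % (name, ','.join(uids)))
```

Running it against a real directory would replace ENTRIES with the result of one subtree search over the group and people bases; the closure itself needs no further queries, which is the main speed difference from the shell script above.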

full update fails due to EmptyMap

Original issue 21 created by jaqx0r on 2010-05-05T12:52:54.000Z:

What steps will reproduce the problem?

  1. nsscache update --full

What is the expected output? What do you see instead?
It should do a full update.

CRITICAL:NSSCacheApp:Traceback (most recent call last):
CRITICAL:NSSCacheApp: File "/usr/bin/nsscache", line 33, in <module>
return_value = app.Run(sys.argv[1:], os.environ)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/app.py", line 226, in Run
retval = command_callable().Run(conf=conf, args=args)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 229, in Run
force_lock=options.force_lock)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 272, in
UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental,
force_write=force_write)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 278, in
UpdateFromSource
force_write, location=None)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 318, in
UpdateCacheFromSource
return_val += self.FullUpdateFromMap(cache, source_map, force_write)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 380, in
FullUpdateFromMap
raise error.EmptyMap('Source map empty during full update, aborting. '
CRITICAL:NSSCacheApp:EmptyMap: Source map empty during full update,
aborting. Use --force-write to override.
Traceback (most recent call last):
File "/usr/bin/nsscache", line 33, in <module>
return_value = app.Run(sys.argv[1:], os.environ)
File "/usr/lib64/python2.6/site-packages/nss_cache/app.py", line 226, in Run
retval = command_callable().Run(conf=conf, args=args)
File "/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 229,
in Run
force_lock=options.force_lock)
File "/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 272,
in UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental,
force_write=force_write)
File "/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 278,
in UpdateFromSource
force_write, location=None)
File "/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 318,
in UpdateCacheFromSource
return_val += self.FullUpdateFromMap(cache, source_map, force_write)
File "/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 380,
in FullUpdateFromMap
raise error.EmptyMap('Source map empty during full update, aborting. '
nss_cache.error.EmptyMap: Source map empty during full update, aborting.
Use --force-write to override.

And with --force-write:

CRITICAL:NSSCacheApp:Traceback (most recent call last):
CRITICAL:NSSCacheApp: File "/usr/bin/nsscache", line 33, in <module>
return_value = app.Run(sys.argv[1:], os.environ)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/app.py", line 226, in Run
retval = command_callable().Run(conf=conf, args=args)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 229, in Run
force_lock=options.force_lock)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 272, in
UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental,
force_write=force_write)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 278, in
UpdateFromSource
force_write, location=None)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 318, in
UpdateCacheFromSource
return_val += self.FullUpdateFromMap(cache, source_map, force_write)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 383, in
FullUpdateFromMap
return_val = cache.WriteMap(map_data=new_map)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/caches/base.py", line 228, in
WriteMap
if self.Verify(entries_written):
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.6/site-packages/nss_cache/caches/files.py", line 109,
in Verify
raise error.EmptyMap
CRITICAL:NSSCacheApp:EmptyMap
Traceback (most recent call last):
File "/usr/bin/nsscache", line 33, in <module>
return_value = app.Run(sys.argv[1:], os.environ)
File "/usr/lib64/python2.6/site-packages/nss_cache/app.py", line 226, in Run
retval = command_callable().Run(conf=conf, args=args)
File "/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 229,
in Run
force_lock=options.force_lock)
File "/usr/lib64/python2.6/site-packages/nss_cache/command.py", line 272,
in UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental,
force_write=force_write)
File "/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 278,
in UpdateFromSource
force_write, location=None)
File "/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 318,
in UpdateCacheFromSource
return_val += self.FullUpdateFromMap(cache, source_map, force_write)
File "/usr/lib64/python2.6/site-packages/nss_cache/update.py", line 383,
in FullUpdateFromMap
return_val = cache.WriteMap(map_data=new_map)
File "/usr/lib64/python2.6/site-packages/nss_cache/caches/base.py", line
228, in WriteMap
if self.Verify(entries_written):
File "/usr/lib64/python2.6/site-packages/nss_cache/caches/files.py", line
109, in Verify
raise error.EmptyMap
nss_cache.error.EmptyMap

What version of the product are you using? On what operating system?
0.8.3 and 0.8.8.
Gentoo Linux.

Please provide any additional information below.
nsscache update or verify works fine its just the full update which fails.

Support uniqueMember to identify members of groups from rfc2307bis specification

We use the uniqueMember attribute to identify group membership; it was an alternate (maybe earlier) method in the draft rfc2307bis specification (the member attribute is already supported). It seems rfc2307bis is now an expired specification.

I had originally made the changes before I saw the new support for the other rfc2307bis member attribute and had approached it slightly differently. I wanted to query the DN for each uniqueMember in a group to get the uid, rather than assume the cn and uid are the same. This is performed in a new function called PostProcess. For example, my first attempt at merging my old code into the new version is in commit 8b4cc22 and is untested currently (but the previous version worked fine so the idea works).

We may be able to just use the current member method (and just change it to also support uniqueMember) but comments welcome whether my approach has any merit where uid and cn do not have to be identical.

error when ldap_bind_password is numeric

Original issue 30 created by jaqx0r on 2013-09-22T10:57:08.000Z:

What steps will reproduce the problem?

  1. A properly configured /etc/nsscache.conf with ldap_bind_password = "12345" in it
  2. nsscache update

What is the expected output? What do you see instead?

Expected normal behavior. Got this error instead:

Traceback (most recent call last):
  File "/usr/sbin/nsscache", line 33, in <module>
    return_value = nsscache_app.Run(sys.argv[1:], os.environ)
  File "/usr/lib/pymodules/python2.7/nss_cache/app.py", line 242, in Run
    retval = command_callable().Run(conf=conf, args=args)
  File "/usr/lib/pymodules/python2.7/nss_cache/command.py", line 383, in Run
    errors += self.VerifySources(conf)
  File "/usr/lib/pymodules/python2.7/nss_cache/command.py", line 485, in VerifySources
    source = source_factory.Create(source_options)
  File "/usr/lib/pymodules/python2.7/nss_cache/sources/source_factory.py", line 90, in Create
    return _source_implementations[source_name](conf)
  File "/usr/lib/pymodules/python2.7/nss_cache/sources/ldapsource.py", line 89, in __init__
    self.Bind(conf)
  File "/usr/lib/pymodules/python2.7/nss_cache/sources/ldapsource.py", line 145, in Bind
    cred=configuration['bind_password'])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 831, in simple_bind_s
    res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 812, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 201, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
TypeError: must be string or read-only buffer, not int

What version of the product are you using? On what operating system?

mint 15 xfce (olivia), nsscache 0.21.19-1 installed via apt-get from ubuntu repos.

Please provide any additional information below.

It seems FixValue is applied on the ldap_bind_password config option, which turns it into an integer, which is then rejected by simple_bind_s at ldapsource.py.

Suggested patch/workaround attached, casts configuration['bind_password'] to a string before passing on to simple_bind_s.

chmod 640 /var/lib/misc/shadow.db

Original issue 29 created by jaqx0r on 2013-09-14T22:52:20.000Z:

What steps will reproduce the problem?

  1. nsscache update

  2. ls -l /var/lib/misc/shadow.db

What is the expected output? What do you see instead?

Shouldn't shadow.db be chmodded 0640 after nsscache update? A simple '$ strings /var/lib/misc/shadow.db' reveals (crypt'ed) passwords.

What version of the product are you using? On what operating system?

mint 15 (olivia) xfce, nsscache version 0.21.19-1

Sort Order of cache files

Original issue 11 created by jaqx0r on 2008-07-30T14:08:56.000Z:

It would be good if the .cache files produced were sorted in order as this
makes checking and reading them easier. For example uid 500 before 501.

Thanks

ldap.TIMELIMIT_EXCEEDED while performing full update, python 2.3 system

Original issue 17 created by jaqx0r on 2009-01-21T01:47:00.000Z:

Using nsscache on RHEL4 x86_64 with Python 2.3 and the patch to make
nsscache work with Python 2.3.

Here I performed a full update and quite frequently I get this error.

CRITICAL:NSSCacheApp:Traceback (most recent call last):
CRITICAL:NSSCacheApp: File "/usr/bin/nsscache", line 33, in ?
return_value = app.Run(sys.argv[1:], os.environ)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/app.py", line 232, in Run
retval = command_callable().Run(conf=conf, args=args)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/command.py", line 229, in Run
force_lock=options.force_lock)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/command.py", line 272, in
UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental,
force_write=force_write)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/update.py", line 278, in
UpdateFromSource
force_write, location=None)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/update.py", line 317, in
UpdateCacheFromSource
location=location)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/sources/base.py", line 115, in
GetMap
return self.GetPasswdMap(since)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/sources/ldapsource.py", line
220, in GetPasswdMap
since=since)
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/sources/ldapsource.py", line
423, in GetUpdates
for obj in source:
CRITICAL:NSSCacheApp: File
"/usr/lib/python2.3/site-packages/nss_cache/sources/ldapsource.py", line
183, in __iter__
timeout=self.conf['timelimit'])
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 392, in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 398, in result2
return self._ldap_call(self._l.result2,msgid,all,timeout)
CRITICAL:NSSCacheApp: File
"/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
result = func(*args,**kwargs)
CRITICAL:NSSCacheApp:TIMELIMIT_EXCEEDED: {'info': '', 'desc': 'Time limit
exceeded'}
Traceback (most recent call last):
File "/usr/bin/nsscache", line 33, in ?
return_value = app.Run(sys.argv[1:], os.environ)
File "/usr/lib/python2.3/site-packages/nss_cache/app.py", line 232, in Run
retval = command_callable().Run(conf=conf, args=args)
File "/usr/lib/python2.3/site-packages/nss_cache/command.py", line 229,
in Run
force_lock=options.force_lock)
File "/usr/lib/python2.3/site-packages/nss_cache/command.py", line 272,
in UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental,
force_write=force_write)
File "/usr/lib/python2.3/site-packages/nss_cache/update.py", line 278, in
UpdateFromSource
force_write, location=None)
File "/usr/lib/python2.3/site-packages/nss_cache/update.py", line 317, in
UpdateCacheFromSource
location=location)
File "/usr/lib/python2.3/site-packages/nss_cache/sources/base.py", line
115, in GetMap
return self.GetPasswdMap(since)
File "/usr/lib/python2.3/site-packages/nss_cache/sources/ldapsource.py",
line 220, in GetPasswdMap
since=since)
File "/usr/lib/python2.3/site-packages/nss_cache/sources/ldapsource.py",
line 423, in GetUpdates
for obj in source:
File "/usr/lib/python2.3/site-packages/nss_cache/sources/ldapsource.py",
line 183, in iter
timeout=self.conf['timelimit'])
File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 392,
in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 398,
in result2
return self._ldap_call(self._l.result2,msgid,all,timeout)
File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 94, in
_ldap_call
result = func(args,*kwargs)
ldap.TIMELIMIT_EXCEEDED: {'info': '', 'desc': 'Time limit exceeded'}

More robust LDAP error handling

Original issue 13 created by jaqx0r on 2008-08-01T21:02:29.000Z:

nsscache doesn't handle LDAP errors very gracefully at the moment.

For example, I made a typo in my group base dn, and instead of an error message that it was
incorrect I got this output:

CRITICAL:NSSCacheApp:Traceback (most recent call last):
CRITICAL:NSSCacheApp: File "/usr/bin/nsscache", line 33, in ?
return_value = app.Run(sys.argv[1:], os.environ)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/nss_cache/app.py", line 219,
in Run
retval = command_callable().Run(conf=conf, args=args)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/nss_cache/command.py",
line 228, in Run
force_lock=options.force_lock)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/nss_cache/command.py",
line 271, in UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental, force_write=force_write)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/nss_cache/update.py", line
216, in UpdateFromSource
force_write, location=None)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/nss_cache/update.py", line
254, in UpdateCacheFromSource
location=location)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/nss_cache/sources/base.py",
line 117, in GetMap
return self.GetGroupMap(since)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-
packages/nss_cache/sources/ldapsource.py", line 236, in GetGroupMap
since=since)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-
packages/nss_cache/sources/ldapsource.py", line 423, in GetUpdates
for obj in source:
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-
packages/nss_cache/sources/ldapsource.py", line 183, in iter
timeout=self.conf['timelimit'])
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line
405, in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line
409, in result2
res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line
415, in result3
rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout)
CRITICAL:NSSCacheApp: File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 94,
in _ldap_call
result = func(args,*kwargs)
CRITICAL:NSSCacheApp:NO_SUCH_OBJECT: {'info': '', 'matched': 'dc=mycompany,dc=com', 'desc':
'No such object'}
Traceback (most recent call last):
File "/usr/bin/nsscache", line 33, in ?
return_value = app.Run(sys.argv[1:], os.environ)
File "/usr/lib64/python2.4/site-packages/nss_cache/app.py", line 219, in Run
retval = command_callable().Run(conf=conf, args=args)
File "/usr/lib64/python2.4/site-packages/nss_cache/command.py", line 228, in Run
force_lock=options.force_lock)
File "/usr/lib64/python2.4/site-packages/nss_cache/command.py", line 271, in UpdateMaps
retval = updater.UpdateFromSource(source, incremental=incremental, force_write=force_write)
File "/usr/lib64/python2.4/site-packages/nss_cache/update.py", line 216, in
UpdateFromSource
force_write, location=None)
File "/usr/lib64/python2.4/site-packages/nss_cache/update.py", line 254, in
UpdateCacheFromSource
location=location)
File "/usr/lib64/python2.4/site-packages/nss_cache/sources/base.py", line 117, in GetMap
return self.GetGroupMap(since)
File "/usr/lib64/python2.4/site-packages/nss_cache/sources/ldapsource.py", line 236, in
GetGroupMap
since=since)
File "/usr/lib64/python2.4/site-packages/nss_cache/sources/ldapsource.py", line 423, in
GetUpdates
for obj in source:
File "/usr/lib64/python2.4/site-packages/nss_cache/sources/ldapsource.py", line 183, in
iter
timeout=self.conf['timelimit'])
File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 405, in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 409, in result2
res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 415, in result3
rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout)
File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
result = func(args,*kwargs)
ldap.NO_SUCH_OBJECT: {'info': '', 'matched': 'dc=mycompany,dc=com', 'desc': 'No such object'}

It makes it quite difficult to ascertain what the problem is, especially since the problem was not
the dc=mycompany,dc=com but the fact that I had used ou=groups,dc=mycompany,dc=com
instead of cn=groups,dc=mycompany,dc=com.

It would be nice if it had a simple error message instead of a stack dump, and even nicer if it
identified which setting was incorrect.

Support python 2.3

Original issue 15 created by jaqx0r on 2008-11-12T03:34:48.000Z:

There are a number of 2.4isms in the codebase, and the attached patch
removes them. I've tested that things still work under 2.4. The only
thing that isn't backwards-compatible is the removal of "import
subprocess". I don't know what to do about that -- since I don't use the
db backend (didn't work for me at all well under 2.4, and it's apparently
slower anyway) I have to say my care factor is minimal. nsscache verify
needs to spawn a process to verify shadow maps, though (well done to
Python for not having a shadow library), but I'm having trouble working out
what subprocess does that, say, popen3 couldn't do.

Rename nss_cache directory to nsscache

Original issue 3 created by jaqx0r on 2008-01-25T21:21:39.000Z:

Hi again,

The program is called nsscache, but the modules install under nss_cache.
This is inconsistent, and makes packaging harder.

glibc makedb no longer compatible with berkeley db

Original issue 27 created by jaqx0r on 2012-06-27T00:14:13.000Z:

What steps will reproduce the problem?

  1. Use nsscache on a system with glibc's new integrated db code (ex: Fedora 17)
  2. Setup and run nsscache

What is the expected output? What do you see instead?

  • after makedb is spawned off to create the db file, it later can't be opened by bsddb.btopen:

DEBUG:NssDbPasswdHandler:executing makedb: /usr/bin/makedb - /var/lib/misc/nsscache-cache-file-zuFOGl
DEBUG:NssDbPasswdHandler:17 entries written, 34 keys
DEBUG:NssDbPasswdHandler:verification started with /var/lib/misc/nsscache-cache-file-zuFOGl
udpate rmtree /var/lib/misc/nsscache-passwd-yAP1VQ
Traceback (most recent call last):
File "/bin/nsscache", line 33, in <module>
return_value = nsscache_app.Run(sys.argv[1:], os.environ)
File "/usr/lib/python2.7/site-packages/nss_cache/app.py", line 242, in Run
retval = command_callable().Run(conf=conf, args=args)
File "/usr/lib/python2.7/site-packages/nss_cache/command.py", line 235, in Run
force_lock=options.force_lock)
File "/usr/lib/python2.7/site-packages/nss_cache/command.py", line 307, in UpdateMaps
force_write=force_write)
File "/usr/lib/python2.7/site-packages/nss_cache/update/updater.py", line 256, in UpdateFromSource
force_write, location=None)
File "/usr/lib/python2.7/site-packages/nss_cache/update/map_updater.py", line 79, in UpdateCacheFromSource
return_val += self.FullUpdateFromMap(cache, source_map, force_write)
File "/usr/lib/python2.7/site-packages/nss_cache/update/map_updater.py", line 144, in FullUpdateFromMap
return_val = cache.WriteMap(map_data=new_map)
File "/usr/lib/python2.7/site-packages/nss_cache/caches/caches.py", line 212, in WriteMap
if force_write or self.Verify(entries_written):
File "/usr/lib/python2.7/site-packages/nss_cache/caches/nssdb.py", line 214, in Verify
db = bsddb.btopen(self.temp_cache_filename, 'r')
File "/usr/lib64/python2.7/bsddb/init.py", line 381, in btopen
d.open(file, db.DB_BTREE, flags, mode)
bsddb.db.DBInvalidArgError: (22, 'Invalid argument -- __db_meta_setup: /var/lib/misc/nsscache-cache-file-zuFOGl: unexpected file type or format')

What version of the product are you using? On what operating system?

nsscache-0.21.17

# rpm -qf `which makedb`
glibc-common-2.15-37.fc17.x86_64

Fedora release 17 (Beefy Miracle)


Please provide any additional information below.

See https://bugzilla.redhat.com/show_bug.cgi?id=834912 for more info, and a "working as intended" response.

http://b/issue?id=2622603

Original issue 19 created by jaqx0r on 2010-04-26T12:07:55.000Z:

What steps will reproduce the problem?

  1. Attempt to use nsscache against an LDAP infrastructure that requires TLS
     for all clients.
  2. Get errors.

What is the expected output? What do you see instead?
I expect to be able to add a TLS flag to /etc/nsscache.conf and have
nsscache use TLS.

What version of the product are you using? On what operating system?
nss-cache-0.8.3 on Gentoo Linux.

Please provide any additional information below.

/etc/group.cache lists group members with distinguished name instead of username

Original issue 34 created by jaqx0r on 2014-09-07T08:33:27.000Z:

What steps will reproduce the problem?

  1. Group definition in LDAP:

dn: cn=thglanzm,ou=Groups,dc=domain,dc=de
objectClass: posixGroup
cn: thglanzm
gidNumber: 10074
memberUid: uid=thglanzm,ou=People,dc=domain,dc=de
structuralObjectClass: posixGroup
entryUUID: f3fffb3c-8994-1033-82c3-d574d9524b6e
creatorsName: cn=manager,dc=domain,dc=de
createTimestamp: 20140616112732Z
entryCSN: 20140616112732.904794Z#000000#000#000000
modifiersName: cn=manager,dc=domain,dc=de
modifyTimestamp: 20140616112732Z

  2. Nsscache configuration:

[DEFAULT]
source = ldap
cache = files
maps = passwd, group, shadow, sshkey
timestamp_dir = /var/lib/nsscache
ldap_uri = ldap://ldap1
ldap_base = dc=domain,dc=de
ldap_filter = (objectclass=posixAccount)
ldap_bind_dn = "cn=pam,dc=domain,dc=de"
ldap_bind_password = "password"
nssdb_dir = /var/lib/misc
files_dir = /etc
files_cache_filename_suffix = cache

[passwd]
ldap_base = ou=People,dc=domain,dc=de

[group]
ldap_base = ou=Groups,dc=domain,dc=de
ldap_filter = (objectclass=posixGroup)
rfc2307bis = 1

[shadow]
ldap_filter = (objectclass=shadowAccount)

[sshkey]
ldap_base = ou=People,dc=domain,dc=de

  3. Run nsscache update and cat /etc/group:

grep ^thglanzm /etc/group.cache
thglanzm:*:10074:uid=thglanzm,ou=People,dc=domain,dc=de

What is the expected output? What do you see instead?

Expected Output:
grep ^thglanzm /etc/group.cache
thglanzm:*:10074:thglanzm

I see instead:
grep ^thglanzm /etc/group.cache
thglanzm:*:10074:uid=thglanzm,ou=People,dc=domain,dc=de

What version of the product are you using? On what operating system?

I used the latest release nsscache-0.23.tar.gz and the git head as of
2014-09-07.

Please provide any additional information below.

I wrote a small patch which I assume is wrong because it fights the symptoms instead of removes the root cause. Can someone who knows python and knows the code base better, please write a proper patch?
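As an added illustration of the normalisation the reporter is asking for (example code, not nsscache's own or the reporter's patch): with rfc2307bis the group's member attribute carries a full DN, and on this directory even memberUid does, while /etc/group needs the bare user name. The attribute names and the convention that the leading RDN of a user DN is uid= are assumptions about the directory.

```python
"""Reduce LDAP group membership values to POSIX user names."""
import logging
import re

log = logging.getLogger('group_members')

# One RDN of the form type=value; the value may carry "\," escapes.
_RDN_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def _text(value):
    """python-ldap 3 returns bytes, older versions returned str; accept both."""
    return value.decode('utf-8') if isinstance(value, bytes) else value


def split_dn(dn):
    """Split a DN into its RDN strings without breaking on escaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def uid_from_dn(dn):
    """Value of the leading uid= RDN (type compared case-insensitively), or None."""
    rdns = split_dn(dn)
    m = _RDN_RE.match(rdns[0]) if rdns else None
    if not m or m.group(1).lower() != 'uid':
        return None
    # Drop the backslash escapes so the name is what the uid attribute holds.
    return re.sub(r'\\(.)', r'\1', m.group(2)).strip()


def looks_like_dn(value):
    """True for 'type=value,...'; a POSIX user name never contains '='."""
    return _RDN_RE.match(value) is not None


def group_members(entry, rfc2307bis=False):
    """Member user names of a group entry given as {attr: [values]}.

    memberUid values are normally bare names.  With rfc2307bis the member
    attribute holds DNs, which are reduced to their uid.  A memberUid that
    itself holds a DN (the reporter's directory) is reduced the same way
    instead of being copied verbatim into the group file.
    """
    names = []
    attrs = ['memberUid', 'member'] if rfc2307bis else ['memberUid']
    for attr in attrs:
        for raw in entry.get(attr, []):
            value = _text(raw)
            if looks_like_dn(value):
                name = uid_from_dn(value)
                if name is None:
                    log.warning('%s value %r has no uid RDN, skipped', attr, value)
                    continue
            else:
                name = value
            if name and name not in names:
                names.append(name)
    return names


def group_line(entry, rfc2307bis=False):
    """Render one group-file line: name:*:gid:member1,member2."""
    return '%s:*:%s:%s' % (_text(entry['cn'][0]), _text(entry['gidNumber'][0]),
                            ','.join(group_members(entry, rfc2307bis)))


# Constructed sample: the posixGroup from the report, minus operational attributes.
SAMPLE_GROUP = {
    'cn': ['thglanzm'],
    'gidNumber': ['10074'],
    'memberUid': ['uid=thglanzm,ou=People,dc=domain,dc=de'],
}

if __name__ == '__main__':
    print(group_line(SAMPLE_GROUP, rfc2307bis=True))  # thglanzm:*:10074:thglanzm
```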

How to sync passwd & shadow with rfc2307bis ?

Original issue 33 created by jaqx0r on 2014-08-28T04:45:48.000Z:

What steps will reproduce the problem?

  1. After installing nsscache from the official Ubuntu repositories, I figure nsscache synchronization for passwd, groups & shadow.
  2. The command for sync is similar to $nsscache update --full
  3. But the command is only successful with the group; the passwd & shadow didn't sync at all (:Update:Source map empty during full update, aborting)
  4. When I tried with --force-write, the passwd & shadow were still empty.

What is the expected output? What do you see instead?

Our infrastructure uses OpenLDAP for authentication; the rfc2307bis.schema was used to contain the uid & userPassword attributes.

Do I need any tips / tricks for nsscache sync with these attributes ?

What version of the product are you using? On what operating system?

OS : Ubuntu 14.04
NSScache :nsscache 0.23-2

Thanks for your recommendation

[PATCH] SASL GSSAPI authentication support

Original issue 28 created by jaqx0r on 2013-07-01T12:20:00.000Z:

What steps will reproduce the problem?

  1. kinit
  2. Try to search kerberos-authenticated directory

What is the expected output? What do you see instead?
Auth error is displayed instead of search results

What version of the product are you using? On what operating system?
Debian wheezy, nsscache v0.21.19

Please provide any additional information below.
The patch is in attached file.

Spec files

Original issue 16 created by jaqx0r on 2009-01-06T03:03:45.000Z:

Here are some basic spec files to build RPMs for both components.

Tagging of versions

Hi,

You've been updating the debian/ tags but not the version/ tags. Can you update the version tag so other OSes can point to it for packaging?

using fullName where gecos and cn don't exist

Original issue 7 created by jaqx0r on 2008-04-18T13:35:38.000Z:

Here at Cardiff University we have a Novell e-directory system where
LDAP/posixAccount functionality was added late. This means the directory
structure is a bit idiosyncratic.

Anyway to cut to the chase: account entries lack gecos or cn. To get around
this I edited ldapsource to use fullName if cn or gecos were not found.


diff -uNr nsscache-0.7.3.dist/nss_cache/sources/ldapsource.py
nsscache-0.7.3/nss_cache/sources/ldapsource.py
--- nsscache-0.7.3.dist/nss_cache/sources/ldapsource.py 2008-04-09
05:46:33.000000000 +0100
+++ nsscache-0.7.3/nss_cache/sources/ldapsource.py 2008-04-18
14:32:32.000000000 +0100
@@ -373,7 +373,7 @@
def init(self):
super(PasswdUpdateGetter, self).init()
self.attrs = ['uid', 'uidNumber', 'gidNumber', 'gecos', 'cn',

  •              'homeDirectory', 'loginShell']
    
  •              'homeDirectory', 'loginShell', 'fullName']
    

    self.essential_fields = ['uid', 'uidNumber', 'gidNumber', 'homeDirectory']

    def CreateMap(self):
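Review bot: adding 'fullName' to self.attrs in this hunk bakes a Novell eDirectory attribute name into the attribute list that every LDAP server is asked for; harmless where the attribute does not exist, but it is exactly the site-specific schema mapping the post itself wants in a [mappings] section, so consider reading the gecos source attribute from the config (defaulting to gecos/cn) and building self.attrs from that rather than growing the hardcoded list.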
    @@ -389,7 +389,10 @@
    pw.gecos = obj['gecos'][0]
    elif 'cn' in obj:
    pw.gecos = obj['cn'][0]

  • elif 'fullName' in obj:

  •  pw.gecos = obj['fullName'][0]
    

    else:
    raise ValueError('Neither gecos nor cn found')

    pw.name = obj['uid'][0]
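Review bot: the else branch kept as context still raises ValueError('Neither gecos nor cn found') even though the new elif makes fullName a third accepted source; update the message to name all three (e.g. 'Neither gecos, cn nor fullName found') so an operator reading the log is not pointed at the wrong attributes. As with the first hunk, a config-driven attribute name would avoid hardcoding the fallback order in CreateMap.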


in the short term this works but is a bit inelegant. I guess being able to
add mappings into the config would be nice e.g:

[mappings]
gecos = fullName

and have that config change the way that attributes are looked up

ldapsource.py expects `modifyTimestamp` instead of `modifyTimeStamp`

Stack trace; notice 'modifyTimeStamp': ['20150920045950.0Z'] on line 2 and the exception at the bottom: KeyError: 'modifyTimestamp':

DEBUG:LdapSource:searching for base='dc=ad,dc=selinc,dc=com', filter='(&(objectCategory=Person)(uidNumber=*)(gidNumber=*))', scope=2, attrs=['uid', 'shadowLastChange', 'shadowMin', 'shadowMax', 'shadowWarning', 'shadowInactive', 'shadowExpire', 'shadowFlag', 'userPassword', 'modifyTimestamp']
obj:{'uid': ['timti'], 'modifyTimeStamp': ['20150920045950.0Z']}
Traceback (most recent call last):
  File "/usr/local/bin/nsscache", line 33, in <module>
    return_value = nsscache_app.Run(sys.argv[1:], os.environ)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/app.py", line 240, in Run
    retval = command_callable().Run(conf=conf, args=args)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/command.py", line 230, in Run
    force_lock=options.force_lock)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/command.py", line 312, in UpdateMaps
    force_write=force_write)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource
    force_write, location=None)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource
    location=location)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/source.py", line 69, in GetMap
    return self.GetShadowMap(since)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 325, in GetShadowMap
    since=since)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 507, in GetUpdates
    obj_ts = self.FromLdapToTimestamp(obj['modifyTimestamp'][0])
KeyError: 'modifyTimestamp'

The lookup expects modifyTimestamp, but LDAP gives modifyTimeStamp.

The quick fix is to change the string in ldapsource.py (recommend changing entire file for consistency).

The better fix would be to make comparisons case-insensitive. Hypothetically, an LDAP server could send us modifyTimestamp.
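The case-insensitive comparison suggested above, as an added example (not nsscache's own code): LDAP attribute type names are case-insensitive per RFC 4512, so a server may answer a request for modifyTimestamp with modifyTimeStamp. The wrapper below makes lookups ignore case, and the timestamp parser handles the GeneralizedTime value the trace shows; the class and function names are this example's own.

```python
"""Case-insensitive access to LDAP entry attributes plus timestamp parsing."""
import calendar
import re
import time

# RFC 4517 GeneralizedTime as directories commonly emit it:
# YYYYMMDDHHMMSS[.fraction]Z  (only the UTC form is accepted here).
_GENTIME_RE = re.compile(r'^(\d{14})(?:[.,](\d+))?Z$')


class LdapEntry(dict):
    """Dict of attribute name -> list of values, with case-insensitive lookups."""

    def __init__(self, attrs=None):
        super().__init__()
        for key, values in (attrs or {}).items():
            self[key] = values

    @staticmethod
    def _norm(key):
        return key.lower()

    def __setitem__(self, key, values):
        super().__setitem__(self._norm(key), list(values))

    def __getitem__(self, key):
        return super().__getitem__(self._norm(key))

    def __contains__(self, key):
        return super().__contains__(self._norm(key))

    def get(self, key, default=None):
        return super().get(self._norm(key), default)

    def first(self, key, default=None):
        """First value of an attribute, decoded from bytes if python-ldap gave bytes."""
        values = self.get(key)
        if not values:
            return default
        value = values[0]
        return value.decode('utf-8') if isinstance(value, bytes) else value


def ldap_time_to_epoch(value):
    """Convert an LDAP GeneralizedTime string in UTC to a Unix timestamp."""
    m = _GENTIME_RE.match(value.strip())
    if not m:
        raise ValueError('unsupported LDAP timestamp: %r' % value)
    parsed = time.strptime(m.group(1), '%Y%m%d%H%M%S')
    return calendar.timegm(parsed)  # fractional seconds are dropped


def entry_timestamp(entry):
    """modifyTimestamp of an entry whatever the server's spelling, or None if absent."""
    value = entry.first('modifyTimestamp')
    return None if value is None else ldap_time_to_epoch(value)


# Constructed sample: the object printed in the trace above.
SAMPLE_OBJ = {'uid': ['timti'], 'modifyTimeStamp': ['20150920045950.0Z']}

if __name__ == '__main__':
    entry = LdapEntry(SAMPLE_OBJ)
    print(entry.first('uid'), entry_timestamp(entry))  # timti 1442725190
```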

Incorrect values in default /etc/nsscache.conf

Original issue 6 created by jaqx0r on 2008-03-05T19:23:51.000Z:

The default /etc/nsscache.conf has the following section right at the bottom:

[automount]
cache = files

Upon running nsscache I get the following error:

RuntimeError: map 'automount' not supported by cache 'files'

According to the wiki, automount is not supported yet anyhow, so this should be removed from the
default config.

add "debug" or "ldap_debug" to ldap source options, should take an integer

Original issue 31 created by jaqx0r on 2014-02-01T22:30:43.000Z:

What steps will reproduce the problem?

  1. Basically, if I configured nsscache so that ldap-debugging is enabled, it makes it much easier to debug ldap problems. Currently I have to edit the ldapsource.py source code to set conn.set_option(ldap.OPT_DEBUG_LEVEL, 3). It would be great if there was a config option for this.

What is the expected output? What do you see instead?

Delicious debug output from ldap, so that I can determine why I received weird protocol errors :/

What version of the product are you using? On what operating system?

nsscache 0.23, Gentoo.

Please provide any additional information below.

[PATCH] move cache files to /var/lib

Original issue 10 created by jaqx0r on 2008-07-21T19:18:03.000Z:

Since cache files are regularly modified, it seems to make more sense,
according to the Linux Filesystem Hierarchy Standard, to put the files in
/var/lib; this would also allow for a read-only /etc.

userPassword Issue

Original issue 12 created by jaqx0r on 2008-07-30T14:09:55.000Z:

To enable userPassword to work from my LDAP I needed to change the source
line in ldapsource.py to 'crypt' not 'CRYPT'. I think this should be made a
case-insensitive check, then both would be allowed. My other comment on
that section is: would it not be better, rather than to ignore users with
no crypt password, to put an '!x' in the field so that they at least
get populated?
> if 'userPassword' in obj:
>     passwd = obj['userPassword'][0]
>     if passwd[:7] == "{crypt}":
>         shadow_ent.passwd = passwd[7:]
>     else:
>         shadow_ent.passwd = '!x'
>         logging.info('Ignored password that was not in crypt format')
> return shadow_ent

Permissions on /etc/nsscache.conf after installation

Original issue 5 created by jaqx0r on 2008-03-05T19:21:29.000Z:

After installing nsscache, the default permissions on /etc/nsscache.conf are 444. They should be
something more sane like 640, or maybe the more secure 600. A less alert sysadmin might forget
to remove read access for others and expose their LDAP password.

[PATCH] add support for RFC2307BIS

Original issue 8 created by jaqx0r on 2008-07-21T18:33:53.000Z:

Attached is a patch to add support for rfc2307bis which stores the full
user dn in the member attribute of a group rather than just the uid. Let me
know if you would like the patch reworked, it is my first time writing any
python code and it took me a while to grok how things were setup.

How to handle spaces in user names?

I don't know why my location's LDAP server is giving me user names with spaces, but it causes the update command to fail (at least the first time). Sample debug output (names tweaked for privacy):

DEBUG:NssDbShadowHandler:missing: set(['.Rose Rosey', '.Proj Trainer', '.Jim Knuth', '.Jerry Demo', '.Main Supervisors'])

On the error

  • The temp file contents do include strings like ^U^@^ARose Rosey:*:::::::0^@^E^@^A01115^V^@^A, so it's not being read back properly.
  • The cache keys, read back for verification, include items like .Rose and .Proj, with the second half truncated.

Wait a minute

Unix shortnames can't include spaces anyway, right?

Proposed Solutions:

  1. Ignore names with spaces on verification step.
  2. Ignore names with spaces on Write step.

Suggestions welcome. 2 seems like the right thing to do to me.

More error text

DEBUG:NssDbShadowHandler:Map contains 4982 elems
DEBUG:NssDbShadowHandler:executing makedb: /usr/bin/makedb - /var/lib/misc/nsscache-cache-file-qTfB8O
DEBUG:NssDbShadowHandler:4982 entries written, 4982 keys
DEBUG:NssDbShadowHandler:verification started /var/lib/misc/nsscache-cache-file-qTfB8O
DEBUG:NssDbShadowHandler:4982 written keys, 9964 cache keys
WARNING:NssDbShadowHandler:verify failed: written keys missing from the on-disk cache!
DEBUG:NssDbShadowHandler:missing: set(['.Rose Rosey', '.Proj Trainer', '.Jim Knuth', '.Jerry Demo', '.Main Supervisors'])
DEBUG:NssDbShadowHandler:rolling back, (not) deleting temp cache file '/var/lib/misc/nsscache-cache-file-qTfB8O'
WARNING:NssDbShadowHandler:verification failed, exiting
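Option 2 from the post, ignoring unsafe names at the write step, as an added example (not nsscache's own code). makedb reads each input line as a whitespace-delimited key followed by its data, which is consistent with "Rose Rosey" coming back as the key ".Rose" above; filtering such names before the write keeps one bad directory entry from aborting the whole cache update. The character policy is an assumption to adapt to local naming rules.

```python
"""Reject user or group names that cannot be stored in an NSS cache."""
import logging
import re

log = logging.getLogger('name_filter')

# Portable name: letter or underscore first, then letters, digits,
# underscore, dot or hyphen, optional trailing '$' for machine accounts.
_SAFE_NAME_RE = re.compile(r'^[a-z_][a-z0-9_.-]{0,31}\$?$', re.IGNORECASE)
_MAX_NAME_LEN = 32


def name_problem(name):
    """Return a short reason the name is unsafe for a cache, or None if it is fine."""
    if not name:
        return 'empty'
    if any(ch.isspace() for ch in name):
        return 'contains whitespace'
    if ':' in name:
        return 'contains field separator'
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in name):
        return 'non-printable or non-ASCII'
    if len(name) > _MAX_NAME_LEN:
        return 'longer than %d characters' % _MAX_NAME_LEN
    if not _SAFE_NAME_RE.match(name):
        return 'not a portable user name'
    return None


def filter_map(entries, name_of=lambda e: e['name']):
    """Split entries into (kept, rejected) and log each rejection.

    ``entries`` is any iterable of records; ``name_of`` extracts the user or
    group name from one record.  ``rejected`` is a list of (name, reason).
    """
    kept, rejected = [], []
    for entry in entries:
        name = name_of(entry)
        reason = name_problem(name)
        if reason is None:
            kept.append(entry)
        else:
            rejected.append((name, reason))
            log.warning('skipping entry %r: %s', name, reason)
    return kept, rejected


# Constructed sample shadow-style records, modelled on the names in the post.
SAMPLE_ENTRIES = [
    {'name': 'timti', 'passwd': '*'},
    {'name': 'Rose Rosey', 'passwd': '*'},
    {'name': 'proj-trainer', 'passwd': '*'},
    {'name': 'jim:knuth', 'passwd': '*'},
]

if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    kept, rejected = filter_map(SAMPLE_ENTRIES)
    print([e['name'] for e in kept], rejected)
```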

Reusing UID causes both old and new user to appear in the cache

Original issue 14 created by jaqx0r on 2008-09-15T22:19:41.000Z:

What steps will reproduce the problem?

  1. Delete a user from the LDAP directory
  2. Create a new user in the directory with the same UID as the user who was deleted
  3. Update the cache

What is the expected output? What do you see instead?
Only the new user should appear. However, "getent passwd" will show both users, with the same
UID. I confirmed that deleting the cache and regenerating it from scratch gets rid of the old entry.

What version of the product are you using? On what operating system?
0.8.0 on Gentoo Linux. Apple's Open Directory on OS X 10.5

Dies if using http and gets an empty response from server

http_ts_string does not get set if the response from the server is empty. Here is a patch that is a quick fix that shows where the problem is.

From d64a55eb5ecd06c8aeb90a45f695db55e6080b81 Mon Sep 17 00:00:00 2001
From: Eli Criffield [email protected]
Date: Wed, 20 May 2015 13:04:55 -0500
Subject: [PATCH 1/1] add http_ts_string before it's referenced


nss_cache/sources/httpsource.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/nss_cache/sources/httpsource.py b/nss_cache/sources/httpsource.py
index cc4f3d5..db91214 100644
--- a/nss_cache/sources/httpsource.py
+++ b/nss_cache/sources/httpsource.py
@@ -269,6 +269,7 @@ class UpdateGetter(object):
headers = headers.split('\r\n')
last_modified = conn.getinfo(pycurl.INFO_FILETIME)
self.log.debug('last modified: %s', last_modified)

  • http_ts_string = 'Sun, 01 Nov 1970 00:00:00 GMT'
    if last_modified == -1:
    for header in headers:
    if header.lower().startswith('last-modified'):
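Review bot: the sentinel http_ts_string = 'Sun, 01 Nov 1970 00:00:00 GMT' is assigned unconditionally before the `if last_modified == -1:` branch, so an empty response (no INFO_FILETIME and no Last-Modified header) now gets a fabricated date instead of failing; that stops the run from dying, as the post intends, but the value is a silent guess. Suggest logging a warning in the `last_modified == -1` path when no Last-Modified header turns up either, and a comment on the sentinel saying it means "no timestamp available" so a later reader does not take 1 Nov 1970 for real data.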
    --
    2.2.0.rc0.207.ga3a616c

xscreensaver won't unlock

Original issue 36 created by jaqx0r on 2014-09-12T22:44:46.000Z:

What steps will reproduce the problem?

  1. Start an X session as some user in the nsscache database (I'm using Linux Mint/XFCE, nsscache uses the "files" cache style)
  2. Lock the screen with xscreensaver
  3. Try to unlock by entering the password

What is the expected output? What do you see instead?

I should be back to my X session. Instead, I get a "authentication failure".

What version of the product are you using? On what operating system?

nsscache 0.23-2 on Linux Mint 17 (Xfce) (default package installed via apt-get)

Please provide any additional information below.

The problem appears to be that xscreensaver uses pam_unix for user authentication, and pam_unix apparently requires shadow files to be owned by group "shadow". Ownership of the original files should be preserved across the cache files. Currently only permission bits are preserved.

Attached proposed patch, which copies ownership (uid/gid) data over to the cache files in addition to perm bits.

Tested and working with "files" cache. Not tested with berkeley db style cache.
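What the report asks for, as an added example (not the attached patch or nsscache's own code): when the new cache is written to a temporary file and renamed over the old one, copy the existing file's uid/gid as well as its permission bits, so a shadow cache owned by root:shadow with mode 0640 stays readable to pam_unix after the update. Paths here are parameters; the real locations come from nsscache.conf.

```python
"""Replace a cache file while preserving the original's mode and ownership."""
import os
import stat
import tempfile


def copy_owner_and_mode(src_path, dst_path, default_mode=0o644):
    """Apply src's mode bits and uid/gid to dst; returns (mode, uid, gid) applied.

    If src does not exist yet (first run), only default_mode is applied and
    the current process's uid/gid are reported.
    """
    try:
        st = os.stat(src_path)
    except FileNotFoundError:
        os.chmod(dst_path, default_mode)
        return default_mode, os.getuid(), os.getgid()
    mode = stat.S_IMODE(st.st_mode)
    # chown first: changing ownership can clear setuid/setgid bits, so
    # applying the mode afterwards restores exactly what src had.
    os.chown(dst_path, st.st_uid, st.st_gid)
    os.chmod(dst_path, mode)
    return mode, st.st_uid, st.st_gid


def write_cache_file(path, lines, default_mode=0o644):
    """Atomically replace ``path`` with ``lines``, keeping its ownership and mode."""
    directory = os.path.dirname(path) or '.'
    fd, tmp_path = tempfile.mkstemp(prefix=os.path.basename(path) + '.', dir=directory)
    try:
        with os.fdopen(fd, 'w') as fh:  # mkstemp gives 0600, nobody else sees the draft
            for line in lines:
                fh.write(line + '\n')
            fh.flush()
            os.fsync(fh.fileno())
        applied = copy_owner_and_mode(path, tmp_path, default_mode)
        os.rename(tmp_path, path)  # atomic on the same filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return applied


def file_owner_and_mode(path):
    """(mode, uid, gid) of an existing file, for checking the result."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid


def demo():
    """Run the replacement in a scratch directory; returns (applied, observed, content)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, 'shadow.cache')
        with open(target, 'w') as fh:  # constructed stand-in for /etc/shadow.cache
            fh.write('old:*:::::::\n')
        os.chmod(target, 0o640)
        applied = write_cache_file(target, ['timti:*:::::::'])
        observed = file_owner_and_mode(target)
        with open(target) as fh:
            content = fh.read()
    return applied, observed, content


if __name__ == '__main__':
    print(demo())
```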

[PATCH] fix hardcoded errno value

Original issue 25 created by jaqx0r on 2011-09-18T08:06:20.000Z:

Currently nsscache compares an 'errno' value with a hardcoded numeric value, instead of using the constants of the 'errno' Python module.
This can lead to bugs, since E* values can differ per OS, and even per architecture for the same OS.

The attached patch (made on SVN trunk r116) fixes the issue.

Missing Home Directory Causes Crash

Code currently considers home directory a mandatory field, but

  1. Some servers (at least mine) give users without home directories
  2. The field isn't required in the passwd file anyway

WARNING:root:invalid object passed: 'homeDirectory' not in {'cn': ['timti'], 'loginShell': ['/bin/bash'], 'uidNumber': ['27'], 'gidNumber': ['11'], 'modifyTimeStamp': ['20150920045950.0Z'], 'uid': ['timti']}
Traceback (most recent call last):
  File "/usr/local/bin/nsscache", line 33, in <module>
    return_value = nsscache_app.Run(sys.argv[1:], os.environ)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/app.py", line 240, in Run
    retval = command_callable().Run(conf=conf, args=args)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/command.py", line 230, in Run
    force_lock=options.force_lock)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/command.py", line 303, in UpdateMaps
    force_write=force_write)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource
    force_write, location=None)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource
    location=location)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/source.py", line 63, in GetMap
    return self.GetPasswdMap(since)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 345, in GetPasswdMap
    since=since)
  File "/usr/local/lib/python2.7/dist-packages/nss_cache/sources/ldapsource.py", line 563, in GetUpdates
    raise ValueError('Invalid object passed: %r', obj)
ValueError: ('Invalid object passed: %r', {'cn': ['timti'], 'loginShell': ['/bin/bash'], 'uidNumber': ['27'], 'gidNumber': ['11'], 'modifyTimeStamp': ['20150920045950.0Z'], 'uid': ['timti']})

Proposal: make home directory optional.

This website tells me that home directory is optional in the passwd file: http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

Python 2.6 compatibility

Original issue 23 created by jaqx0r on 2010-09-14T10:17:26.000Z:

New distributions (Ubuntu Lucid in my case) don't ship with Python 2.4, and it's quite a lot of hassle to get it working.

Can't build libnsscache on Centos

Original issue 37 created by jaqx0r on 2014-09-29T15:39:59.000Z:

What steps will reproduce the problem?

  1. Take the latest downloads
  2. Follow installation instructions

What is the expected output? What do you see instead?

When I run 'make install' in libnss-cache, I get

[ -d //usr/lib ] || install -d //usr/lib
install .libs/libnss_cache.so.2.0 //usr/lib
install: cannot stat `.libs/libnss_cache.so.2.0': No such file or directory
make: *** [install] Error 1

See Dockerfile and results.txt for all output and exact steps to recreate.

ldapsource "x" hack results in "pam_acct_mgmt: 7" (Authentication failure)

Original issue 26 created by jaqx0r on 2012-06-11T04:42:37.000Z:

What steps will reproduce the problem?

  1. setup nsscache on debian squeeze
     • with kerberos and unix pam modules (via pam-auth-update)
     • with ldap nsscache source
     • only syncing passwd and group
  2. nsscache update --full
  3. modify nsswitch.conf to include "passwd: files db"
  4. getent passwd

What is the expected output? What do you see instead?

  • expected: passwd entries with a "*" in the password field
  • actual: passwd entries with a "x" in the password field

What version of the product are you using? On what operating system?

  • nsscache 0.21.17
  • debian 6.0.5

Please provide any additional information below.

It seems "x" is sometimes wanted and "" other times, so this should be configurable in nsscache.conf. In my setup I'm using kerberos for auth and ldap for account information, and PAM apparently expects "" vs "x"... with "passwd: files ldap" I see "*".

Changing "x" to "*" here solves it:
