nss_ldap display UID/GID instead of login/group

Robert Watson rwatson at freebsd.org
Thu May 15 07:01:52 PDT 2003

On Thu, 15 May 2003, Frank Bonnet wrote:

> I have a cosmetic problem on a 5.1-BETA-20030507-JPSNAP version using
> nss_ldap (installed from ports) with openldap (installed from ports
> too).
> I can login/ssh/imap etc etc using nss_ldap mechanism BUT when logged in
> under a LDAP userid (not a local one) ls -l displays UID and GID
> instead of LOGIN and GROUP statement.

This occurs because NSS relies on dynamic linking, and the binaries in
/bin and /sbin are statically linked; right now, we don't support dynamic
loading of shared objects by statically linked binaries.  You'll notice
that tcsh tab completion of usernames doesn't work, and getfacl/setfacl
don't "speak"  users who aren't NIS, HESIOD, or local password files
(these modules are included in libc, so get statically linked into the
builds of these binaries).  The work-around is to statically link the
libraries necessary for LDAP into your /bin and /sbin binaries that need
them.  The solution is to run with a fully dynamic tree, and Gordon Tetlow
is working on a patchset to do this.  Some might suggest teaching static
binaries how to load dynamic objects, but that has some of its own

You can run with a fully dynamic tree today as long as /usr is on the same
partition as / so that /bin and /sbin can find their shared libraries.  To
do this, remove the NOSHARED line from bin/Makefile.inc and
sbin/Makefile.inc.  This will cause binaries in those directories to be
built dynamically linked next time you buildworld.

A word of caution: one of the primary reasons this is more complicated
than it sounds is the risk factor if something goes wrong: today, /bin and
/sbin work even if you muck up your shared libraries somehow.  If they're
linked dynamically, they won't :-).  Part of Gordon's work is to reproduce
what NetBSD has in the form of /rescue: a directory not unlike our /stand
today which holds crunched/static versions of /bin and /sbin for recovery
purposes.  I expect he'll post his patches for public review in a few
weeks, with the intention to merge support for this functionality after
5.1.  In the meantime, a local build will do the trick if you are willing
to set up the partitions so that the shared libraries are easily found by
/bin and /sbin. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
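
An added example, not part of the original message: a small audit that lists which files in /bin and /sbin are statically linked ELF, that is, the binaries the reply says cannot load NSS modules such as nss_ldap. The function names are hypothetical, the sample ELF header is constructed, and the check assumes an executable with no PT_INTERP program header is statically linked.

```python
import os
import struct
import sys

PT_LOAD, PT_INTERP = 1, 3  # program header types from the ELF specification

def elf_linkage(data: bytes) -> str:
    """Return 'dynamic' if the image names a runtime linker, else 'static' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if data[4] == 2:                       # ELFCLASS64
        if len(data) < 64:
            return "not-elf"
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                  # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):                 # walk the program header table
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "dynamic"
    return "static"

def static_binaries(directory: str) -> list:
    """Names of regular files in `directory` that are statically linked ELF."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if elf_linkage(data) == "static":
            found.append(name)
    return found

def sample_elf64(p_type: int) -> bytes:
    """Constructed input: 64-bit LE ELF header plus one program header (not runnable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ident + hdr + struct.pack("<I", p_type) + bytes(52)

if __name__ == "__main__":
    for d in sys.argv[1:] or ["/bin", "/sbin"]:
        print(d, static_binaries(d))
```

Any name it reports for /bin or /sbin is a candidate for showing numeric IDs for LDAP-only accounts until that binary is rebuilt as described above.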
