Hi,
I have conf like this:
getpwnam SELECT username,'x',uid,gid,gecos,homedir,shell FROM users WHERE username = SUBSTRING_INDEX( '%s', '@', 1 ) AND domain = SUBSTRING_INDEX( '%u', '@', -1 ) LIMIT 1
And here is the mysql error. It is not a mysql error but rather a lib function error:
nss-root@localhost on auth
SELECT username,'x',uid,gid,gecos,homedir,shell FROM users WHERE username = SUBSTRING_INDEX( 'test@foo.com', '@', 1 ) AND domain = SUBSTRING_INDEX( '(null)', '@', -1 ) LIMIT 1
I wonder where the "null" comes from? Any idea?
Best regards,
Mszutko
I had an error like this working with mail. More specifically, working with imap.
If this is what you are doing, recompile the mail server to include notls.
So in essence, this wasn't a nss-mysql problem, this was a mail server configuration problem.
If it is mail, are you able to login with a standard pop3 or imap (whichever service you are using) client?
Hi,
But this so-called "error" occurs with: id, ssh, imap, pop. It looks like a lib function is clearing the char buffer where the parameters are stored after first use.
Of course the second parameter should be '%s' not '%u' but this doesn't change anything - "null" is present.
Best regards,
Mszutko
getpwnam only has access to "%s" - the username being requested. There is no "%u"
Ah, I see you meant %s - well in that case, you may only use %s once (as I'm doing the libc 'sprintf' call which is expecting a single insertion value).
Hi,
Thanks for info.
Very good lib !!! Thanks for your job !
Mszutko
Hi,
Cinergi, please help with this. Where and what should I change in the lib source code to use '%s' twice? I have tried to get over this functionality but it seems mandatory for me.
Thanks in advance.
Best regards,
Mszutko
I was hoping to find a MySQL statement to do this, but not in the way that you need it (I was looking at user variables). I believe the code you need to edit is line 84 of lookup.c; change:
snprintf (*qout, qout_size, qin, clean_name);
to:
snprintf (*qout, qout_size, qin, clean_name, clean_name);
And make sure ALL your by-name lookups have two "%s" in them (getpwnam, getspnam, getgrnam, gidsbymem) - yes, this affects group lookups, too :-(
If you don't need two, then do something like
SELECT blah FROM table WHERE thing='%s' AND '%s' != '@'
That will 'throw away' the second %s harmlessly...
Perhaps a different database design is in order? I can help you with that if you're up for it.
Hi,
Thanks for this. I will check it asap on dev environment - it is important to me.
My idea for second solution (in the meantime) was:
- add new field to table "users" e.g. login
- login looks like "test@foo.com"
- users try to login by test@foo.com
- query is "select name,... from users where login='test@foo.com'"
It seems to work, but some programs use "test@foo.com" as the user name once and the second time use "test" - returned from nss - (e.g. sshd after auth or pam_require), so the query must fail.
In this case I am afraid that a query with substring could also be wrong. For me there is no one rule for when programs use the entered value or use the returned value.
For now my "user" field looks like this: test@foo.com but it looks terrible (e.g. "ls" command) and it doesn't seem to be a good solution.
The main reason I want to use domain names is to implement hosting for some domains. I would like to use the standard pam functions implemented for ftp, imap, ssh and others rather than use sql modules for them (like the proftpd mysql module). Standard pam and nss is best for this. And your nss lib is perfect for this job.
What is your opinion about the whole situation? Your advice is strongly recommended ;)
Thanks,
Mszutko
There's no quick and easy way to solve the problem that I'm aware of. If you want ftp, mail, www, etc., to all work, there are a number of problems. Mail would have to be configured to look up the whole user string instead of separating out user & domain. Other software should work OK but you're right, it's a bit ugly, and can lead to really long usernames which some software may not support. A legal unix username isn't supposed to have an '@' in it, and some software may actually enforce that behavior. If you're willing to modify source code, this may not be an issue. As for mail, systems like Exim should provide excellent ability to do what you want. Exim's very configurable (without getting into loading modules).
I personally have some interest in this problem because I'd like to create a self-contained web service provider based on real-time MySQL data (a la cPanel, Ensim, Plesk, etc). However, I haven't spent enough time to find the right solution.
Hi.
I'm thinking about some sort of "service management system" too. And for now I have three ideas:
- use sql modules for each service (some of them don't have - sshs)
- use long user name: "test@foo.com"
- use not so friendly user names e.g.: 112334 (where the number is rowid or something and it is the system username too)
or try to catch the moment when e.g. ssh is missing the nss returned value. I have tried to patch pam_require and it works.
Exim is also working very nicely. The problem is with courier-*. I must search for more info.
And now the conclusion ;) I think I will mix your great nss with sql modules. So for low level services (like ssh) the user must enter some not friendly username. This username will be related to the login name (test@foo.com) for mass clients (users).
If you have any alternative idea please share it. I will be grateful.
Best regards,
Mszutko
I wanted to let you know that I just found out that the "snprintf()" call I use can take some interesting format specifiers, enabling you to reference 'username' or 'uid' as many times as you want, like so:
snprintf (out, 20, "%1$d hi %1$d\n",foo);
Thus your query could look like
Getpwnam SELECT blah WHERE foo='%1$u' AND bar='%1$u' LIMIT 1
All this *without* modification to the base libnss-mysql!
I hope this feature's available on solaris and FreeBSD - that will solve a long-standing feature-request I've had.
Woops, I mean %1$s up there..
Here's a tested cut-n-paste of the default getpwnam on linux with the change:
getpwnam SELECT username,'x',uid,gid,gecos,homedir,shell FROM users WHERE username='%1$s' LIMIT 1
I verified this works on FreeBSD 5.1 and Solaris 2.6. Woot! However, libnss-mysql assumes only one usage, so the query builder won't allocate enough memory to hold more than one. I'll fix that for libnss-mysql 1.3 which I'm trying to release tonight.
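The two points in the posts above (one argument referenced several times through `%1$s`, and a query buffer sized for a single use being too small), as an added example that is not part of the thread or of libnss-mysql. The helper names, the single-use sizing model and the sample query are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; hypothetical helpers, not libnss-mysql source.
 * tmpl is trusted configuration and uses only the POSIX positional
 * form %1$s (mixing it with plain %s is undefined behaviour).
 * name is assumed to be SQL-escaped already. */

/* Buffer size that assumes the name is inserted once (assumed model). */
size_t single_use_size(const char *tmpl, const char *name)
{
    return strlen(tmpl) + strlen(name) + 1;
}

/* Returns 1 if expanding tmpl into a cap-byte buffer truncates the query. */
int is_truncated(size_t cap, const char *tmpl, const char *name)
{
    char *buf = malloc(cap);
    if (buf == NULL) return -1;
    int n = snprintf(buf, cap, tmpl, name); /* n = length the full query needs */
    free(buf);
    return n < 0 ? -1 : (size_t)n >= cap;
}

/* Measure first, then allocate: correct for any number of %1$s uses. */
char *build_query(const char *tmpl, const char *name)
{
    int need = snprintf(NULL, 0, tmpl, name);
    if (need < 0) return NULL;
    char *out = malloc((size_t)need + 1);
    if (out != NULL && snprintf(out, (size_t)need + 1, tmpl, name) != need) {
        free(out);
        out = NULL;
    }
    return out;
}

int main(void)
{
    const char *tmpl = "SELECT uid FROM users WHERE username='%1$s' "
                       "OR login='%1$s' LIMIT 1"; /* constructed query */
    const char *name = "test@foo.com";            /* constructed input */
    char *q = build_query(tmpl, name);
    printf("single-use buffer truncates: %d\n",
           is_truncated(single_use_size(tmpl, name), tmpl, name));
    printf("measured build: %s\n", q ? q : "(error)");
    free(q);
    return 0;
}
```

A truncated query must be treated as a lookup failure rather than sent to the server, since the cut can fall inside a quoted value or before the `LIMIT` clause.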
Is it possible to have logins user@domain that are split by libnss-mysql based on the port (then the vars for the username and domain can be used in the sql query to authenticate against)? I'm not familiar with the inner workings of the auth system, but I'm assuming that servers like IMAP and POP3 want user@domain to be passed, so it has to be, but perhaps for ssh, ftp, etc, the domain could be separated... again, this may not be feasible, but I'm trying to understand how the authentication system works and how this problem can be addressed.
It would be complex, I guess... you'd probably need multiple queries and the more I think about it, the less feasible it really seems... but maybe it will spark some ideas.
Hi,
I'm waiting for 1.3 ;) Thanks!
jaminniti:
Correct me if I'm wrong but libnss doesn't know which service requests the user/group data. In many (if not in all) cases it is pam_unix.so. Am I right?
Your idea is worth trying. If there is an easy way to modify pam_unix to give some extra arguments to nss it could work and it could be very very powerful. Just imagine that you could give "no such user" info if the user is not allowed to use ssh but is allowed to use ftp. It would be a pure system answer, not some *pam*sql* module.
Thanks,
Maszutko
The NSS API is pretty "stupid" - it has no idea who's calling it, etc. That said, since we write the modules, it *is* possible to make the module look at things like the current process name, user-id, environment variables, etc.. and make decisions based on those. I'd have to think about if there's a clean way to implement those kinds of decisions on top of libnss-mysql without veering away from the purpose of libnss-mysql ...