The Shœstring Foundation Weblog, Miscellaneous Byproducts

Matthias Bauer
bauerm (at) shoestringfoundation · org
Mon, 28 Nov 2011

OpenLDAP WTF


Since NIS has had its heyday (in the early '90s), we switched to the highly secure LDAP+Kerberos setup. OpenLDAP is touted as the all-round “Solution” to all user account management, sorry, I meant to say account provisioning. After converting our NIS passwd file into thousands of LDIF files, we imported them with the obvious three-liner

  # -c keeps going after a rejected entry; -W prompts for the bind password
  # (once per file in this loop; -y <passwordfile> avoids the repeated prompt)
  for i in *.ldif; do
      ldapadd -v -W -c -D "cn=admin,dc=our,dc=domain" -H ldapi:/// -f "$i"
  done


After fiddling with half a dozen files in /etc, the client systems could look up user data on the LDAP server. Our test for that was

  getent passwd aknownuser
  getent passwd anotherknownuser

So it seemed plausible to create a list of all users by

  getent passwd | awk -F: '{print $1}' > allourusers

and install that as a list of valid recipients of e-mails.

This was a grave error, because one of the many, many default settings of OpenLDAP is to return at most the first 500 entries for any search. So the list was short by a few hundred accounts.

Considering that LDAP has no concept of a cursor and one cannot ask for the next 500 entries, one can only ask

What the fsck were they thinking???

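The truncation is at least not silent on the wire: when a search hits the sizelimit, slapd answers with LDAP result code 4 ("Size limit exceeded"), and ldapsearch prints that code in its trailing "result:" line. The script below is an added example, not code from the original post: a filter that passes the uid values through but fails when the result code is missing or non-zero, so a partial listing is never written out as the full recipient list. Two short ldapsearch transcripts are constructed inline to stand in for server output. The live wrapper assumes a base DN of ou=people,dc=our,dc=domain and posixAccount entries (the post only shows the admin DN), and uses ldapsearch's paged results option (-E pr=500/noprompt, RFC 2696) so each page stays under the 500-entry limit; since slapd's limits directive (size.prtotal) may cap the total of a paged search as well, the result code is checked regardless.

```shell
# Constructed sample of ldapsearch output cut short by the default sizelimit
# (two entries stand in for the first 500).
SAMPLE_TRUNCATED='dn: uid=alice,ou=people,dc=our,dc=domain
uid: alice

dn: uid=bob,ou=people,dc=our,dc=domain
uid: bob

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 3
# numEntries: 2'

# Constructed sample of a complete answer.
SAMPLE_COMPLETE='dn: uid=alice,ou=people,dc=our,dc=domain
uid: alice

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# check_ldif_complete: read ldapsearch output on stdin, print one uid per line,
# and return 0 only if the server signalled result code 0. A non-zero code, or
# no result line at all (e.g. the connection dropped), returns 1, so a "|| exit"
# after it stops a partial list from being treated as the whole directory.
check_ldif_complete() {
    awk '
        /^uid: /    { print $2 }
        /^result: / { code = $2; seen = 1 }
        END         { if (seen && code == 0) exit 0; exit 1 }
    '
}

# list_users: wrapper for live use (not exercised here; it needs the server).
# Assumed base DN and object class; -E pr=500/noprompt requests paged results so
# no single page exceeds the sizelimit, and the final result code is still
# verified because slapd can also limit the total of a paged search.
list_users() {
    ldapsearch -x -H ldapi:/// -b 'ou=people,dc=our,dc=domain' \
        -E pr=500/noprompt '(objectClass=posixAccount)' uid | check_ldif_complete
}

# Usage in the recipient-list step of the post:
#   list_users > allourusers || { echo "directory listing truncated" >&2; exit 1; }
```

ldapsearch also exits with the LDAP result code, so a plain `|| exit 1` after a bare ldapsearch call catches the same condition; the filter above matters when the output is piped onward, because the pipeline's status would otherwise be that of the last command. The server-side fix is a per-identity exception in slapd.conf, e.g. `limits dn.exact="cn=admin,dc=our,dc=domain" size=unlimited`, rather than raising the global sizelimit for every anonymous client.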
[/osfail]