major.io - Words of wisdom from a Linux engineer focused on information security

Import RPM repository GPG keys from other keyservers temporarily

September 20, 2017 By Major Hayden Leave a Comment

I’ve been working through some patches to OpenStack-Ansible lately to optimize how we configure yum repositories in our deployments. During that work, I ran into some issues where pgp.mit.edu was returning 500 errors for some requests to retrieve GPG keys.

Ansible was returning this error:

curl: (22) The requested URL returned error: 502 Proxy Error
error: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x61E8806C: import read failed(2)

1 2	curl: (22) The requested URL returned error: 502 Proxy Error error: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x61E8806C: import read failed(2)

How does the rpm command know which keyserver to use? Let’s use the --showrc argument to show how it is configured:

$ rpm --showrc | grep hkp
-14: _hkp_keyserver http://pgp.mit.edu
-14: _hkp_keyserver_query   %{_hkp_keyserver}:11371/pks/lookup?op=get&search=0x

$ rpm --showrc | grep hkp

-14: _hkp_keyserver http://pgp.mit.edu

-14: _hkp_keyserver_query %{_hkp_keyserver}:11371/pks/lookup?op=get&search=0x

How do we change this value temporarily to test a GPG key retrieval from a different server? There’s an argument for that as well: --define:

$ rpm --help | grep define
  -D, --define='MACRO EXPR'        define MACRO with value EXPR

1 2	$ rpm --help \| grep define -D, --define='MACRO EXPR' define MACRO with value EXPR

We can assemble that on the command line to set a different keyserver temporarily:

# rpm -vv --define="%_hkp_keyserver http://pool.sks-keyservers.net" --import 0x61E8806C
-- SNIP --
D: adding "63deac79abe7ad80e147d671c2ac5bd1c8b3576e" to Sha1header index.
-- SNIP --

# rpm -vv --define="%_hkp_keyserver http://pool.sks-keyservers.net" --import 0x61E8806C

-- SNIP --

D: adding "63deac79abe7ad80e147d671c2ac5bd1c8b3576e" to Sha1header index.

-- SNIP --

Let’s verify that our new key is in place:

# rpm -qa | grep -i gpg-pubkey-61E8806C
gpg-pubkey-61e8806c-5581df56
# rpm -qi gpg-pubkey-61e8806c-5581df56
Name        : gpg-pubkey
Version     : 61e8806c
Release     : 5581df56
Architecture: (none)
Install Date: Wed 20 Sep 2017 10:17:11 AM CDT
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Wed 17 Jun 2015 03:57:58 PM CDT
Build Host  : localhost
Relocations : (not relocatable)
Packager    : CentOS Virtualization SIG (http://wiki.centos.org/SpecialInterestGroup/Virtualization) <security@centos.org>
Summary     : gpg(CentOS Virtualization SIG (http://wiki.centos.org/SpecialInterestGroup/Virtualization) <security@centos.org>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.11.3 (NSS-3)

mQENBFWB31YBCAC4dFmTzBDOcq4R1RbvQXLkyYfF+yXcsMA5kwZy7kjxnFqBoNPv
aAjFm3e5huTw2BMZW0viLGJrHZGnsXsE5iNmzom2UgCtrvcG2f65OFGlC1HZ3ajA
8ZIfdgNQkPpor61xqBCLzIsp55A7YuPNDvatk/+MqGdNv8Ug7iVmhQvI0p1bbaZR
0GuavmC5EZ/+mDlZ2kHIQOUoInHqLJaX7iw46iLRUnvJ1vATOzTnKidoFapjhzIt
i4ZSIRaalyJ4sT+oX4CoRzerNnUtIe2k9Hw6cEu4YKGCO7nnuXjMKz7Nz5GgP2Ou
zIA/fcOmQkSGcn7FoXybWJ8DqBExvkJuDljPABEBAAG0bENlbnRPUyBWaXJ0dWFs
aXphdGlvbiBTSUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVy
ZXN0R3JvdXAvVmlydHVhbGl6YXRpb24pIDxzZWN1cml0eUBjZW50b3Mub3JnPokB
OQQTAQIAIwUCVYHfVgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEHrr
voJh6IBsRd0H/A62i5CqfftuySOCE95xMxZRw8+voWO84QS9zYvDEnzcEQpNnHyo
FNZTpKOghIDtETWxzpY2ThLixcZOTubT+6hUL1n+cuLDVMu4OVXBPoUkRy56defc
qkWR+UVwQitmlq1ngzwmqVZaB8Hf/mFZiB3B3Jr4dvVgWXRv58jcXFOPb8DdUoAc
S3u/FLvri92lCaXu08p8YSpFOfT5T55kFICeneqETNYS2E3iKLipHFOLh7EWGM5b
Wsr7o0r+KltI4Ehy/TjvNX16fa/t9p5pUs8rKyG8SZndxJCsk0MW55G9HFvQ0FmP
A6vX9WQmbP+ml7jsUxtEJ6MOGJ39jmaUvPc=
=ZzP+
-----END PGP PUBLIC KEY BLOCK-----

# rpm -qa | grep -i gpg-pubkey-61E8806C

gpg-pubkey-61e8806c-5581df56

# rpm -qi gpg-pubkey-61e8806c-5581df56

Name : gpg-pubkey

Version : 61e8806c

Release : 5581df56

Architecture: (none)

Install Date: Wed 20 Sep 2017 10:17:11 AM CDT

Group : Public Keys

Size : 0

License : pubkey

Signature : (none)

Source RPM : (none)

Build Date : Wed 17 Jun 2015 03:57:58 PM CDT

Build Host : localhost

Relocations : (not relocatable)

Packager : CentOS Virtualization SIG (http://wiki.centos.org/SpecialInterestGroup/Virtualization) <[email protected]>

Summary : gpg(CentOS Virtualization SIG (http://wiki.centos.org/SpecialInterestGroup/Virtualization) <[email protected]>)

Description :

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: rpm-4.11.3 (NSS-3)

mQENBFWB31YBCAC4dFmTzBDOcq4R1RbvQXLkyYfF+yXcsMA5kwZy7kjxnFqBoNPv

aAjFm3e5huTw2BMZW0viLGJrHZGnsXsE5iNmzom2UgCtrvcG2f65OFGlC1HZ3ajA

8ZIfdgNQkPpor61xqBCLzIsp55A7YuPNDvatk/+MqGdNv8Ug7iVmhQvI0p1bbaZR

0GuavmC5EZ/+mDlZ2kHIQOUoInHqLJaX7iw46iLRUnvJ1vATOzTnKidoFapjhzIt

i4ZSIRaalyJ4sT+oX4CoRzerNnUtIe2k9Hw6cEu4YKGCO7nnuXjMKz7Nz5GgP2Ou

zIA/fcOmQkSGcn7FoXybWJ8DqBExvkJuDljPABEBAAG0bENlbnRPUyBWaXJ0dWFs

aXphdGlvbiBTSUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVy

ZXN0R3JvdXAvVmlydHVhbGl6YXRpb24pIDxzZWN1cml0eUBjZW50b3Mub3JnPokB

OQQTAQIAIwUCVYHfVgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEHrr

voJh6IBsRd0H/A62i5CqfftuySOCE95xMxZRw8+voWO84QS9zYvDEnzcEQpNnHyo

FNZTpKOghIDtETWxzpY2ThLixcZOTubT+6hUL1n+cuLDVMu4OVXBPoUkRy56defc

qkWR+UVwQitmlq1ngzwmqVZaB8Hf/mFZiB3B3Jr4dvVgWXRv58jcXFOPb8DdUoAc

S3u/FLvri92lCaXu08p8YSpFOfT5T55kFICeneqETNYS2E3iKLipHFOLh7EWGM5b

Wsr7o0r+KltI4Ehy/TjvNX16fa/t9p5pUs8rKyG8SZndxJCsk0MW55G9HFvQ0FmP

A6vX9WQmbP+ml7jsUxtEJ6MOGJ39jmaUvPc=

=ZzP+

-----END PGP PUBLIC KEY BLOCK-----

Success!

If you want to override the value permanently, create a ~/.rpmmacros file and add the following line to it:

%_hkp_keyserver http://pool.sks-keyservers.net

1	%_hkp_keyserver http://pool.sks-keyservers.net

Photo credit: Wikipedia

Thunderbird changes fonts in some messages, not all

August 2, 2017 By Major Hayden 1 Comment

Thunderbird is a great choice for a mail client on Linux systems if you prefer a GUI, but I had some problems with fonts in the most recent releases. The monospace font used for plain text messages was difficult to read.

I opened Edit > Preferences > Display and clicked Advanced to the right of Fonts & Colors. The default font for monospace text was “Monospace”, and that one isn’t terribly attractive. I chose “DejaVu Sans Mono” instead, and closed the dialog boxes.

The fonts in monospace messages didn’t change. I quit Thunderbird, opened it again, and still didn’t see a change. The strange part is that a small portion of my monospaced messages were opening with the updated font while the majority were not.

I went back into Thunderbird’s preferences and took another look:

Everything was set as I expected. I started with some Google searches and stumbled upon a Mozilla Bug: Changing monospace font doesn’t affect all messages. One of the participants in the bug mentioned that any emails received without ISO-8859-1 encoding would be unaffected since Thunderbird allows you set fonts for each encoding.

I clicked the dropdown where “Latin” was selected and I selected “Other Writing Systems”. After changing the monospace font there, the changes went into effect for all of my monospaced messages!

Troubleshooting CyberPower PowerPanel issues in Linux

July 25, 2017 By Major Hayden 5 Comments

I have a CyberPower BRG1350AVRLCD at home and I’ve just connected it to a new device. However, the pwrstat command doesn’t retrieve any useful data on the new system:

# pwrstat -status

The UPS information shows as following:


    Current UPS status:
        State........................ Normal
        Power Supply by.............. Utility Power
        Last Power Event............. None

# pwrstat -status

The UPS information shows as following:

Current UPS status:

State........................ Normal

Power Supply by.............. Utility Power

Last Power Event............. None

I disconnected the USB cable and ran pwrstat again. Same output. I disconnected power from the UPS itself and ran pwrstat again. Same output. This can’t be right.

Checking the basics

A quick look at dmesg output shows that the UPS is connected and the kernel recognizes it:

[   65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd
[   65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501
[   65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2
[   65.830772] usb 3-1: Product: BRG1350AVRLCD
[   65.830773] usb 3-1: Manufacturer: CPS
[   65.830773] usb 3-1: SerialNumber: xxxxxxxxx
[   65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

[ 65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd

[ 65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501

[ 65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2

[ 65.830772] usb 3-1: Product: BRG1350AVRLCD

[ 65.830773] usb 3-1: Manufacturer: CPS

[ 65.830773] usb 3-1: SerialNumber: xxxxxxxxx

[ 65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

I checked the /var/log/pwrstatd.log file to see if there were any errors:

2017/07/25 12:01:17 PM  Daemon startups.
2017/07/25 12:01:24 PM  Communication is established.
2017/07/25 12:01:27 PM  Low Battery capacity is restored.
2017/07/25 12:05:19 PM  Daemon stops its service.
2017/07/25 12:05:19 PM  Daemon startups.
2017/07/25 12:05:19 PM  Communication is established.
2017/07/25 12:05:22 PM  Low Battery capacity is restored.
2017/07/25 12:06:27 PM  Daemon stops its service.

2017/07/25 12:01:17 PM Daemon startups.

2017/07/25 12:01:24 PM Communication is established.

2017/07/25 12:01:27 PM Low Battery capacity is restored.

2017/07/25 12:05:19 PM Daemon stops its service.

2017/07/25 12:05:19 PM Daemon startups.

2017/07/25 12:05:19 PM Communication is established.

2017/07/25 12:05:22 PM Low Battery capacity is restored.

2017/07/25 12:06:27 PM Daemon stops its service.

The pwrstatd daemon can see the device and communicate with it. This is unusual.

Digging into the daemon

If the daemon can truly see the UPS, then what is it talking to? I used lsof to examine what the pwrstatd daemon is doing:

# lsof -p 3975
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF      NODE NAME
pwrstatd 3975 root  cwd    DIR               8,68      224        96 /
pwrstatd 3975 root  rtd    DIR               8,68      224        96 /
pwrstatd 3975 root  txt    REG               8,68   224175 134439879 /usr/sbin/pwrstatd
pwrstatd 3975 root  mem    REG               8,68  2163104 134218946 /usr/lib64/libc-2.25.so
pwrstatd 3975 root  mem    REG               8,68  1226368 134218952 /usr/lib64/libm-2.25.so
pwrstatd 3975 root  mem    REG               8,68    19496 134218950 /usr/lib64/libdl-2.25.so
pwrstatd 3975 root  mem    REG               8,68   187552 134218939 /usr/lib64/ld-2.25.so
pwrstatd 3975 root    0r   CHR                1,3      0t0      1028 /dev/null
pwrstatd 3975 root    1u  unix 0xffff9e395e137400      0t0     37320 type=STREAM
pwrstatd 3975 root    2u  unix 0xffff9e395e137400      0t0     37320 type=STREAM
pwrstatd 3975 root    3u  unix 0xffff9e392f0c0c00      0t0     39485 /var/pwrstatd.ipc type=STREAM
pwrstatd 3975 root    4u   CHR             180,96      0t0     50282 /dev/ttyS1

# lsof -p 3975

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

pwrstatd 3975 root cwd DIR 8,68 224 96 /

pwrstatd 3975 root rtd DIR 8,68 224 96 /

pwrstatd 3975 root txt REG 8,68 224175 134439879 /usr/sbin/pwrstatd

pwrstatd 3975 root mem REG 8,68 2163104 134218946 /usr/lib64/libc-2.25.so

pwrstatd 3975 root mem REG 8,68 1226368 134218952 /usr/lib64/libm-2.25.so

pwrstatd 3975 root mem REG 8,68 19496 134218950 /usr/lib64/libdl-2.25.so

pwrstatd 3975 root mem REG 8,68 187552 134218939 /usr/lib64/ld-2.25.so

pwrstatd 3975 root 0r CHR 1,3 0t0 1028 /dev/null

pwrstatd 3975 root 1u unix 0xffff9e395e137400 0t0 37320 type=STREAM

pwrstatd 3975 root 2u unix 0xffff9e395e137400 0t0 37320 type=STREAM

pwrstatd 3975 root 3u unix 0xffff9e392f0c0c00 0t0 39485 /var/pwrstatd.ipc type=STREAM

pwrstatd 3975 root 4u CHR 180,96 0t0 50282 /dev/ttyS1

Wait a minute. The last line of the lsof output shows that pwrstatd is talking to /dev/ttyS1, but the device is supposed to be a hiddev device over USB. If you remember, we had this line in dmesg when the UPS was plugged in:

hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

1	hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

Things are beginning to make more sense now. I have a USB-to-serial device that allows my server to talk to the console port on my Cisco switch:

[   80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd
[   80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303
[   80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[   80.558028] usb 3-1: Product: USB-Serial Controller D
[   80.558029] usb 3-1: Manufacturer: Prolific Technology Inc. 
[   80.558308] pl2303 3-1:1.0: pl2303 converter detected
[   80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0

[ 80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd

[ 80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303

[ 80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[ 80.558028] usb 3-1: Product: USB-Serial Controller D

[ 80.558029] usb 3-1: Manufacturer: Prolific Technology Inc.

[ 80.558308] pl2303 3-1:1.0: pl2303 converter detected

[ 80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0

It appears that pwrstatd is trying to talk to my Cisco switch (through the USB-to-serial adapter) rather than my UPS! I’m sure they could have a great conversation together, but it’s hardly productive.

Fixing it

The /etc/pwrstatd.conf has a relevant section:

# The pwrstatd accepts four types of device node which includes the 'ttyS',
# 'ttyUSB', 'hiddev', and 'libusb' for communication with UPS. The pwrstatd
# defaults to enumerate all acceptable device nodes and pick up to use an
# available device node automatically. But this may cause a disturbance to the
# device node which is occupied by other software. Therefore, you can restrict
# this enumerate behave by using allowed-device-nodes option. You can assign
# the single device node path or multiple device node paths divided by a
# semicolon at this option. All groups of 'ttyS', 'ttyUSB', 'hiddev', or
# 'libusb' device node are enumerated without a suffix number assignment.
# Note, the 'libusb' does not support suffix number only.
#
# For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev
# path only.
# allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1
#
# For example: restrict to use ttyS and ttyUSB two groups of device node at
# /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to
# ttyUSBN, N is number).
# allowed-device-nodes = ttyS;ttyUSB
#
# For example: restrict to use hiddev group of device node at /dev,/dev/usb,
# and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).
# allowed-device-nodes = hiddev
#
# For example: restrict to use libusb device.
# allowed-device-nodes = libusb
allowed-device-nodes =

# The pwrstatd accepts four types of device node which includes the 'ttyS',

# 'ttyUSB', 'hiddev', and 'libusb' for communication with UPS. The pwrstatd

# defaults to enumerate all acceptable device nodes and pick up to use an

# available device node automatically. But this may cause a disturbance to the

# device node which is occupied by other software. Therefore, you can restrict

# this enumerate behave by using allowed-device-nodes option. You can assign

# the single device node path or multiple device node paths divided by a

# semicolon at this option. All groups of 'ttyS', 'ttyUSB', 'hiddev', or

# 'libusb' device node are enumerated without a suffix number assignment.

# Note, the 'libusb' does not support suffix number only.

# For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev

# path only.

# allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1

# For example: restrict to use ttyS and ttyUSB two groups of device node at

# /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to

# ttyUSBN, N is number).

# allowed-device-nodes = ttyS;ttyUSB

# For example: restrict to use hiddev group of device node at /dev,/dev/usb,

# and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).

# allowed-device-nodes = hiddev

# For example: restrict to use libusb device.

# allowed-device-nodes = libusb

allowed-device-nodes =

We need to explicitly tell pwrstatd to talk to the UPS on /dev/hid/hiddev0:

allowed-device-nodes = /dev/usb/hiddev0

1	allowed-device-nodes = /dev/usb/hiddev0

Let’s restart the pwrstatd daemon and see what we get:

# systemctl restart pwrstatd
# pwrstat -status

The UPS information shows as following:

    Properties:
        Model Name................... BRG1350AVRLCD
        Firmware Number..............
        Rating Voltage............... 120 V
        Rating Power................. 810 Watt(1350 VA)

    Current UPS status:
        State........................ Normal
        Power Supply by.............. Utility Power
        Utility Voltage.............. 121 V
        Output Voltage............... 121 V
        Battery Capacity............. 100 %
        Remaining Runtime............ 133 min.
        Load......................... 72 Watt(9 %)
        Line Interaction............. None
        Test Result.................. Unknown
        Last Power Event............. None

# systemctl restart pwrstatd

# pwrstat -status

The UPS information shows as following:

Properties:

Model Name................... BRG1350AVRLCD

Firmware Number..............

Rating Voltage............... 120 V

Rating Power................. 810 Watt(1350 VA)

Current UPS status:

State........................ Normal

Power Supply by.............. Utility Power

Utility Voltage.............. 121 V

Output Voltage............... 121 V

Battery Capacity............. 100 %

Remaining Runtime............ 133 min.

Load......................... 72 Watt(9 %)

Line Interaction............. None

Test Result.................. Unknown

Last Power Event............. None

Success!

Photo credit: Wikipedia

Apply the STIG to even more operating systems with ansible-hardening

July 21, 2017 By Major Hayden 3 Comments

Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month. The role has a new name, new documentation and extra tests.

The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.

These controls are now applied to an even wider variety of Linux distributions:

CentOS 7
Debian 8 Jessie (new for Pike)
Fedora 25 (new for Pike)
openSUSE Leap 42.2+ (new for Pike)
Red Hat Enterprise Linux 7
SUSE Linux Enterprise 12 (new for Pike)
Ubuntu 14.04 Trusty
Ubuntu 16.04 Xenial

Any patches to the ansible-hardening role are tested against all of these operating systems (except RHEL 7 and SUSE Linux Enterprise). Support for openSUSE testing landed this week.

Work is underway to put the finishing touches on the master branch before the Pike release and we need your help!

If you have any of these operating systems deployed, please test the role on your systems! This is pre-release software, so it’s best to apply it only to a new server. Read the “Getting Started” documentation to get started with ansible-galaxy or git.

Photo credit: Wikipedia

Customize LDAP autocompletion format in Thunderbird

July 18, 2017 By Major Hayden Leave a Comment

Thunderbird can connect to an LDAP server and autocomplete email addresses as you type, but it needs some adjustment for some LDAP servers. One of the LDAP servers that I use regularly returns email addresses like this in the thunderbird interface:

username <firstname.lastname@domain.tld>

1	username <[email protected]>

The email address looks fine, but I’d much rather have the person’s full name instead of the username. Here’s what I’m looking for:

Firstname Lastname <firstname.lastname@domain.tld>

1	Firstname Lastname <[email protected]>

In older Thunderbird versions, setting ldap_2.servers.SERVER_NAME.autoComplete.nameFormat to displayName was enough. However, this option isn’t used in recent versions of Thunderbird.

Digging in

After a fair amount of searching the Thunderbird source code with awk, I found a mention of DisplayName in nsAbLDAPAutoCompleteSearch.js that looked promising:

      // Create a minimal map just for the display name and primary email.
      this._attributes =
        Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]
                  .createInstance(Components.interfaces.nsIAbLDAPAttributeMap);
      this._attributes.setAttributeList("DisplayName",
        this._book.attributeMap.getAttributeList("DisplayName", {}), true);
      this._attributes.setAttributeList("PrimaryEmail",
        this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);
    }

// Create a minimal map just for the display name and primary email.

this._attributes =

Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]

.createInstance(Components.interfaces.nsIAbLDAPAttributeMap);

this._attributes.setAttributeList("DisplayName",

this._book.attributeMap.getAttributeList("DisplayName", {}), true);

this._attributes.setAttributeList("PrimaryEmail",

this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);

}

Something is unusual here. The LDAP field is called displayName, but this attribute is called DisplayName (note the capitalization of the D). Just before that line, I see a lookup in an attributes map of some sort. There may be a configuration option that is called DisplayName.

In Thunderbird, I selected Edit > Preferences. I clicked the Advanced tab and then Config Editor. A quick search for DisplayName revealed an interesting configuration option:

ldap_2.servers.default.attrmap.DisplayName: cn,commonname

1	ldap_2.servers.default.attrmap.DisplayName: cn,commonname

Fixing it

That’s the problem! This needs to map to displayName in my case, and not cn,commonname (which returns a user’s username). There are two different ways to fix this:

# Change it for just one LDAP server
ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName
# Change it for all LDAP servers by default (careful)
ldap_2.servers.default.attrmap.DisplayName: displayName

# Change it for just one LDAP server

ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName

# Change it for all LDAP servers by default (careful)

ldap_2.servers.default.attrmap.DisplayName: displayName

After making the change, quit Thunderbird and relaunch it. Compose a new email and start typing in the email address field. The user’s first and last name should appear!