Package: nslcd
Version: 0.8.7-1
Severity: critical
Tags: patch
Usertags: pca.it-authentication
Hi there!

Basically, with today's upgrade, my /etc/nslcd.conf was automatically changed and the LDAP setup completely broke:

=====
root@gismo:/etc# cat /var/log/syslog
[...]
Apr 23 10:27:29 gismo nslcd[5209]: version 0.8.7 starting
Apr 23 10:27:29 gismo nslcd[5209]: accepting connections
Apr 23 10:27:37 gismo nslcd[5209]: [8b4567] <group/member="luca"> ldap_result() failed: Insufficient access
[...]
root@gismo:/etc# git log -p -1
commit abc0c29950469771617ffd0be132456669b7d305
Author: Luca Capello <l...@pca.it>
Date:   Mon Apr 23 10:27:35 2012 +0200

    committing changes in /etc after apt run

    Package changes:
    [...]
    -nslcd 0.8.6-1
    +nslcd 0.8.7-1
    [...]

diff --git a/nslcd.conf b/nslcd.conf
index 8ea8f0c..db2131d 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -16,8 +16,8 @@ base dc=pca,dc=it
 #ldap_version 3
 
 # The DN to bind with for normal lookups.
-binddn HIDDEN
-bindpw HIDDEN
+#binddn HIDDEN
+#bindpw *removed*
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
=====

I was quite surprised by that and then discovered the reason: /etc/nslcd.conf is not a dpkg conffile (it does not show up with `dpkg-query -s nslcd`), thus any modification done is not automatically preserved during upgrades, which is a bug according to debian-policy 3.9.3.1's § 10.7.3:

  <http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.3>

  10.7 Configuration files
  [...]
  10.7.3 Behavior

  Configuration file handling must conform to the following behavior:

    * local changes must be preserved during a package upgrade,

NB, the Severity: of this bug is critical (and not serious) because no more LDAP users can work with the system.

Strangely enough, this should have already been fixed by #610117.

Some debugging and the problem in my case was clear: I did not use debconf/dpkg-reconfigure to configure nslcd (which is perfectly fine, no configuration method is mandatory in Debian), thus given that debconf's nslcd/ldap-auth-type was empty, /var/lib/dpkg/info/nslcd.postinst:212 thinks that there is no authentication at all.

This is easily fixed with the following patch, but further investigation is still needed, given that bindpw is still removed, again if you do not use debconf/dpkg-reconfigure:

--8<---------------cut here---------------start------------->8---
--- nslcd.postinst.ORG	2012-04-23 01:22:29.000000000 +0200
+++ nslcd.postinst	2012-04-23 12:04:15.180373883 +0200
@@ -211,6 +211,10 @@ update_config nslcd/ldap-base base
 db_get nslcd/ldap-auth-type
 authtype="$RET"
+db_get nslcd/ldap-binddn
+if [ -n "$RET" ] && [ "$authtype" = none ]; then
+  authtype=simple
+fi
 case "$authtype" in
 simple)
   update_config nslcd/ldap-binddn binddn
--8<---------------cut here---------------end--------------->8---

The problem is present on the debconf side as well, reproducible with:

=====
root@gismo:/etc# debconf-show nslcd
* nslcd/ldap-bindpw: (password omitted)
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
  nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: HIDDEN
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=pca,dc=it
  nslcd/ldap-sasl-authzid:
root@gismo:/etc# git diff
diff --git a/nslcd.conf b/nslcd.conf
index db2131d..2984a50 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -16,8 +16,8 @@ base dc=pca,dc=it
 #ldap_version 3
 
 # The DN to bind with for normal lookups.
-#binddn HIDDEN
-#bindpw *removed*
+binddn test
+bindpw test
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
root@gismo:/etc# dpkg-reconfigure nslcd
[...]
root@gismo:/etc# git diff | less
diff --git a/nslcd.conf b/nslcd.conf
index db2131d..41b888f 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -16,7 +16,7 @@ base dc=pca,dc=it
 #ldap_version 3
 
 # The DN to bind with for normal lookups.
-#binddn HIDDEN
+#binddn test
 #bindpw *removed*
 
 # The DN used for password modifications by root.
root@gismo:/etc# debconf-show nslcd
* nslcd/ldap-bindpw: (password omitted)
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: test
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=pca,dc=it
  nslcd/ldap-sasl-authzid:
root@gismo:/etc#
=====

It seems the /etc/nslcd.conf handling is in some way broken :-(

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu1
ii  debconf [debconf-2.0]  1.5.42
ii  libc6                  2.13-30
ii  libgssapi-krb5-2       1.10+dfsg~beta1-2
ii  libldap-2.4-2          2.4.28-1.2

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.8.1.dfsg.P1-4
ii  host                        1:9.8.1.dfsg.P1-4
ii  ldap-utils                  2.4.28-1.2
ii  libnss-ldapd [libnss-ldap]  0.8.7-1
ii  libpam-ldapd [libpam-ldap]  0.8.7-1
ii  nscd                        2.13-30

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf information:
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
  nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: HIDDEN
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=pca,dc=it
  nslcd/ldap-sasl-authzid:
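Review bot: in the nslcd.postinst hunk, the guard `if [ -n "$RET" ] && [ "$authtype" = none ]; then` only fires when the stored auth-type is literally `none`, while the report text says the debconf value of nslcd/ldap-auth-type was empty; if an empty value is possible, the condition should also cover `-z "$authtype"`. The hunk also rescues only binddn: it does nothing for bindpw, which the report confirms is still removed, so the same fallback is needed for nslcd/ldap-bindpw, or the postinst should read the existing /etc/nslcd.conf before deciding which settings to keep.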
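An added post-upgrade check, not code from the bug report or the nslcd package: it detects the stripped-credential state shown in the diffs above, reports whether dpkg tracks a file as a conffile, and mirrors the auth-type decision of the proposed postinst patch (with the empty-value case added as an assumption). The sample configuration contents, DN and password are constructed; only `is_dpkg_conffile` needs a Debian host.

```shell
#!/bin/sh
# Added example, not code from the bug report or the nslcd package: a post-upgrade
# check for the state the report's diff shows nslcd 0.8.7-1 leaving behind in
# /etc/nslcd.conf ("binddn" commented out, "bindpw" replaced by "#bindpw *removed*").

# has_active KEY FILE: KEY is present as a live (uncommented) option.
has_active() { grep -qE "^[[:space:]]*$1[[:space:]]" "$2"; }
# has_commented KEY FILE: KEY survives only as a comment.
has_commented() { grep -qE "^[[:space:]]*#[[:space:]]*$1[[:space:]]" "$2"; }

# bind_state FILE -> ok | stripped | missing
bind_state() {
    if has_active binddn "$1" && has_active bindpw "$1"; then echo ok
    elif has_commented binddn "$1" || has_commented bindpw "$1"; then echo stripped
    else echo missing
    fi
}

# is_dpkg_conffile PKG FILE: succeeds if dpkg tracks FILE as a conffile of PKG.
# The reporter's point is that /etc/nslcd.conf is not one, so dpkg does not
# preserve local edits on upgrade. Needs a Debian host; not exercised offline.
is_dpkg_conffile() {
    dpkg-query -W -f='${Conffiles}\n' "$1" 2>/dev/null | grep -q "^ $2 "
}

# effective_authtype AUTHTYPE BINDDN: the decision added by the reporter's
# postinst patch (a configured binddn turns auth-type "none" into "simple").
# Assumption added here: an empty auth-type, which the report says debconf
# held, is treated like "none".
effective_authtype() {
    case "$1" in
        none|'') if [ -n "$2" ]; then echo simple; else echo none; fi ;;
        *) echo "$1" ;;
    esac
}

# Constructed samples reproducing the two states from the report's diff
# (DN and password values are made up).
write_before() { printf '%s\n' 'base dc=example,dc=org' '' '# The DN to bind with for normal lookups.' \
    'binddn cn=nslcd,dc=example,dc=org' 'bindpw s3cret' >"$1"; }
write_after() { printf '%s\n' 'base dc=example,dc=org' '' '# The DN to bind with for normal lookups.' \
    '#binddn cn=nslcd,dc=example,dc=org' '#bindpw *removed*' >"$1"; }
demo() {
    d=$(mktemp -d); write_before "$d/before.conf"; write_after "$d/after.conf"
    echo "before upgrade: $(bind_state "$d/before.conf")"   # ok
    echo "after upgrade:  $(bind_state "$d/after.conf")"    # stripped
    rm -rf "$d"
}
demo
```

Run `bind_state /etc/nslcd.conf` after an nslcd upgrade (or from an apt post-invoke hook) and treat `stripped` as the signal to restore the bind credentials before users notice the "Insufficient access" failures.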