Your message dated Tue, 28 Feb 2023 15:13:40 +0000
with message-id <[email protected]>
and subject line Bug#1032123: Removed package(s) from unstable
has caused the Debian Bug report #583483,
regarding libpam-ldap: allow any LDAP users even when pam_check_host_attr
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
583483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-ldap
Version: 184-8.5
Severity: normal
Tags: patch
Hi there!
Cc:ing the libpam and libnss-ldapd's maintainers because of #583492,
read below.
I recently added the 'host' attribute to an OpenLDAP setup and I was
activating the libpam-ldap's pam_check_host_attr as explained at
<http://wiki.debian.org/LDAP/PAM>, section "Allowing logins on a
per-host basis".
On a lenny system, adding the lines from the wiki section "PAM setup
with pam_ldap" is enough to have the 'host' attribute checked before
login:
--8<---------------cut here---------------start------------->8---
# /etc/pam.d/common-account - authorization settings common to all services
## http://wiki.debian.org/LDAP/PAM
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
--8<---------------cut here---------------end--------------->8---
On sid, however, while I was quite happy that I had nothing to touch to
have LDAP authentication working automatically by default, the
libpam-ldap's pam_check_host_attr seems to not work at all:
--8<---------------cut here---------------start------------->8---
# /etc/pam.d/common-account - authorization settings common to all services
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
--8<---------------cut here---------------end--------------->8---
FYI, with the lenny configuration file on sid everything is fine.
I read the PAM documentation, but I still do not understand what is
wrong with the default configuration. Could this be related to
<http://bugs.debian.org/583492>? I guess so, given that libpam-ldapd's
pam.d/common-account configuration works as expected, with the big
difference being that the pam_ldap's profile is Additional and not
Primary:
--8<---------------cut here---------------start------------->8---
diff --git a/pam.d/common-account b/pam.d/common-account
index 95537e3..f499c71 100644
--- a/pam.d/common-account
+++ b/pam.d/common-account
@@ -14,8 +14,7 @@
#
# here are the per-package modules (the "Primary" block)
-account [success=2 new_authtok_reqd=done default=ignore]
pam_unix.so
-account [success=1 default=ignore] pam_ldap.so
+account [success=1 new_authtok_reqd=done default=ignore]
pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
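Review bot: the jump count on the pam_unix line drops from success=2 to success=1 because pam_ldap leaves the Primary block, and that is the whole fix, so it deserves an explicit changelog sentence: in the old layout a pam_unix success skipped both pam_ldap and pam_deny and landed on pam_permit, so pam_ldap's account checks (pam_check_host_attr included) never ran for any user pam_unix had already accepted. Also worth a comment next to the line that the count must equal the number of lines between pam_unix and pam_permit, since inserting anything there silently changes where the jump lands.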
@@ -23,4 +22,5 @@ account requisite pam_deny.so
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
+account [success=ok user_unknown=ignore default=bad]
pam_ldap.so
# end of pam-auth-update config
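Review bot: the added line `account [success=ok user_unknown=ignore default=bad] pam_ldap.so` runs unconditionally after pam_permit, and default=bad turns every pam_ldap result other than success or user_unknown (an unreachable directory, for instance) into a failure of the whole account stack, for local accounts as well, because pam_ldap is consulted for them too. The lenny stack quoted earlier in this report avoids that with `account sufficient pam_succeed_if.so uid < 10000 quiet` ahead of pam_ldap; consider the same guard here, or document that LDAP availability now gates local account checks.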
--8<---------------cut here---------------end--------------->8---
Given that AFAIK libpam-ldapd does not support the pam_check_host_attr
(wishlist bug?), I am quite reluctant to switch to it. I know I should
be able to implement that in /etc/nslcd.conf (via the 'filter' or
'pam_authz_search' options), but it is not so straightforward as
libpam-ldap ;-)
Thx, bye,
Gismo / Luca
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-ldap depends on:
ii debconf [debconf-2.0] 1.5.37 Debian configuration management sy
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
libpam-ldap recommends no packages.
Versions of packages libpam-ldap suggests:
ii libnss-ldapd [libnss-ldap] 0.7.13 NSS module for using LDAP as a nam
-- debconf information:
* shared/ldapns/base-dn: dc=pca,dc=it
* shared/ldapns/ldap-server: ldap://ldap.pca.it
libpam-ldap/pam_password: crypt
libpam-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libpam-ldap/rootbinddn: cn=admin,dc=pca,dc=it
* libpam-ldap/dbrootlogin: true
libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false

--- End Message ---
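The following is an added example, not part of this bug report or of libpam-ldap: a simplified Python model of the Linux-PAM control-flag semantics (ok/done/bad/die/ignore and the success=N jump counts), run over the sid Primary-block stack and the libpam-ldapd-style Additional-block stack quoted above. The module return codes and the constructed case (an LDAP user that pam_unix accepts through NSS but whose 'host' attribute excludes this machine, so pam_check_host_attr denies) are assumptions; real pam_dispatch() has corner cases this model leaves out.

```python
import re

# Shorthand controls as Linux-PAM expands them (only the two used below).
KEYWORDS = {"required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
            "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"}}

def parse_stack(text):
    stack = []  # [(module, {retval: action})] for the 'account' lines; comments are skipped
    for line in text.splitlines():
        m = re.match(r"\s*account\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0])
        if m:
            ctl, module = m.groups()
            actions = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
            stack.append((module, actions))
    return stack

def dispatch(stack, results):
    """Simplified pam_dispatch(): results maps module -> return code. Returns (status, modules run)."""
    impression, status, called, i = None, "perm_denied", [], 0
    while i < len(stack):
        module, actions = stack[i]
        retval = results[module]
        called.append(module)
        action = actions.get(retval, actions.get("default", "bad"))  # unlisted codes count as bad
        i += 1
        if action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":  # ok, done or a jump count: the result counts as positive
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done":
                break
            if action.isdigit():
                i += int(action)  # success=2 on pam_unix skips pam_ldap *and* pam_deny
    return (status if impression else "perm_denied"), called

SID_PRIMARY = """account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so"""
LDAPD_ADDITIONAL = """account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok user_unknown=ignore default=bad] pam_ldap.so"""
# Constructed case: LDAP user accepted by pam_unix whose 'host' attribute excludes this machine.
HOST_DENIED = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied",
               "pam_permit.so": "success", "pam_deny.so": "perm_denied"}
```

With the Primary-block stack the call trace never contains pam_ldap.so and the stack ends in success; with the Additional-block stack pam_ldap.so runs last and its default=bad turns the result into perm_denied.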
--- Begin Message ---
Version: 186-4.1+rm
Dear submitter,
as the package libpam-ldap has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1032123
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---