severity 407746 serious
tags 407746 patch
thanks

Jamie,

Attached please find a patch which addresses the problems with pam_ldap.conf
uri values being lost on upgrade.  I'd welcome any testing you can give this
patch to confirm that it addresses the problem for you, but as it passes my
own tests (and as my own previous NMU included comments describing this
exact problem), I'm reasonably confident that it's the correct fix.

Stephen, as the host/uri dichotomy has been plaguing us for some time, I've
taken the liberty in this patch of switching the default server value from
127.0.0.1 to ldapi:/// -- but that currently isn't going to work out of the
box in etch, due to a separate bug in slapd (as documented in the provided
changelog entry).  We're planning to get that bug fixed in time for release,
but please let me know if you'd prefer I leave that change out of any NMU I
do.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
diff -u libpam-ldap-180/debian/changelog libpam-ldap-180/debian/changelog
--- libpam-ldap-180/debian/changelog
+++ libpam-ldap-180/debian/changelog
@@ -1,3 +1,21 @@
+libpam-ldap (180-1.7) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * High-urgency upload for RC bugfix.
+  * Check for both 'host' and 'uri' in the existing pam_ldap.conf, so
+    that uri entries aren't incorrectly discarded on upgrade.  Also
+    handle ldapi:/// URIs in the postinst, rather than mistaking this
+    for a host entry.  Closes: #407746.
+  * Use ldapi:/// as the default server value, not 127.0.0.1, since
+    ldapi is going to be more efficient than tcp (well, once libldap2
+    and slapd are again using a compatible default socket location; see
+    bug #412781...)
+  * Incorporate a postinst fix from libnss-ldap, so updates will
+    preferentially be made to the first *uncommented* instance of the
+    option in pam_ldap.conf, not just the first instance.
+
+ -- Steve Langasek <[EMAIL PROTECTED]>  Wed,  7 Mar 2007 15:30:04 -0800
+
 libpam-ldap (180-1.6) unstable; urgency=low
 
   * Non-maintainer upload to fix pending l10n issues.
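Review bot: The second bullet changes the default server to ldapi:/// while the same bullet says this only works once libldap2 and slapd agree on a socket location (bug #412781), yet the upload is marked urgency=high for the RC fix to #407746. Consider moving the default change to a separate upload, or state in the entry what a fresh install that accepts the default should expect until #412781 is closed, so the upgrade fix can be evaluated on its own.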
diff -u libpam-ldap-180/debian/config libpam-ldap-180/debian/config
--- libpam-ldap-180/debian/config
+++ libpam-ldap-180/debian/config
@@ -40,8 +40,18 @@
 };
 
 if(get("libpam-ldap/override") eq "true") {
-	# These are the same as with libnss-ldap, lets not touch those..
-	read_and_input('shared/ldapns/ldap-server', 'host', 'critical');
+	# don't forget to check for any values of 'host' here --
+	# it may be better to just prepend 'ldap://' and migrate
+	# these all to URI so we can deprecate HOST, but for the time
+	# being this should adequately address our needs
+	my $value = (grep(/^host\s/, @current_config))[0];
+	if ($value) {
+		chomp($value);
+		$value =~ s/^host\s+//;
+		set('shared/ldapns/ldap-server', $value);
+	}
+	# These are the same as with libnss-ldap, lets not touch those.
+	read_and_input('shared/ldapns/ldap-server', 'uri', 'critical');
 	read_and_input('shared/ldapns/base-dn', 'base', 'critical');
 	read_and_input('shared/ldapns/ldap_version', 'ldap_version', 'critical');
 	$ret = go();  # yeah, we don't need that.. but in case we sometime do
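Review bot: The host lookup `grep(/^host\s/, @current_config)` is case-sensitive, while the postinst substitutions on the same file match the parameter name with `/i`, so a line written as `Host ...` would still be skipped here and its value lost on upgrade. Adding `/i` to both the grep and the `s/^host\s+//` keeps the two scripts consistent. `chomp` removes only the newline, so trailing whitespace on the host line ends up in debconf; a `s/\s+$//` before `set()` avoids that. The comment should also say which value is meant to win when the file has both an uncommented `host` and a `uri` line, since the `set()` here is followed immediately by `read_and_input(..., 'uri', ...)` on the same question.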
diff -u libpam-ldap-180/debian/templates libpam-ldap-180/debian/templates
--- libpam-ldap-180/debian/templates
+++ libpam-ldap-180/debian/templates
@@ -89,7 +89,7 @@
 
 Template: shared/ldapns/ldap-server
 Type: string
-Default: 127.0.0.1
+Default: ldapi:///
 _Description: LDAP Server host.
  The address of the LDAP server used.
  .
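Review bot: With the default now `ldapi:///`, the unchanged `_Description: LDAP Server host.` and "The address of the LDAP server used." no longer describe what the field holds. The description should say that a URI (ldap://, ldaps:// or ldapi://) or a hostname is accepted, so that an admin reading the prompt is not led to replace the URI with a bare address.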
diff -u libpam-ldap-180/debian/libpam-ldap.postinst libpam-ldap-180/debian/libpam-ldap.postinst
--- libpam-ldap-180/debian/libpam-ldap.postinst
+++ libpam-ldap-180/debian/libpam-ldap.postinst
@@ -35,8 +35,13 @@
 		# i really need a better way to do this...
 		# currently we replace only the first match, we need a better
 		# way of dealing with multiple hits.
-		value="$value" parameter="$parameter" perl -i -p -e 's/^#* *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i
-			and $match=1 unless ($match)' $CONFFILE
+		if [ "$commented" = "1" ]; then
+			value="$value" parameter="$parameter" perl -i -p -e 's/^# *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i
+				and $match=1 unless ($match)' $CONFFILE
+		else
+			value="$value" parameter="$parameter" perl -i -p -e 's/^\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i
+				and $match=1 unless ($match)' $CONFFILE
+		fi
 	fi
 }
 
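Review bot: Both new patterns are narrower than the one they replace. The old `^#* *` matched any number of `#` characters and any leading spaces; the commented branch now uses `^# *`, which matches exactly one `#`, and the uncommented branch uses `^\Q...\E`, which allows no leading whitespace. Lines such as `##uri ...` or an indented `uri ...` that were rewritten before are now left untouched. If that is intended, say so in the comment above the block; otherwise `^#+ *` and `^ *` restore the old coverage. `$commented` is not assigned anywhere in this hunk, so confirm the caller sets it on every path, and quote `$CONFFILE` in both invocations.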
@@ -84,7 +89,7 @@
 	fi
 
 	db_get shared/ldapns/ldap-server
-	if echo $RET | egrep -q '^ldaps?://'; then
+	if echo $RET | egrep -q '^ldap[is]?://'; then
 		disable_param host
 		change_value uri "$RET"
 	else
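Review bot: `echo $RET` on the changed line is unquoted, so the debconf value goes through word splitting and glob expansion before egrep sees it. `printf '%s\n' "$RET" | egrep -q '^ldap[is]?://'` tests the value as stored. The widened pattern itself is consistent with the changelog: it admits ldap://, ldaps:// and ldapi:// and sends everything else to the host branch.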
