severity 407746 serious
tags 407746 patch
thanks

Jamie,

Attached please find a patch which addresses the problems with pam_ldap.conf uri values being lost on upgrade. I'd welcome any testing you can give this patch to confirm that it addresses the problem for you, but as it passes my own tests (and as my own previous NMU included comments describing this exact problem), I'm reasonably confident that it's the correct fix.

Stephen, as the host/uri dichotomy has been plaguing us for some time, I've taken the liberty in this patch of switching the default server value from 127.0.0.1 to ldapi:/// -- but that currently isn't going to work out of the box in etch, due to a separate bug in slapd (as documented in the provided changelog entry). We're planning to get that bug fixed in time for release, but please let me know if you'd prefer I leave that change out of any NMU I do.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

diff -u libpam-ldap-180/debian/changelog libpam-ldap-180/debian/changelog --- libpam-ldap-180/debian/changelog +++ libpam-ldap-180/debian/changelog @@ -1,3 +1,21 @@ +libpam-ldap (180-1.7) unstable; urgency=high + + * Non-maintainer upload. + * High-urgency upload for RC bugfix. + * Check for both 'host' and 'uri' in the existing pam_ldap.conf, so + that uri entries aren't incorrectly discarded on upgrade. Also + handle ldapi:/// URIs in the postinst, rather than mistaking this + for a host entry. Closes: #407746. + * Use ldapi:/// as the default server value, not 127.0.0.1, since + ldapi is going to be more efficient than tcp (well, once libldap2 + and slapd are again using a compatible default socket location; see + bug #412781...) + * Incorporate a postinst fix from libnss-ldap, so updates will + preferentially be made to the first *uncommented* instance of the + option in pam_ldap.conf, not just the first instance. + + -- Steve Langasek <[EMAIL PROTECTED]> Wed, 7 Mar 2007 15:30:04 -0800 + libpam-ldap (180-1.6) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. diff -u libpam-ldap-180/debian/config libpam-ldap-180/debian/config --- libpam-ldap-180/debian/config +++ libpam-ldap-180/debian/config 
@@ -40,8 +40,18 @@ }; if(get("libpam-ldap/override") eq "true") { - # These are the same as with libnss-ldap, lets not touch those.. - read_and_input('shared/ldapns/ldap-server', 'host', 'critical'); + # don't forget to check for any values of 'host' here -- + # it may be better to just prepend 'ldap://' and migrate + # these all to URI so we can deprecate HOST, but for the time + # being this should adequately address our needs + my $value = (grep(/^host\s/, @current_config))[0]; + if ($value) { + chomp($value); + $value =~ s/^host\s+//; + set('shared/ldapns/ldap-server', $value); + } + # These are the same as with libnss-ldap, lets not touch those. + read_and_input('shared/ldapns/ldap-server', 'uri', 'critical'); read_and_input('shared/ldapns/base-dn', 'base', 'critical'); read_and_input('shared/ldapns/ldap_version', 'ldap_version', 'critical'); $ret = go(); # yeah, we don't need that.. but in case we sometime do diff -u libpam-ldap-180/debian/templates libpam-ldap-180/debian/templates --- libpam-ldap-180/debian/templates +++ libpam-ldap-180/debian/templates @@ -89,7 +89,7 @@ Template: shared/ldapns/ldap-server Type: string -Default: 127.0.0.1 +Default: ldapi:/// _Description: LDAP Server host. The address of the LDAP server used. . diff -u libpam-ldap-180/debian/libpam-ldap.postinst libpam-ldap-180/debian/libpam-ldap.postinst --- libpam-ldap-180/debian/libpam-ldap.postinst +++ libpam-ldap-180/debian/libpam-ldap.postinst 
@@ -35,8 +35,13 @@ # i really need a better way to do this... # currently we replace only the first match, we need a better # way of dealing with multiple hits. - value="$value" parameter="$parameter" perl -i -p -e 's/^#* *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i - and $match=1 unless ($match)' $CONFFILE + if [ "$commented" = "1" ]; then + value="$value" parameter="$parameter" perl -i -p -e 's/^# *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i + and $match=1 unless ($match)' $CONFFILE + else + value="$value" parameter="$parameter" perl -i -p -e 's/^\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i + and $match=1 unless ($match)' $CONFFILE + fi fi } @@ -84,7 +89,7 @@ fi db_get shared/ldapns/ldap-server - if echo $RET | egrep -q '^ldaps?://'; then + if echo $RET | egrep -q '^ldap[is]?://'; then disable_param host change_value uri "$RET" else
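Review bot: In the debian/config hunk (@@ -40,8 +40,18), grep(/^host\s/, @current_config) is case-sensitive, while the postinst substitutions in this same patch match the parameter name with /i, so a line written as "Host ..." would be rewritten by the postinst but never migrated into debconf here. Consider /^host\s/i, and strip trailing whitespace from $value after the s/^host\s+//, since chomp only removes the newline. The comment should also say which value is meant to win when the file carries both a host and a uri line, because the set() is followed directly by read_and_input('shared/ldapns/ldap-server', 'uri', 'critical').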
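Review bot: In the debian/templates hunk (@@ -89,7 +89,7), the default becomes ldapi:/// but the unchanged _Description line directly below it still reads "LDAP Server host. The address of the LDAP server used.", which asks the admin for a host or address rather than a URI. Suggest updating the description so it says an LDAP URI is expected, matching the new default and the '^ldap[is]?://' test in the postinst.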
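Review bot: In the first libpam-ldap.postinst hunk (@@ -35,8 +35,13), both new substitutions require a literal space after the parameter name (\E followed by " .*"), whereas the debian/config hunk matches host with \s, so a tab-separated line would be read by the config script but left unchanged here. Suggest \E\s.* in both branches. The commented branch also narrows the old "^#* *" prefix to "^# *", so a line commented out with more than one "#" no longer matches, and $CONFFILE is passed unquoted to both perl invocations.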
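Review bot: In the second libpam-ldap.postinst hunk (@@ -84,7 +89,7), "echo $RET | egrep -q '^ldap[is]?://'" expands $RET unquoted, so a debconf answer containing whitespace or glob characters is word-split and glob-expanded before the pattern is tested. Suggest quoting it, for example printf '%s\n' "$RET" | egrep -q '^ldap[is]?://', so the value checked here is exactly the one later passed to change_value uri "$RET".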