Package: libnss-ldap
Version: 251-7.5etch1
Followup-For: Bug #455907
My co-location box uses ldap for user accounts and openssh has been patched
to yank SSH keys from LDAP too. After updating[1] it blatted my old
'uri' parameter into the 'host' variable...which does not accept ldapi://
entries. The result, much login death :-/
Attached is an example of what happens for me.
Could you please please remember to try to squeeze this update in next time
round (although it looks like the security team jumped out and did this?)
so that it does not kill us 'etch' users in case libnss-ldap has to be
updated for security reasons again?
Cheers
Alex
[1] I recall this problem last time I updated libnss-ldap (in a
dist-upgrade to 'etch') and looking through the current bug reports
all the following seem related (all fixed I'm guessing by #408440[2]):
* 375069
* 391785
* 411923
* 415576
* 416664
* 419519
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408440
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: sparc (sparc64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.21.5-grsec
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages libnss-ldap depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries
Versions of packages libnss-ldap recommends:
ii libpam-ldap 180-1.7 Pluggable Authentication Module al
ii nscd 2.3.6.ds1-13etch2 GNU C Library: Name Service Cache
-- debconf information:
* libnss-ldap/dblogin: true
libnss-ldap/override: true
* shared/ldapns/base-dn: dc=wormnet,dc=eu
* shared/ldapns/ldap-server: ldapi://%2fvar%2frun%2fldapi/
* libnss-ldap/confperm: true
* libnss-ldap/rootbinddn: cn=admin,dc=wormnet,dc=eu
* shared/ldapns/ldap_version: 3
* libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libnss-ldap/nsswitch:
* libnss-ldap/dbrootlogin: true
--- /etc/libnss-ldap.conf 2007-12-17 15:39:07.591994125 +0000
+++ libnss-ldap.conf 2007-12-17 15:40:19.912868474 +0000
@@ -18,7 +18,7 @@
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
-#host ldapi://%2fvar%2frun%2fldapi/
+host ldapi://%2fvar%2frun%2fldapi/
# The distinguished name of the search base.
base dc=wormnet,dc=eu
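Review bot: the `+host ldapi://%2fvar%2frun%2fldapi/` line puts an ldapi:// URI into `host`, which the report says does not accept ldapi:// entries and which broke logins on this machine. `host` should stay commented here and the socket URI should stay on the `uri` line; a migration step that cannot convert the old value should leave the existing setting untouched rather than move it into `host`.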
@@ -26,7 +26,7 @@
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
-uri ldapi://%2fvar%2frun%2fldapi/
+#uri ldapi://%2fvar%2frun%2fldapi/
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
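Review bot: commenting out `uri ldapi://%2fvar%2frun%2fldapi/` leaves no active `uri` line in this hunk, since the three alternatives below it are already commented, so the server location now depends entirely on the `host` line set in the previous hunk. Keep this `uri` line active: the comment directly above it says `uri` is the setting that allows Unix Domain Sockets for a local LDAP server.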