Package: libnss-ldap
Version: 251-7.5etch1
Followup-For: Bug #455907

My co-location box uses ldap for user accounts and openssh has been patched to yank SSH keys from LDAP too.

After updating[1] it blatted my old 'uri' parameter into the 'host' variable...which does not accept ldapi:// entries. The result, much login death :-/

Attached is an example of what happens for me.

Could you please please remember to try to squeeze this update in next time round (although it looks like the security team jumped out and did this?) so that it does not kill us 'etch' users in case libnss-ldap has to be updated for security reasons again?

Cheers

Alex

[1] I recall this problem last time I updated libnss-ldap (in a dist-upgrade to 'etch') and looking through the current bug reports all the following seem related (all fixed, I'm guessing, by #408440[2]):
 * 375069
 * 391785
 * 411923
 * 415576
 * 416664
 * 419519
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408440

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: sparc (sparc64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.21.5-grsec
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages libnss-ldap depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii libpam-ldap 180-1.7 Pluggable Authentication Module al
ii nscd 2.3.6.ds1-13etch2 GNU C Library: Name Service Cache

-- debconf information:
* libnss-ldap/dblogin: true
  libnss-ldap/override: true
* shared/ldapns/base-dn: dc=wormnet,dc=eu
* shared/ldapns/ldap-server: ldapi://%2fvar%2frun%2fldapi/
* libnss-ldap/confperm: true
* libnss-ldap/rootbinddn: cn=admin,dc=wormnet,dc=eu
* shared/ldapns/ldap_version: 3
* libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libnss-ldap/nsswitch:
* libnss-ldap/dbrootlogin: true

--- /etc/libnss-ldap.conf 2007-12-17 15:39:07.591994125 +0000 +++ libnss-ldap.conf 2007-12-17 15:40:19.912868474 +0000 @@ -18,7 +18,7 @@ # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). -#host ldapi://%2fvar%2frun%2fldapi/ +host ldapi://%2fvar%2frun%2fldapi/ # The distinguished name of the search base. base dc=wormnet,dc=eu @@ -26,7 +26,7 @@ # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. -uri ldapi://%2fvar%2frun%2fldapi/ +#uri ldapi://%2fvar%2frun%2fldapi/ #uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/
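
Review bot: In the hunk at @@ -18,7 the newly active `host` line carries an ldapi:// URI, and the report states that `host` does not accept ldapi:// entries, so the setting cannot work as written. The line should stay commented as `#host ldapi://%2fvar%2frun%2fldapi/`, with the socket path left under `uri`.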
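
Review bot: In the hunk at @@ -26,7 the only active `uri` line is commented out, and every other `uri` entry in the visible context is already commented, so only the `host` line from the earlier hunk is left to name the server. Keep `uri ldapi://%2fvar%2frun%2fldapi/` uncommented; a configuration migration should leave an existing `uri` value in place rather than moving it to `host`.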