Your message dated Fri, 27 Apr 2012 09:34:46 +0000
with message-id <e1snhze-00057w...@franck.debian.org>
and subject line Bug#670133: fixed in nss-pam-ldapd 0.8.8-1
has caused the Debian Bug report #670133,
regarding nslcd: /etc/nslcd.conf's binddn/bindpw removed during upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
670133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670133
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nslcd
Version: 0.8.7-1
Severity: critical
Tags: patch
Usertags: pca.it-authentication

Hi there!

Basically, with today's upgrade, my /etc/nslcd.conf was automatically
changed and the LDAP setup completely broke:
=====
root@gismo:/etc# cat /var/log/syslog
[...]
Apr 23 10:27:29 gismo nslcd[5209]: version 0.8.7 starting
Apr 23 10:27:29 gismo nslcd[5209]: accepting connections
Apr 23 10:27:37 gismo nslcd[5209]: [8b4567] <group/member="luca"> ldap_result() failed: Insufficient access
[...]

root@gismo:/etc# git log -p -1
commit abc0c29950469771617ffd0be132456669b7d305
Author: Luca Capello <l...@pca.it>
Date:   Mon Apr 23 10:27:35 2012 +0200

    committing changes in /etc after apt run
    
    Package changes:
[...]
    -nslcd 0.8.6-1
    +nslcd 0.8.7-1
[...]
diff --git a/nslcd.conf b/nslcd.conf
index 8ea8f0c..db2131d 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -16,8 +16,8 @@ base dc=pca,dc=it
 #ldap_version 3
 
 # The DN to bind with for normal lookups.
-binddn HIDDEN
-bindpw HIDDEN
+#binddn HIDDEN
+#bindpw *removed*
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
=====

I was quite surprised by that and then discovered the reason:
/etc/nslcd.conf is not a dpkg's conffile (it does not show up with
`dpkg-query -s nslcd`), thus any modification done is not automatically
preserved during upgrades, which is a bug according to
debian-policy_3.9.3.1's § 10.7.3:

  <http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.3>

  10.7 Configuration files

  [...]

  10.7.3 Behavior

  Configuration file handling must conform to the following behavior:

    * local changes must be preserved during a package upgrade,

NB, the Severity: of this bug is critical (and not serious) because LDAP
    users can no longer work with the system.

Strangely enough, this should have already been fixed by #610117.  Some
debugging and the problem in my case was clear: I did not use
debconf/dpkg-reconfigure to configure nslcd (which is perfectly fine, no
configuration method is mandatory in Debian), thus given that debconf's
nslcd/ldap-auth-type was empty /var/lib/dpkg/info/nslcd.postinst:212
thinks that there is no authentication at all.

This is easily fixed with the following patch, but further investigation
is still needed, given that bindpw is still removed, again if you do not
use debconf/dpkg-reconfigure:

--8<---------------cut here---------------start------------->8---
--- nslcd.postinst.ORG  2012-04-23 01:22:29.000000000 +0200
+++ nslcd.postinst      2012-04-23 12:04:15.180373883 +0200
@@ -211,6 +211,10 @@
   update_config nslcd/ldap-base base
   db_get nslcd/ldap-auth-type
   authtype="$RET"
+  db_get nslcd/ldap-binddn
+  if [ -n "$RET" ] && [ "$authtype" = none ]; then
+    authtype=simple
+  fi
   case "$authtype" in
   simple)
     update_config nslcd/ldap-binddn binddn
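Review bot: the new guard `[ -n "$RET" ] && [ "$authtype" = none ]` only fires when db_get returned the literal string none; if nslcd/ldap-auth-type is empty, as the report above describes for a hand-configured system, "$authtype" is the empty string, the comparison is false and the case statement still skips the simple) branch. Consider `if [ -n "$RET" ] && { [ -z "$authtype" ] || [ "$authtype" = none ]; }; then`. Note also that the check still consults the debconf database (nslcd/ldap-binddn), so it inherits the same gap the report identifies for bindpw; deriving the type from the binddn line already present in /etc/nslcd.conf would cover both values.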
--8<---------------cut here---------------end--------------->8---

The problem is present on the debconf's side as well, reproducible with:
=====
root@gismo:/etc# debconf-show nslcd
* nslcd/ldap-bindpw: (password omitted)
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
  nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: HIDDEN
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=pca,dc=it
  nslcd/ldap-sasl-authzid:

root@gismo:/etc# git diff
diff --git a/nslcd.conf b/nslcd.conf
index db2131d..2984a50 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -16,8 +16,8 @@ base dc=pca,dc=it
 #ldap_version 3

 # The DN to bind with for normal lookups.
-#binddn HIDDEN
-#bindpw *removed*
+binddn test
+bindpw test

 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com

root@gismo:/etc# dpkg-reconfigure nslcd
[...]

root@gismo:/etc# git diff | less
diff --git a/nslcd.conf b/nslcd.conf
index db2131d..41b888f 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -16,7 +16,7 @@ base dc=pca,dc=it
 #ldap_version 3

 # The DN to bind with for normal lookups.
-#binddn HIDDEN
+#binddn test
 #bindpw *removed*

 # The DN used for password modifications by root.

root@gismo:/etc# debconf-show nslcd
* nslcd/ldap-bindpw: (password omitted)
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: test
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=pca,dc=it
  nslcd/ldap-sasl-authzid:

root@gismo:/etc#
=====

It seems the /etc/nslcd.conf handling is in some way broken :-(

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu1
ii  debconf [debconf-2.0]  1.5.42
ii  libc6                  2.13-30
ii  libgssapi-krb5-2       1.10+dfsg~beta1-2
ii  libldap-2.4-2          2.4.28-1.2

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.8.1.dfsg.P1-4
ii  host                        1:9.8.1.dfsg.P1-4
ii  ldap-utils                  2.4.28-1.2
ii  libnss-ldapd [libnss-ldap]  0.8.7-1
ii  libpam-ldapd [libpam-ldap]  0.8.7-1
ii  nscd                        2.13-30

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf information:
  nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
  nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.pca.it
  nslcd/ldap-sasl-secprops:
* nslcd/ldap-binddn: HIDDEN
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=pca,dc=it
  nslcd/ldap-sasl-authzid:

Attachment: pgpTJkkdBFvws.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.8.8-1

We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.8.8-1_i386.deb
  to main/n/nss-pam-ldapd/libnss-ldapd_0.8.8-1_i386.deb
libpam-ldapd_0.8.8-1_i386.deb
  to main/n/nss-pam-ldapd/libpam-ldapd_0.8.8-1_i386.deb
nslcd_0.8.8-1_i386.deb
  to main/n/nss-pam-ldapd/nslcd_0.8.8-1_i386.deb
nss-pam-ldapd_0.8.8-1.debian.tar.gz
  to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.8-1.debian.tar.gz
nss-pam-ldapd_0.8.8-1.dsc
  to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.8-1.dsc
nss-pam-ldapd_0.8.8.orig.tar.gz
  to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 670...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adej...@debian.org> (supplier of updated nss-pam-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 27 Apr 2012 11:20:00 +0200
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.8.8-1
Distribution: unstable
Urgency: low
Maintainer: Arthur de Jong <adej...@debian.org>
Changed-By: Arthur de Jong <adej...@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
 libpam-ldapd - PAM module for using LDAP as an authentication service
 nslcd      - Daemon for NSS and PAM lookups using LDAP
Closes: 669680 670133 670419
Changes: 
 nss-pam-ldapd (0.8.8-1) unstable; urgency=low
 .
   * new upstream release:
     - fix a problem in the handling of PAM requests in nslcd (closes: #670419)
     - install the ldapns.schema in nslcd docs (closes: #669680)
   * use the configuration file contents to determine the authentication
     type, not the debconf database (closes: #670133)
   * switch PAM account type to primary because it now does all the
     authorisation checks that pam_unix also does
   * drop functionality to check whether shadow information is exposed
     in /etc/nsswitch.conf, it was no longer needed since 0.8.4
   * ensure that /var/run/nslcd is not removed during upgrades
Checksums-Sha1: 
 69563a30a974136131cbb87336e7d892b498c36d 1510 nss-pam-ldapd_0.8.8-1.dsc
 d607eb2c17b7fc757aaa52f14035bca6998fdcde 473002 nss-pam-ldapd_0.8.8.orig.tar.gz
 42a5ad7d85f9b1bda141f479b6c057774066b4f2 87920 nss-pam-ldapd_0.8.8-1.debian.tar.gz
 3077b2486e120092a409a5f77aa3a22a037dec9a 167332 nslcd_0.8.8-1_i386.deb
 08dc3680ec96027ba8dfcbcb313afb0deb6bf837 62522 libnss-ldapd_0.8.8-1_i386.deb
 570a954ea18dab4186a74d5e39f335f06401cb74 48528 libpam-ldapd_0.8.8-1_i386.deb
Checksums-Sha256: 
 7ca72718f690a1541d649264c0f14271d4a5e50a546ffce9efb3edaff6833830 1510 nss-pam-ldapd_0.8.8-1.dsc
 880538e5507992b9067f5b20e7e290f8bd3a994569b3f41b4db5047775bb73fa 473002 nss-pam-ldapd_0.8.8.orig.tar.gz
 f2b213241a04327414d8d29fe73e2d089c10d04f8dc34a426669126cdbf1d00c 87920 nss-pam-ldapd_0.8.8-1.debian.tar.gz
 7944b85352509d6ab880ce459ecc3c99a72b3a3ae8b34d9fc1bf7eeb0a8fb198 167332 nslcd_0.8.8-1_i386.deb
 08af8fdb8c9e946ca20095990b139b3cb3a9a3fc2342133c6129dc6c43b792db 62522 libnss-ldapd_0.8.8-1_i386.deb
 eb039bf2af608cd4d4562801f29309815d518cc5c98185ec42af3977c0a8d86f 48528 libpam-ldapd_0.8.8-1_i386.deb
Files: 
 2bd6ad2a5e0f18f6b98b589c3965f0e8 1510 admin extra nss-pam-ldapd_0.8.8-1.dsc
 50e4ac6180275b9c2287e4323a1cd4c6 473002 admin extra nss-pam-ldapd_0.8.8.orig.tar.gz
 b34be877d35aa919692cd4d6d46ac729 87920 admin extra nss-pam-ldapd_0.8.8-1.debian.tar.gz
 e488d7f4dbff689c4a811dd42b55fe25 167332 admin extra nslcd_0.8.8-1_i386.deb
 f3b771f2a2ccc0afeddecf6d0a49adc0 62522 admin extra libnss-ldapd_0.8.8-1_i386.deb
 0306c547cbfeb99c73f254d0bf27d791 48528 admin extra libpam-ldapd_0.8.8-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+aZjEACgkQVYan35+NCKd09ACeJbkgP4LtGvMpTbtUqJ87Asnj
G1UAn3xegRhOvG1icSSqxP2i5C3HPrLu
=k5DB
-----END PGP SIGNATURE-----



--- End Message ---
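As an added example (not code from the nss-pam-ldapd package or its postinst, and not from either message above), the following POSIX shell script shows the approach the 0.8.8-1 changelog describes for #670133: deciding the authentication type from what /etc/nslcd.conf actually contains rather than from the debconf database, which is the gap Luca's report hit when nslcd had been configured by hand. It also includes a check for the symptom the report's git diff shows, a commented-out binddn with bindpw replaced by *removed*. The function names, the sample configuration files and the placeholder DN and password are constructed here and are assumptions, not values from the bug report.

```shell
#!/bin/sh
# Added example, not the nss-pam-ldapd package's postinst: determine the nslcd
# authentication type from the contents of an nslcd.conf-style file instead of
# from the debconf database. All function names and sample files are constructed.

# Print the value of an uncommented "option value" line from the given file
# (last occurrence wins). Commented-out lines such as "#binddn ..." do not
# match, which is what distinguishes a live setting from one an upgrade disabled.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | tail -n 1
}

# Classify the bind method the file really uses: sasl if sasl_mech is set,
# simple if a binddn is set, none otherwise.
detect_auth_type() {
    if [ -n "$(cfg_get "$1" sasl_mech)" ]; then
        echo sasl
    elif [ -n "$(cfg_get "$1" binddn)" ]; then
        echo simple
    else
        echo none
    fi
}

# Reconcile the file with a debconf answer ($2, may be empty or "none"):
# the file's own evidence wins, so a hand-edited bind is never downgraded
# to "none" and its credentials are never commented out by an upgrade step.
effective_auth_type() {
    file_type="$(detect_auth_type "$1")"
    if [ "$file_type" != none ]; then
        echo "$file_type"
    else
        echo "${2:-none}"
    fi
}

# Detect the symptom from the report: binddn commented out and bindpw wiped.
# Returns 0 (true) when the credentials have been removed.
credentials_wiped() {
    grep -q '^#binddn' "$1" && grep -q '^#bindpw \*removed\*' "$1"
}

# Constructed sample configurations (placeholder DN and password).
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT
SAMPLE_OK="$tmpdir/nslcd.conf.ok"
SAMPLE_BROKEN="$tmpdir/nslcd.conf.broken"
SAMPLE_SASL="$tmpdir/nslcd.conf.sasl"

cat > "$SAMPLE_OK" <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
# The DN to bind with for normal lookups.
binddn cn=nslcd,dc=example,dc=com
bindpw PLACEHOLDER-PASSWORD
EOF

cat > "$SAMPLE_BROKEN" <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
# The DN to bind with for normal lookups.
#binddn cn=nslcd,dc=example,dc=com
#bindpw *removed*
EOF

cat > "$SAMPLE_SASL" <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
EOF

for f in "$SAMPLE_OK" "$SAMPLE_BROKEN" "$SAMPLE_SASL"; do
    status=intact
    if credentials_wiped "$f"; then status="credentials wiped"; fi
    printf '%s: file says %s, debconf "none" reconciles to %s (%s)\n' \
        "${f##*/}" "$(detect_auth_type "$f")" "$(effective_auth_type "$f" none)" "$status"
done
```

Run it as-is: it writes the three constructed files to a temporary directory, classifies each, and removes the directory on exit. Because cfg_get only matches uncommented option lines, the broken sample classifies as none while credentials_wiped flags it, which is the pair of checks a maintainer script or a post-upgrade audit would want before touching the bind credentials.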
