** Information type changed from Private to Public

https://bugs.launchpad.net/bugs/1270118

Title:
  lightdm ask ldap administrator password when changing an expired
  password

Status in Light Display Manager:
  Triaged
Status in “lightdm” package in Ubuntu:
  Triaged
Status in “lightdm” source package in Precise:
  New
Status in “lightdm” source package in Saucy:
  New
Status in “lightdm” package in Debian:
  Fix Released

Bug description:
  Package: lightdm
  Version: 1.2.2-4
  Severity: important

  Dear Maintainer,
  I have a working authentication configuration with LDAP on my Debian
  wheezy workstation. Everything works fine except with lightdm when an
  LDAP user has to change his password due to expiration. The user is
  able to log in, but at the next prompt, instead of asking for the new
  password, the LDAP administrator password is asked for. I've seen that I
  get the same behaviour when I try to change an LDAP user's password via
  passwd as root.
  My nslcd configuration doesn't allow the local root user to behave like
  the LDAP administrator.
  I've tried with the gdm3 greeter and it works; it asks for the new
  password and allows the password to be changed properly.
  I've seen this different behaviour in auth.log:

  with gdm3:

  debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
  debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
  debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
  debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
  debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
  debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
  debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
  debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
  debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd

  with lightdm:

  debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
  debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
  debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
  debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
  debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not exist in /etc/passwd
  debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
  debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd

  As you can see, the nslcd authentication has the user value set with gdm3.
  Lightdm has a blank value instead.

  I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
  check if it was a greeter problem but the problem remains with both.

  
  -- System Information:
  Debian Release: 7.3
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable')
  Architecture: i386 (i686)

  Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
  Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
  Shell: /bin/sh linked to /bin/dash

  Versions of packages lightdm depends on:
  ii  adduser                                3.113+nmu3
  ii  consolekit                             0.4.5-3.1
  ii  dbus                                   1.6.8-1+deb7u1
  ii  debconf [debconf-2.0]                  1.5.49
  ii  libc6                                  2.13-38
  ii  libglib2.0-0                           2.33.12+really2.32.4-5
  ii  libpam0g                               1.1.3-7.1
  ii  libxcb1                                1.8.1-2+deb7u1
  ii  libxdmcp6                              1:1.1.1-1
  ii  lightdm-gtk-greeter [lightdm-greeter]  1.1.6-2

  Versions of packages lightdm recommends:
  ii  xserver-xorg  1:7.7+3~deb7u1

  Versions of packages lightdm suggests:
  ii  accountsservice  0.6.21-8
  ii  upower           0.9.17-1

  -- Configuration Files:
  /etc/lightdm/lightdm.conf:
  [LightDM]
  [SeatDefaults]
  xserver-allow-tcp=false
  greeter-session=lightdm-greeter
  greeter-hide-users=true
  user-session=gnome-session
  session-wrapper=/etc/X11/Xsession
  [XDMCPServer]
  [VNCServer]
  enabled=true
  port=5900
  width=1024
  height=768
  depth=8

  /etc/pam.d/lightdm:
  auth    requisite       pam_nologin.so
  auth    required        pam_env.so readenv=1
  auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
  @include common-auth
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  session required        pam_limits.so
  session required        pam_loginuid.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  @include common-password

  In addition to these files my configuration is:

  nslcd.conf:
  uid nslcd
  gid nslcd
  uri ldap://ldap2
  uri ldap://ldap1
  base passwd ou=people,dc=myorg
  base shadow ou=people,dc=myorg
  base group ou=groups,dc=myorg
  ldap_version 3
  binddn cn=reader,dc=myorg
  bindpw readerpass
  ssl start_tls
  tls_reqcert allow

  common-auth:

  auth    [success=5 default=ignore]      pam_unix.so nullok_secure debug
  auth    [success=3 authinfo_unavail=ignore default=1]   pam_ldap.so minimum_uid=1000 use_first_pass debug
  auth    [success=3 default=ignore]  pam_ccreds.so action=validate use_first_pass
  auth    [default=bad]   pam_ccreds.so action=update
  auth    requisite                       pam_deny.so
  auth    [default=ignore]  pam_ccreds.so action=store
  auth    required                        pam_permit.so

  common-account:

  account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
  account [success=1 new_authtok_reqd=done authinfo_unavail=1 default=ignore]     pam_ldap.so minimum_uid=1000 debug
  account requisite                       pam_deny.so
  account required                        pam_permit.so

  common-password:

  password        [success=2 default=ignore]      pam_unix.so obscure sha512 debug
  password        [success=1 new_authtok_reqd=1 default=ignore]   pam_ldap.so minimum_uid=1000 try_first_pass debug
  #password       [default=1]     pam_ldap.so minimum_uid=1000 try_first_pass debug
  password        requisite                       pam_deny.so
  password        required                        pam_permit.so

  common-session:

  session [default=ok] pam_permit.so
  session [default=ignore] pam_unix.so
  session [default=ignore] pam_ldap.so minimum_uid=1000
  session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022

  -- debconf information:
    lightdm/daemon_name: /usr/sbin/lightdm
  * shared/default-x-display-manager: lightdm

  Thank you for your support.
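
A check for the symptom described in the report, as an added example that is not part of the original bug report or of lightdm: it scans auth.log lines in the format quoted above and flags every pam_ldap chauthtok request that reached nslcd with an empty user, paired with the user seen in the same service's preceding auth phase. The function name and the sample input (the report's own log lines, with wrapped lines rejoined) are assumptions for illustration.

```python
import re

# pam_ldap lines in the format shown in the report, e.g.
#   debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=test
PAM_LDAP = re.compile(r"pam_ldap\((?P<service>[^:()]+):(?P<phase>\w+)\): (?P<msg>.*)$")
NSLCD_USER = re.compile(r"nslcd authentication; user=(?P<user>\S*)")

# Sample input: log lines taken from the report, wrapped lines rejoined.
SAMPLE = """\
debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
"""

def find_blank_user_chauthtok(lines):
    """Return one finding per chauthtok request sent to nslcd with an empty user."""
    last_auth_user = {}  # service -> user from its most recent auth-phase request
    findings = []
    for lineno, line in enumerate(lines, 1):
        entry = PAM_LDAP.search(line)
        if not entry:
            continue  # not a pam_ldap line (pam_unix, other daemons, ...)
        request = NSLCD_USER.match(entry["msg"])
        if not request:
            continue  # pam_ldap result line, not a request to nslcd
        service, phase, user = entry["service"], entry["phase"], request["user"]
        if phase == "auth" and user:
            last_auth_user[service] = user
        elif phase == "chauthtok" and not user:
            findings.append({
                "line": lineno,
                "service": service,
                "expected_user": last_auth_user.get(service),
            })
    return findings

if __name__ == "__main__":
    for f in find_blank_user_chauthtok(SAMPLE.splitlines()):
        print(f"line {f['line']}: {f['service']} sent chauthtok with empty user "
              f"(auth phase user was {f['expected_user']!r})")
```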
