Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-16 Thread Thomas Wallrafen
Package: nslcd
Version: 0.9.4-3+deb8u2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

after upgrading Debian Jessie to release 8.7 (from 8.6) the package nslcd
is rendered unusable because the nslcd daemon fails to start.

The error message as reported by /var/log/daemon.log is:

Jan 16 11:45:28 v303855 nslcd[20591]: Starting LDAP connection daemon:
nslcdnslcd: /etc/nslcd.conf:52: tls_cacertfile: too may arguments

Which references the setting
tls_cacertfile dir /etc/ssl/certs/

The aforementioned setting is probably added to the file via the
postinstall script of the nslcd package.  If one removes the line
tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and runs
# dpkg --configure -a
the line reappears and nslcd is still unable to start.

Regards

Thomas Wallrafen


-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii  adduser  3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  libc6  2.19-18+deb8u7
ii  libgssapi-krb5-2   1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2  2.4.40+dfsg-1+deb8u2

Versions of packages nslcd recommends:
ii  bind9-host [host]   1:9.9.5.dfsg-9+deb8u9
ii  ldap-utils  2.4.40+dfsg-1+deb8u2
iu  libnss-ldapd [libnss-ldap]  0.9.4-3+deb8u2
ii  libpam-ldap 184-8.7+b1
ii  nscd  2.19-18+deb8u7
iu  nslcd-utils 0.9.4-3+deb8u2

Versions of packages nslcd suggests:
pn  kstart  

-- debconf information excluded



Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-16 Thread Thomas Wallrafen

Hi,

On Mon, Jan 16, 2017 at 12:31:24PM +0100, Arthur de Jong wrote:
> Hi,
>
> On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> > The aforementioned setting is probably added to the file via the
> > postinstall script of the nslcd package.  If one removes the line
> > tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> > runs
> > # dpkg --configure -a
> > the line reappears and nslcd is still unable to start.
>
> Can you post your whole nslcd.conf file?

See the attached nslcd.conf file (the version before the
upgrade). After the upgrade there is another line added at the end
which reads
tls_cacertfile dir /etc/ssl/certs/

> Previously there was a
> tls_cacert option that got renamed to tls_cacertfile. There is also a
> tls_cacertdir option but that should not be used on Debian.
>
> Also can you provide your debconf settings from
>
> # debconf-get-selections | grep ^nslcd | grep -v password

output as follows:

nslcd  nslcd/ldap-binddn  string  cn="Ldap Bind",cn=Users,dc=auth,redacted
nslcd  nslcd/ldap-starttls  boolean  false
nslcd  nslcd/disable-screensaver  error
nslcd  nslcd/ldap-sasl-krb5-ccname  string  /var/run/nslcd/nslcd.tkt
nslcd  nslcd/xdm-needs-restart  error
nslcd  nslcd/ldap-base  string  dc=auth,redacted
nslcd  nslcd/ldap-reqcert  select  never
nslcd  nslcd/ldap-sasl-authzid  string
nslcd  nslcd/restart-services  string
nslcd  nslcd/ldap-uris  string  ldaps://host1.redacted ldaps://host2.redacted
nslcd  nslcd/ldap-auth-type  select  simple
nslcd  nslcd/ldap-sasl-authcid  string
nslcd  nslcd/ldap-sasl-realm  string
nslcd  nslcd/ldap-sasl-mech  select
nslcd  libraries/restart-without-asking  boolean  false
nslcd  nslcd/restart-failed  error
nslcd  nslcd/ldap-sasl-secprops  string
nslcd  nslcd/ldap-cacertfile  string  dir /etc/ssl/certs/



Regards

Thomas
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://host1.redacted
uri ldaps://host2.redacted



# The search base that will be used for all queries.
base dc=auth,dc=redacted

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn="Ldap Bind",cn=Users,dc=redacted
bindpw redacted

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never

# The search scope.
scope sub

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName

filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

filter group  (&(objectClass=group)(gidNumber=*))
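As an added example (not code from the nslcd project or from anyone in this thread), a small Python checker that parses an nslcd.conf fragment and debconf-get-selections output and flags the single-argument TLS options that carry more than one value, which is the condition behind the "too many arguments" error quoted above. The sample inputs are constructed from the lines quoted in this report, and it is assumed here that the postinst writes the nslcd/ldap-cacertfile debconf value verbatim as the tls_cacertfile argument.

```python
"""Flag nslcd TLS options that carry the wrong number of arguments."""
import shlex

# Options that nslcd.conf(5) defines with exactly one argument.
SINGLE_ARG_OPTIONS = {"tls_cacertfile", "tls_cacertdir", "tls_reqcert"}

# Constructed sample: the pre-upgrade SSL block plus the line that the
# postinst appended, both as quoted in this bug report.
SAMPLE_CONF = """\
# SSL options
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never
tls_cacertfile dir /etc/ssl/certs/
"""

# Constructed sample of the relevant debconf-get-selections line.
SAMPLE_DEBCONF = "nslcd\tnslcd/ldap-cacertfile\tstring\tdir /etc/ssl/certs/\n"


def check_nslcd_conf(text):
    """Return (lineno, option, message) for each malformed TLS option line."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # nslcd ignores blank lines and comments
        parts = shlex.split(line)  # honours quoting such as cn="Ldap Bind"
        option, args = parts[0], parts[1:]
        if option in SINGLE_ARG_OPTIONS and len(args) != 1:
            msg = "too many arguments" if len(args) > 1 else "missing argument"
            problems.append((lineno, option, msg))
    return problems


def check_debconf_cacertfile(text):
    """Return the nslcd/ldap-cacertfile value if it is not a single path."""
    # Assumption: the postinst copies this value verbatim into tls_cacertfile,
    # so a value with embedded whitespace yields the rejected config line.
    for raw in text.splitlines():
        fields = raw.split(None, 3)  # owner, question, type, value
        if len(fields) == 4 and fields[1] == "nslcd/ldap-cacertfile":
            value = fields[3].strip()
            if len(value.split()) != 1:
                return value
    return None


if __name__ == "__main__":
    for lineno, option, msg in check_nslcd_conf(SAMPLE_CONF):
        print(f"nslcd.conf:{lineno}: {option}: {msg}")
    print("bad debconf value:", check_debconf_cacertfile(SAMPLE_DEBCONF))
```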