[Cooker] Re2: pam_ldap-164-1mdk - bug report
Buchan Milne wrote:
> Scott, please file a bug on this so we can track it.

I would love to, but same old story...

I haven't been able to file a bug report through bugzilla @ qa.mandrakesoft.com for over 8 months now, with several messages sent to [EMAIL PROTECTED], warly, as well as copying to the cooker list (hoping to get someone's attention) - oh, well...

> Please note that some issues are affected by certificate validation issues, I am currently running some cooker boxes without ssl in /etc/ldap.conf, and/or disabled cert validation. [Vince, the cert validation issue also affects the openldap packages on 9.1. I mentioned this before, and I have discovered that the problem I had attributed to TinyCA is a general problem with cert validation (in the case you don't use self-signed certs). I will file a separate bug on openldap, but I would like your input on it.]

I am not running openldap with ssl (yet) so I haven't seen any of those types of issues.

> > In cases where you have a system and ldap user (with same uid) the system password is changed, when the ldap password should be changed (not good)... Any ideas?
>
> Hmm, we don't have any local user accounts any more (everything is in LDAP besides emergency accounts on boxes which don't allow local root login). Please upload a copy of your /etc/pam.d/system-auth file to your bug report.

Done. (Actually I will copy what I tried to post to bugzilla. Expecting it wouldn't go, I saved a copy.)

Thanks again!
S

Bug report:

Reporter: [EMAIL PROTECTED]
Product: pam_ldap
Version: 164-1mdk (current)
Summary:
Description:

In cases where you have a system and ldap user (with same uid) the system password is changed, when the ldap password should have been changed (not good)...

Not sure exactly where the issue is, but pam_ldap-161-1.1mdk works (in conjunction) with both nss_ldap-204-1.1mdk and 207-1mdk.

Additional Info:

/etc/pam.d/system-auth --
    #%PAM-1.0
    auth        required    /lib/security/pam_env.so
    auth        sufficient  /lib/security/pam_unix.so likeauth nullok
    auth        sufficient  /lib/security/pam_ldap.so use_first_pass
    auth        required    /lib/security/pam_deny.so
    account     required    /lib/security/pam_unix.so
    account     sufficient  /lib/security/pam_ldap.so
    password    required    /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0 ucredit=0
    password    sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient  /lib/security/pam_ldap.so use_authtok
    password    required    /lib/security/pam_deny.so
    session     required    /lib/security/pam_limits.so
    session     required    /lib/security/pam_unix.so

/etc/pam.d/passwd -
    #%PAM-1.0
    auth        sufficient  /lib/security/pam_ldap.so
    auth        required    /lib/security/pam_pwdb.so shadow nullok
    account     sufficient  /lib/security/pam_ldap.so
    account     required    /lib/security/pam_pwdb.so
    password    required    /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
    password    sufficient  /lib/security/pam_ldap.so use_authtok
    password    required    /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
Re: [Cooker] Re2: pam_ldap-164-1mdk - bug report
Florin wrote:
> Howdi,
> Simply send me an email and explain what's going on ... and I will try to fix the problem
> cheers,

I have everything set to auth against pam (including saslauthd), which should be pretty normal. (I used the ldap guide from mandrakesecure as a guide.)

Prior to 164-1 being added to cooker, I was using 161-2 (currently I've had to downgrade to 161-1.1 from mdk91 updates) and it is working without issue.

I have a few user accounts that exist as both a system user and an ldap user. Currently (using 161-1.1) when I use /usr/bin/passwd to change the password of one of these users, the ldap password is updated (not the password stored in /etc/shadow), which is correct behavior (as I believe).

When I updated pam_ldap to 164-1 and tried to change passwords, the system password is changed, and the ldap password is not (incorrect behavior). I did not see anything logged to syslog about the failure (and actually passwd didn't fail); it's just that the ldap password was not updated.

Of note, 161-1.1 works with either version of nss_ldap (204-1.1 and 207-1). I have had no issues with nss_ldap.

I posted /etc/pam.d/system-auth and passwd in the original post, but can resend if required.

Sorry if this isn't much help, but I really haven't got a clue where to look next.

Thanks,
S
Re: [Cooker] Re2: pam_ldap-164-1mdk - bug report
magic wrote:
> Florin wrote:
> > Howdi,
> > Simply send me an email and explain what's going on ... and I will try to fix the problem
> > cheers,
>
> I have everything set to auth against pam (including saslauthd), which should be pretty normal. (I used the ldap guide from mandrakesecure as a guide.)
>
> Prior to 164-1 being added to cooker, I was using 161-2 (currently I've had to downgrade to 161-1.1 from mdk91 updates) and it is working without issue.
>
> I have a few user accounts that exist as both a system user and an ldap user. Currently (using 161-1.1) when I use /usr/bin/passwd to change the password of one of these users, the ldap password is updated (not the password stored in /etc/shadow), which is correct behavior (as I believe).
>
> When I updated pam_ldap to 164-1 and tried to change passwords, the system password is changed, and the ldap password is not (incorrect behavior). I did not see anything logged to syslog about the failure (and actually passwd didn't fail); it's just that the ldap password was not updated.
>
> Of note, 161-1.1 works with either version of nss_ldap (204-1.1 and 207-1). I have had no issues with nss_ldap.
>
> I posted /etc/pam.d/system-auth and passwd in the original post, but can resend if required.
>
> Sorry if this isn't much help, but I really haven't got a clue where to look next.

Can you please try changing your password lines in /etc/pam.d/system-auth to use use_first_pass as an option to pam_ldap?

If this does not work, please also try changing the order of the pam_unix and pam_ldap password lines. If this does change the behaviour, it may mean pam_ldap isn't reading /etc/pam.d/passwd correctly.

Regards,
Buchan

--
|--Another happy Mandrake Club member--|
Buchan Milne                    Mechanical Engineer, Network Manager
Cellphone * Work                +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering             http://www.cae.co.za
GPG Key                         http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
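Buchan's suggestion to swap the pam_unix and pam_ldap `password` lines comes down to how Linux-PAM walks a stack: a `sufficient` module that succeeds ends the stack at once (unless an earlier `required` module already failed), so whichever backend is listed first and recognises the user is the only one that stores the new password. The following is an added example, not code from this thread or from the pam_ldap project: a small Python model of `password` stack evaluation as documented in pam.conf(5), run over the two files Scott posted. The backend map (which module knows which user), the user names, and the stubbed behaviour of pam_cracklib and pam_deny are constructed assumptions; the return codes of the real modules depend on the directory and on /etc/shadow.

```python
"""Model of how Linux-PAM walks a `password` stack (added example, not pam_ldap code).

Control flags as documented in pam.conf(5):
  required   - a failure is recorded, but the rest of the stack still runs
  requisite  - a failure ends the stack at once
  sufficient - a success ends the stack at once unless a `required` module
               already failed; a failure is ignored
  optional   - ignored here (it only matters when it is the sole module)
Module behaviour is stubbed: a backend module succeeds only for users it knows,
pam_deny always fails, anything else (pam_cracklib here) always succeeds.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# The two files posted in the bug report earlier in this thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required    /lib/security/pam_env.so
auth        sufficient  /lib/security/pam_unix.so likeauth nullok
auth        sufficient  /lib/security/pam_ldap.so use_first_pass
auth        required    /lib/security/pam_deny.so
account     required    /lib/security/pam_unix.so
account     sufficient  /lib/security/pam_ldap.so
password    required    /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0 ucredit=0
password    sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient  /lib/security/pam_ldap.so use_authtok
password    required    /lib/security/pam_deny.so
session     required    /lib/security/pam_limits.so
session     required    /lib/security/pam_unix.so
"""

PASSWD_SERVICE = """\
#%PAM-1.0
auth        sufficient  /lib/security/pam_ldap.so
auth        required    /lib/security/pam_pwdb.so shadow nullok
account     sufficient  /lib/security/pam_ldap.so
account     required    /lib/security/pam_pwdb.so
password    required    /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
password    sufficient  /lib/security/pam_ldap.so use_authtok
password    required    /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
"""

# Constructed assumption: which backend can change which user's password.
# "scott" is in both /etc/shadow and LDAP (the case in the thread), "alice"
# only local, "bob" only in LDAP. pam_unix and pam_pwdb both act on the local
# shadow file, so they share one user set.
LOCAL_USERS = frozenset({"alice", "scott"})
LDAP_USERS = frozenset({"bob", "scott"})
BACKENDS = {
    "pam_unix.so": LOCAL_USERS,
    "pam_pwdb.so": LOCAL_USERS,
    "pam_ldap.so": LDAP_USERS,
}


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # basename, e.g. "pam_ldap.so"
    args: tuple


def parse_stack(text, mtype="password"):
    """Return the entries of one module type from a pam.d-style file."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != mtype:
            continue
        entries.append(Entry(fields[1], fields[2].rsplit("/", 1)[-1], tuple(fields[3:])))
    return entries


def call_module(entry, user, backends):
    """Stubbed return code of one module (see module docstring)."""
    if entry.module == "pam_deny.so":
        return PAM_PERM_DENIED
    if entry.module in backends:
        return PAM_SUCCESS if user in backends[entry.module] else PAM_USER_UNKNOWN
    return PAM_SUCCESS


def run_stack(entries, user, backends=BACKENDS):
    """Walk the stack; return (overall result, backends that changed the token)."""
    changed = []
    first_required_failure = None
    for entry in entries:
        rc = call_module(entry, user, backends)
        if rc == PAM_SUCCESS and entry.module in backends:
            changed.append(entry.module)
        if entry.control == "sufficient":
            if rc == PAM_SUCCESS and first_required_failure is None:
                break  # later lines, pam_ldap included, are never consulted
        elif entry.control == "requisite":
            if rc != PAM_SUCCESS:
                return rc, changed
        elif entry.control == "required":
            if rc != PAM_SUCCESS and first_required_failure is None:
                first_required_failure = rc
    return (first_required_failure or PAM_SUCCESS), changed


def backend_that_changes(stack_text, user):
    """Which backend(s) end up storing the new password for `user`."""
    return run_stack(parse_stack(stack_text), user)[1]


if __name__ == "__main__":
    for name, text in (("system-auth", SYSTEM_AUTH), ("passwd", PASSWD_SERVICE)):
        for user in ("scott", "alice", "bob", "carol"):
            print(f"{name:11} {user:5} -> {run_stack(parse_stack(text), user)}")
```

Run as a script it prints the outcome for each user against both files. The point to take from it: when the file that lists pam_unix before pam_ldap is the one consulted, a user present in both /etc/shadow and the directory gets only the local password changed, which matches the symptom Scott reports, and swapping the two `sufficient` lines reverses that. With pam_ldap first, as in the posted /etc/pam.d/passwd, the same user gets only the LDAP password changed. The model does not settle the thread's actual question (why 164-1mdk behaves differently from 161 with unchanged files); it only shows what line order alone does.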
Re: [Cooker] Re2: pam_ldap-164-1mdk - bug report
Florin wrote:

Howdi,

Simply send me an email and explain what's going on ... and I will try to fix the problem

cheers,

[EMAIL PROTECTED] (magic) writes:
> Buchan Milne wrote:
> > Scott, please file a bug on this so we can track it.
>
> I would love to, but same old story...
>
> I haven't been able to file a bug report through bugzilla @ qa.mandrakesoft.com for over 8 months now, with several messages sent to [EMAIL PROTECTED], warly, as well as copying to the cooker list (hoping to get someone's attention) - oh, well...
> [...]