Bug#700971: nslcd mangles config file upon update

2013-02-19 Thread Mark Cunningham
Package: nslcd
Version: 0.7.15+squeeze3
Severity: grave

This may be related/the same as #696445. I didn't want to hijack the
thread with an unrelated bug just in case. I do believe this (and the
other bug) should be tagged as grave. This essentially locks you out
of ssh (if you rely on a user within ldap) upon next nslcd
restart/reboot. Depending on your setup (remote/cloud etc), this can
effectively render your machine useless.


This may have existed for a while and not be related to the recent
update. I thought someone was screwing with nslcd.conf and not telling
me when they realised it broke but it was probably updating that did
it.

Originally:
nslcd: 0.7.15+squeeze2
file: nslcd.orig

After installing
nslcd: 0.7.15+squeeze3
file nslcd.conf

diff nslcd.*
16c16
< base ou=groups,dc=example,dc=com
---
> base ou=users,ou=users,dc=example,dc=com

I'm attaching md5sums so you can validate you have exact copies.

33a27616d645dba2309cc2747f29e400  nslcd.conf
cfc79d3f9958a994ff6a302b5e894976  nslcd.orig



Bug#700971: nslcd mangles config file upon update

2013-02-20 Thread Arthur de Jong
On Tue, 2013-02-19 at 21:29 +, Mark Cunningham wrote:
> Originally:
> nslcd: 0.7.15+squeeze2
> file: nslcd.orig
> 
> After installing
> nslcd: 0.7.15+squeeze3
> file nslcd.conf
> 
> diff nslcd.*
> 16c16
> < base ou=groups,dc=example,dc=com
> ---
> > base ou=users,ou=users,dc=example,dc=com

Thanks, this provides some information to go on. Do you happen to have
information from debconf after and perhaps before the upgrade? The
configuration can be dumped with:
  debconf-show nslcd

If you don't have a backup of /var/cache/debconf/ it could be that a
config.dat-old file is present with different information. Do you
remember if there were any debconf prompts during the upgrade?

Thanks,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --




Bug#700971: nslcd mangles config file upon update

2013-02-20 Thread Mark Cunningham
Before install, I get the defaults I configured when I installed the
package. I set these to non-used variables and created the nslcd.conf
myself.

* nslcd/ldap-bindpw: (password omitted)
* nslcd/ldap-starttls: false
* nslcd/ldap-base:  dc=example,dc=net/
* nslcd/ldap-reqcert:
* nslcd/ldap-uris:  ldap://127.0.0.1/
* nslcd/ldap-binddn:

And after

* nslcd/ldap-bindpw: (password omitted)
* nslcd/ldap-starttls: false
* nslcd/ldap-base: ou=groups,dc=example,dc=com
* nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://ldap.example.com
* nslcd/ldap-binddn: cn=nslcd,ou=ldapclient1,ou=machines,dc=example,dc=com


If I understand the process, are Debian scripts actually parsing out
options that you've configured and attempting to regenerate the config
file? Should it not be done the same as any other package with a
changed config file? You're prompted to install the package
maintainer's version or keep your own and have the ability of doing a
diff. Not to mention there doesn't actually seem to be any changes
needed in this case. Why even attempt to mess with the config file at
all?

Mark



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#700971: nslcd mangles config file upon update

2013-02-22 Thread Arthur de Jong
Control: fixed -1 0.8.5
Control: tags -1 + patch

On Thu, 2013-02-21 at 01:09 +, Mark Cunningham wrote:
> Before install, I get the defaults I configured when I installed the
> package. I set these to non-used variables and created the nslcd.conf
> myself.

I've been able to find the problem: the package configuration scripts
don't do the modifications properly when an option is specified multiple
times in nslcd.conf. This is allowed for the base keyword.

When reading the configuration file, the last value from the
configuration file is used but when writing back the changes the first
option is replaced. This was fixed in 0.8.5 to both read and write the
first option only which means the configuration should no longer be
mangled in those cases (debconf configuration still doesn't support
configuring with multiple base options though).

The change that went into 0.8.5 is here:
  http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1567&view=revision
Attached is a patch which has basically the same change for
0.7.15+squeeze3. Also, the 0.8 packaging has been updated to be more
robust in parsing and writing the configuration.

Btw, in nslcd.conf you currently have:
  base ou=users,ou=users,dc=example,dc=com
  base ou=groups,dc=example,dc=com
while this is probably what is meant:
  base passwd ou=users,ou=users,dc=example,dc=com
  base group ou=groups,dc=example,dc=com

This way is more efficient because if you have two base statements two
searches are always performed.

> If I understand the process, are Debian scripts actually parsing out
> options that you've configured and attempting to regenerate the config
> file?

Yes. The package tries to guess reasonable defaults during installation
(e.g. if libnss_ldap was installed before, look in DNS for a likely
search base, etc.). The package also supports managing most common
configurations with:
  dpkg-reconfigure nslcd
The package also supports pre-seeding (setting site-wide defaults for
automated installation).

If a configuration file is already in place it should take the values of
the configuration file instead of using pre-seeded or guessed values.

> Should it not be done the same as any other package with a changed
> config file? You're prompted to install the package maintainer's
> version or keep your own and have the ability of doing a diff. Not to
> mention there doesn't actually seem to be any changes needed in this
> case. Why even attempt to mess with the config file at all?

It is a little more complicated than that. When managing configuration
files as described you will not get prompts to install the maintainer's
version (the two mechanisms are mutually exclusive).

Hope this clarifies a few things. Thanks for the bug report and
providing the detailed information that made it possible to track down
this issue. I will try to get this into an update for squeeze if
possible.

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --

Property changes on: .
___
Modified: svn:mergeinfo
   Merged /nss-pam-ldapd:r1566

Index: debian/nslcd.config
===
--- debian/nslcd.config	(revision 1926)
+++ debian/nslcd.config	(working copy)
@@ -78,7 +78,7 @@
 if [ -z "$uris" ]
 then
   hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"`
-  port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | tail -n 1`
+  port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | head -n 1`
   for host in $hosts
   do
 if [ -z "$port" ] || (echo "$host" | grep -q ':' )
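Review bot: In the `port=` line, `head -n 1` now selects the first `port` entry, but the `hosts=` line just above it still collects every `host` entry, so that single port is applied to all hosts in the loop; a short comment saying that only the first `port` line is honoured would make the intent explicit. Both expressions also use `[[:space:]]*` after the keyword, which lets any line that merely begins with `host` or `port` match; requiring at least one whitespace character would tighten the match.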
@@ -95,21 +95,21 @@
   db_get nslcd/ldap-base
   if [ -z "$RET" ]
   then
-searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
+searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1`
 [ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase"
   fi
   # find binddn
   db_get nslcd/ldap-binddn
   if [ -z "$RET" ]
   then
-binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1`
+binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | head -n 1`
 db_set nslcd/ldap-binddn "$binddn"
   fi
   # find bindpw
   db_get nslcd/ldap-bindpw
   if [ -z "$RET" ]
   then
-bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1`
+bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | head -n 1`
 db_set nslcd/ldap-bindpw "$bindpw"
   fi
   # check ssl option
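Review bot: The `searchbase=` expression only accepts a `base` line with a single whitespace-free value, so with `head -n 1` a first `base` line whose DN contains a space is skipped silently and the next matching line is stored in debconf instead. Because the fix depends on the reader and the writer agreeing on the first occurrence, it would help to say so in a comment here and to confirm that the code which writes `nslcd/ldap-base` back to the file (not part of this diff) uses the same match.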
@@ -128,7 +128,7 @@
   db_get nslcd/ldap-reqcert
   if [ -z "$RET" ]
   then
-reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
+reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | head -n 1`
 # normalise value
 reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/;s/^hard$/demand/'`
 [ -
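Review bot: In the `reqcert=` line the pattern matches both `tls_reqcert` and `tls_checkpeer`, so after the switch to `head -n 1` whichever of the two appears first in the file decides the stored value. A file with `tls_checkpeer no` above `tls_reqcert demand` would be recorded as `never` after the normalisation step; consider preferring `tls_reqcert` when both are present, or documenting that the first line wins, since this setting controls certificate checking.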

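The read/write mismatch described in the 2013-02-22 message, reproduced as an added example that is not part of the original thread or of the package's scripts. The reader uses the patch's sed expression for `base` (without the case-insensitive flag, for portability); `write_first_base` and `simulate_upgrade` are hypothetical stand-ins for the postinst writer and the upgrade, and the sample file is constructed from the two `base` lines quoted in the thread.

```shell
#!/bin/sh
# Added illustration: read the "base" option the way debian/nslcd.config does,
# then write it back over the first occurrence, as the thread says the
# package's writer does.

# $1 = config file, $2 = "tail" (0.7.15+squeeze3) or "head" (patched)
read_base() {
  sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' "$1" | "$2" -n 1
}

# Hypothetical stand-in for the writer: replace only the first plain
# "base <dn>" line with the value held in debconf.
write_first_base() {
  awk -v new="$2" '
    !seen && tolower($1) == "base" && NF == 2 { print "base " new; seen = 1; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# $1 = "tail" or "head"; prints the base lines left after one upgrade run.
simulate_upgrade() {
  f=$(mktemp)
  # Constructed sample: the two base lines quoted in the thread.
  printf '%s\n' \
    'uri ldap://ldap.example.com' \
    'base ou=users,ou=users,dc=example,dc=com' \
    'base ou=groups,dc=example,dc=com' > "$f"
  value=$(read_base "$f" "$1")     # value stored in nslcd/ldap-base
  write_first_base "$f" "$value"   # value written back to nslcd.conf
  grep '^base' "$f"
  rm -f "$f"
}

echo "reader uses tail -n 1 (unpatched):"
simulate_upgrade tail
echo "reader uses head -n 1 (patched):"
simulate_upgrade head
```

With `tail`, the users search base is overwritten by the groups one, which is the change shown in the reporter's diff; with `head`, the file comes back unchanged.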
Processed: Re: Bug#700971: nslcd mangles config file upon update

2013-02-22 Thread Debian Bug Tracking System
Processing control commands:

> fixed -1 0.8.5
Bug #700971 [nslcd] nslcd mangles config file upon update
Marked as fixed in versions nss-pam-ldapd/0.8.5.
> tags -1 + patch
Bug #700971 [nslcd] nslcd mangles config file upon update
Added tag(s) patch.

-- 
700971: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

