Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-08-27 Thread Arthur de Jong
On Fri, 2022-02-18 at 19:11 -0800, Ryan Tandy wrote:
> I removed "pwdMustChange: TRUE" from the policy and then the tests 
> passed. Not sure if this is the correct fix, but at least I don't 
> currently see anything in test_pamcmds.expect that would be expecting
> a forced reset?

Applying this change makes the autopkgtest pass again (this change has
just been merged in Git). That means that the expected functionality of
nss-pam-ldapd is tested properly.

The tests currently don't test the forced password reset by the user
functionality (presence of pwdReset on a user account) and it seems
that the exact behaviour differs between LDAP server implementations (the
password policy controls differ and the return code of the BIND
operation may also differ).

It seems that currently nslcd (default configuration) rejects the login
if a password change is needed on OpenLDAP 2.5. This can be worked
around by setting "pam_authc_search NONE" in nslcd.conf which should
not cause issues with most OpenLDAP LDAP servers.

I plan to upload a new version of the package soon. If anyone has any
concerns regarding e.g. insufficient testing of the above use case,
please let me know.

Kind regards,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --


Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-05-27 Thread Petter Reinholdtsen
[Salvatore Bonaccorso 2022-04-25]
> Are there any news on this bug? nss-pam-ldapd is currently hinted for
> removal from testing due to this bug (not happened yet though).

Today the debian-fbx and kwartz-client packages were removed from testing
because they depend on nss-pam-ldapd, due to the latter's RC issue.  Any
hope to have a fixed version of nss-pam-ldapd in unstable soon?
-- 
Happy hacking
Petter Reinholdtsen



Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-04-25 Thread Salvatore Bonaccorso
Hi Arthur,

On Fri, Feb 18, 2022 at 07:11:24PM -0800, Ryan Tandy wrote:
> Hi Arthur,
> 
> sorry for the long delayed followup.
> 
> On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
> > > However the test_pamcmds script fails with the new version. The login
> > > with the correct password fails, the issue seems to be (from
> > > nslcd.log):
> > > 
> > > nslcd: [a88611]  DEBUG: got 
> > > LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > > nslcd: [a88611]  DEBUG: 
> > > myldap_search(base="cn=Veronica 
> > > Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", 
> > > filter="(objectClass=*)")
> > > nslcd: [a88611]  ldap_result() failed: Insufficient 
> > > access: Operations are restricted to bind/unbind/abandon/StartTLS/modify 
> > > password
> > > 
> > > Still looking into it, not sure why the new ppolicy wants the
> > > password changed after it was just reset earlier.
> > 
> > Do you know at which step this failed in the test_pamcmds test? In
> > general I found ppolicy controls during authentication to be somewhat
> > confusing, especially when a password was about to expire or needed to
> > be changed.
> 
> It failed on "testing correct password".
> 
> I think the behaviour change is due to ITS#7084:
> 
> https://bugs.openldap.org/show_bug.cgi?id=7084
> https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8
> 
> With OpenLDAP 2.5, when the user's password is changed in reset_password(),
> they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE
> and the change is done by the administrator. Exactly like you said, the bind
> succeeds but then the search is not permitted. I can't remember whether
> nss-pam-ldapd is supposed to show a "password must be changed now" prompt in
> this case?
> 
> With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding.  I
> think the user is forced to change their password only if pwdMustChange and
> pwdReset are both set.
> 
> I removed "pwdMustChange: TRUE" from the policy and then the tests passed.
> Not sure if this is the correct fix, but at least I don't currently see
> anything in test_pamcmds.expect that would be expecting a forced reset?

Are there any news on this bug? nss-pam-ldapd is currently hinted for
removal from testing due to this bug (not happened yet though).

Regards,
Salvatore
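The LDAP_CONTROL_PASSWORDPOLICYRESPONSE that nslcd logged above (and that Arthur's message describes as differing between servers) is a small BER structure. As an added example, not nslcd's or OpenLDAP's code, this Python decoder parses it and flags the changeAfterReset error that OpenLDAP 2.5 returns on a successful bind once pwdReset: TRUE is on the entry; the control OID and enumerated values come from the password-policy draft, and the sample byte strings are constructed.

```python
"""Decode the LDAP Password Policy response control (draft-behera-ldap-password-policy).

Added example for this bug thread; not nss-pam-ldapd or OpenLDAP code.
The byte strings at the bottom are constructed samples.
"""

# Control OID that nslcd reports as LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values from the draft; 2 is what OpenLDAP renders as
# "Password must be changed", the text seen in the nslcd debug log above.
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
# Implicit context tags used inside warning [0] CHOICE.
WARNING_TYPES = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; short-form lengths only (all this control uses)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not expected in ppolicy control")
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end


def decode_ppolicy_response(value: bytes) -> dict:
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, constructed, implicit inner tags
            wtag, wval, _ = _tlv(inner, 0)
            result["warning"] = (WARNING_TYPES[wtag], int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED, primitive
            result["error"] = PPOLICY_ERRORS.get(inner[0], f"unknown({inner[0]})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in ppolicy control")
    return result


def must_change_password(value: bytes) -> bool:
    """True when the server signalled changeAfterReset (the pwdReset case in this bug)."""
    return decode_ppolicy_response(value)["error"] == "changeAfterReset"


# Constructed: SEQUENCE { error changeAfterReset(2) }
RESET_CONTROL = bytes.fromhex("30 03 81 01 02")
# Constructed: SEQUENCE { warning timeBeforeExpiration 3600 }
EXPIRY_WARNING = bytes.fromhex("30 06 a0 04 80 02 0e 10")
# Constructed: SEQUENCE { warning graceAuthNsRemaining 2, error changeAfterReset(2) }
GRACE_AND_RESET = bytes.fromhex("30 08 a0 03 81 01 02 81 01 02")
```

A client that sees changeAfterReset after a successful bind knows that any follow-up search on the user's own connection will be refused, which is the failure the nslcd log shows and the reason `pam_authc_search NONE` avoids it.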