Public bug reported:

Hi,

1) Test system

My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been
fully patched.

libnss-ldap and dependencies have then been installed with Synaptic
package manager using the local administrator account created during
installation of Ubuntu.

/etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP
server running on the local network, using ldaps://server:port
nomenclature.

The self-signed certificate from the OpenDJ server has been exported as
a PEM encoded file and saved on the test Ubuntu client at
/usr/share/ca-certificates/server.pem. The file has been made world readable.

In /etc/ldap.conf the certificate has been pointed to accordingly:

TLS_CACERTFILE /usr/share/ca-certificates/server.pem

A dedicated bind account has been created in the LDAP server and this
has been specified in /etc/ldap.conf, with the bind password recorded at
/etc/ldap.secret.

PAM configuration files at /etc/pam.d have been modified to contain the
following, in the order common-account, common-auth, common-password and
common-session:

account     sufficient    pam_ldap.so
account     required      pam_unix.so

auth        sufficient    pam_ldap.so
auth        required      pam_unix.so nullok_secure use_first_pass

password    sufficient    pam_ldap.so nullok
password    required      pam_unix.so nullok obscure min=4 max=8 md5

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_unix.so
session     optional      pam_ldap.so


/etc/nsswitch.conf has been modified accordingly to contain the following 
information:

passwd:       files ldap
group:        files ldap
shadow:       files ldap

LDAP users can log in to the client successfully, and home directories
are created automatically. In LDAP, my test user accounts have been
assigned the gidNumber attribute value of 119 (admin).


2) What I expect to happen

As local administrator (note *not* as an LDAP user), I expect to be able
to launch a Gnome application such as Ubuntu Software Center and have
Policykit validate my credentials correctly such that I can install or
remove applications (or otherwise perform administrative tasks).

3) What happened instead

Logging in to the system as a local administrator, I can launch Ubuntu
Software Center. Upon (for example) attempting to install an
application, I am prompted for my credentials. I enter these (the same
credentials used to log into the system), but they are rejected with an
"Authentication Failure" error.


4) Additional information

Using my Virtualbox host with a combination of snapshots, I have
determined that this oddity appears specifically in this scenario when
secure LDAP is configured on the client. If I modify /etc/ldap.conf and
use plain LDAP, i.e. an insecure connection to my OpenDJ server without
a certificate, then logged in to the test client as a local
administrator I can successfully authenticate to Ubuntu Software Center.

In either scenario, using Synaptic with the same credentials as local
administrator poses no problem.


Policykit version details:

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.96-2ubuntu0.1
  Candidate: 0.96-2ubuntu0.1
  Version table:
 *** 0.96-2ubuntu0.1 0
        500 http://nz.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.96-2 0
        500 http://nz.archive.ubuntu.com/ubuntu/ lucid/main Packages

** Affects: policykit-1 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/892480

Title:
  PAM with LDAPS breaks authentication via Policykit to Gnome
  applications as local administrator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/892480/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
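The report above hinges on two files whose permissions matter for a pam_ldap / libnss-ldap client: the CA certificate must be readable by every process that performs an NSS or PAM lookup (including unprivileged ones, or TLS validation fails for them), while the bind password in /etc/ldap.secret must be readable by root only. The following audit script is an added example written for this page, not code from the bug report or from the libnss-ldap package. It assumes the file layout described in the report (a single /etc/ldap.conf with `uri` and `TLS_CACERTFILE` lines, and /etc/ldap.secret), GNU coreutils `stat -c`, and takes both paths as arguments so it can be run against a fixture directory rather than the live system.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit a pam_ldap/libnss-ldap
# client configuration for the TLS and secret-file pitfalls discussed above.
#
# Usage: audit_ldap_client LDAP_CONF LDAP_SECRET
# Prints one line per finding; the return value is the number of findings
# (0 means the layout looks sound). Assumes GNU stat (-c %a).
audit_ldap_client() {
    conf=$1
    secret=$2
    findings=0

    # 1. Transport: a plain ldap:// URI (or none) sends the bind password and
    #    every user's password in the clear on the local network.
    uri=$(awk 'tolower($1)=="uri"{print $2; exit}' "$conf")
    case "$uri" in
        ldaps://*) ;;
        *)
            echo "FINDING: uri is '${uri:-unset}'; bind and user passwords travel unencrypted"
            findings=$((findings+1)) ;;
    esac

    # 2. CA certificate: without it the server certificate cannot be validated;
    #    with it, it must be world-readable because NSS lookups happen in
    #    unprivileged processes as well as in root-owned helpers.
    cafile=$(awk 'tolower($1)=="tls_cacertfile"{print $2; exit}' "$conf")
    if [ -z "$cafile" ]; then
        echo "FINDING: no TLS_CACERTFILE in $conf; the server certificate will not be validated"
        findings=$((findings+1))
    elif [ ! -f "$cafile" ]; then
        echo "FINDING: TLS_CACERTFILE $cafile does not exist"
        findings=$((findings+1))
    else
        perm=$(stat -c %a "$cafile")
        case "$perm" in
            *[4567]) ;;   # 'other' read bit set
            *)
                echo "FINDING: $cafile mode $perm is not world-readable; unprivileged lookups will fail TLS validation"
                findings=$((findings+1)) ;;
        esac
        if ! grep -q 'BEGIN CERTIFICATE' "$cafile"; then
            echo "FINDING: $cafile contains no PEM certificate block"
            findings=$((findings+1))
        fi
    fi

    # 3. Bind password: anything beyond owner read/write leaks the bind DN's
    #    credential to every local user.
    if [ -f "$secret" ]; then
        sperm=$(stat -c %a "$secret")
        case "$sperm" in
            600|400) ;;
            *)
                echo "FINDING: $secret mode $sperm exposes the bind password"
                findings=$((findings+1)) ;;
        esac
    fi

    return "$findings"
}

# Run against the paths given on the command line, e.g.
#   sh audit_ldap_client.sh /etc/ldap.conf /etc/ldap.secret
if [ $# -gt 0 ]; then
    audit_ldap_client "$1" "${2:-/etc/ldap.secret}"
fi
```

The checks are deliberately conservative: a world-readable CA file is correct and expected (it holds only a public certificate), whereas the same mode on the secret file is the finding. Running the script as an unprivileged user is a reasonable approximation of what polkit's per-user authentication agent sees when pam_ldap is loaded on its behalf.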
