Running "auth-client-config -p lac_ldap" gives error (2)

Bug #295008 reported by PaulSchulz
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
auth-client-config (Ubuntu) | Won't Fix | Undecided | Unassigned |
ldap-auth-client (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

In: Ubuntu intrepid 8.10 (auth-client-config 0.9)

The following error is displayed when running the "auth-client-config" tool with the ldap
profiles as distributed.
-------------------------------------------------
auth-client-config -a -p lac_ldap
Error in updating the file: 'pam_account' not found
--
Errors found. Aborting (no changes made)

------------------------------------------------

This appears to be because the file '/etc/auth-client-config/profile.d/ldap-auth-config' is now missing entries to configure pam files.

This used to work on 8.04.

Work-around: Copy the previous profile file from Ubuntu 8.04. (auth-client-config 0.6.1)

.. in addition.. (should I raise another bug on this?)
to get LDAP client authentication working properly I also had to edit
/etc/ldap.conf manually and set the following parameters:

  nss_base_passwd
  nss_base_shadow
  nss_base_group

.. then it worked.

PaulSchulz (paulschulz) wrote :

The missing lines are:
---------------------------------
pam_auth=auth sufficient pam_ldap.so
 auth required pam_unix.so nullok_secure use_first_pass
pam_account=account sufficient pam_ldap.so
 account required pam_unix.so
pam_password=password sufficient pam_ldap.so
 password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
 session required pam_mkhomedir.so skel=/etc/skel/
 session optional pam_ldap.so
 session optional pam_foreground.so

Jamie Strandboge (jdstrand) wrote :

This is not a bug in auth-client-config. ldap-auth-config supplies the lac_ldap profile. ldap-auth-config now utilizes the new pam_auth_update framework, which is why there are no pam entries in the file. It does still ship an NSS profile, which can be used by auth-client-config like so:
$ sudo auth-client-config -t nss -p lac_ldap

PaulSchulz (paulschulz) wrote :

Hi Jamie, thanks for that..

So my question is then:
- What is now the 'correct' way of adding these lines to my PAM configuration
  (given that auth-client-config no longer does this)?
- I still need to manually update the nss_base_ options in /etc/ldap.conf
  Shouldn't this be managed by debconf?

Are you aware of whether these questions are being addressed?
I would like to make hooking into an LDAP authentication server something that
is really easy to do...

John Florian (j100) wrote :

Paul,

I'm no expert on this, but digging through the changelogs, it appears that this is now a two step process. The first step is to update NSS as Jamie showed above. The second step is to update PAM, which it looks like you can do via:
$ sudo pam-auth-update ldap

HTH

tavasti (tavasti) wrote :

This bug is also in Lucid (10.04).

gmarcon (gmarcon) wrote :

Same bug in Ubuntu 11.04 (natty)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in auth-client-config (Ubuntu):
status: New → Confirmed
Changed in ldap-auth-client (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

This is not a bug in auth-client-config. It is being called as:
$ auth-client-config -a -p lac_ldap

However, /etc/auth-client-config/profile.d/ldap-auth-config does not contain any PAM entries, only nss. The '-a' option is meant to apply 'all types', i.e., 'nss' and 'pam_*'. When the types aren't present, then use -t <type>. E.g.:
$ auth-client-config -p lac_ldap -t nss

Changed in auth-client-config (Ubuntu):
status: Confirmed → Won't Fix
Changed in ldap-auth-client (Ubuntu):
status: Confirmed → Invalid
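
An added example, not part of the thread and not auth-client-config's own code: a check of which types a profile defines, so you can tell before running the tool whether `-a` will abort as described above. It assumes the profile is an INI-style file with a `[lac_ldap]` section and `nss_*` keys; both sample profiles are constructed, and the function names are hypothetical.

```python
import configparser

# PAM keys as quoted in the thread; treating these four as the full set
# that -a expects is an assumption.
PAM_KEYS = ("pam_auth", "pam_account", "pam_password", "pam_session")

# Constructed sample: an NSS-only profile like the one described for 8.10.
# The [lac_ldap] header and the nss_* lines are assumed, not from the page.
NSS_ONLY = """\
[lac_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
"""

# Constructed sample: the same profile plus PAM lines from the thread
# (session list shortened). Indented lines continue the previous value.
WITH_PAM = NSS_ONLY + """\
pam_auth=auth sufficient pam_ldap.so
 auth required pam_unix.so nullok_secure use_first_pass
pam_account=account sufficient pam_ldap.so
 account required pam_unix.so
pam_password=password sufficient pam_ldap.so
 password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
 session optional pam_ldap.so
"""

def profile_types(text, profile):
    """Return (has_nss, missing_pam_keys) for one profile section."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    if not cp.has_section(profile):
        raise KeyError("profile %r not found" % profile)
    keys = set(cp.options(profile))
    has_nss = any(k.startswith("nss_") for k in keys)
    missing_pam = [k for k in PAM_KEYS if k not in keys]
    return has_nss, missing_pam

def suggest_args(text, profile):
    """Suggest auth-client-config arguments that match what the profile has."""
    has_nss, missing_pam = profile_types(text, profile)
    if has_nss and not missing_pam:
        return ["-a", "-p", profile]         # every type present
    if has_nss:
        return ["-t", "nss", "-p", profile]  # NSS only; PAM is handled elsewhere
    return []                                # nothing this tool can apply
```

To check a real profile, pass the contents of the file under /etc/auth-client-config/profile.d/ as `text`.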