2014-01-17 11:08:57 |
Gabriel |
bug |
|
|
added bug |
2014-01-17 11:10:30 |
Gabriel |
tags |
|
ldap |
|
2014-01-22 17:04:21 |
Giulio Turetta |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735670 |
|
2014-01-22 17:04:21 |
Giulio Turetta |
bug task added |
|
lightdm (Debian) |
|
2014-01-22 17:05:54 |
Gabriel |
lightdm: status |
New |
Confirmed |
|
2014-01-22 17:11:45 |
Giulio Turetta |
bug |
|
|
added subscriber Yves-Alexis Perez |
2014-01-22 17:22:42 |
Gabriel |
information type |
Public |
Private |
|
2014-01-22 17:26:16 |
Gabriel |
removed subscriber Yves-Alexis Perez |
|
|
|
2014-01-22 17:26:16 |
Gabriel |
removed subscriber Giulio Turetta |
|
|
|
2014-01-22 17:32:02 |
Bug Watch Updater |
lightdm (Debian): status |
Unknown |
Confirmed |
|
2014-01-22 23:51:27 |
William Grant |
removed subscriber Launchpad Debian Maintainers |
|
|
|
2014-01-24 09:35:46 |
Gabriel |
bug |
|
|
added subscriber Giulio Turetta |
2014-01-24 09:50:27 |
Giulio Turetta |
bug |
|
|
added subscriber Yves-Alexis Perez |
2014-01-24 11:34:29 |
Giulio Turetta |
attachment added |
|
patch file for Wheezy https://bugs.launchpad.net/lightdm/+bug/1270118/+attachment/3955811/+files/05_fix-for-ldap.patch |
|
2014-01-27 13:06:00 |
Sebastien Bacher |
lightdm: assignee |
|
Robert Ancell (robert-ancell) |
|
2014-02-03 04:57:51 |
Bug Watch Updater |
lightdm (Debian): status |
Confirmed |
Fix Released |
|
2014-02-06 09:29:31 |
Robert Ancell |
bug task added |
|
lightdm (Ubuntu) |
|
2014-02-06 09:29:38 |
Robert Ancell |
lightdm (Ubuntu): status |
New |
Triaged |
|
2014-02-06 09:29:41 |
Robert Ancell |
lightdm (Ubuntu): importance |
Undecided |
Medium |
|
2014-02-06 09:29:42 |
Robert Ancell |
lightdm: importance |
Undecided |
Medium |
|
2014-02-06 09:29:44 |
Robert Ancell |
lightdm: status |
Confirmed |
Triaged |
|
2014-02-06 09:31:54 |
Robert Ancell |
nominated for series |
|
Ubuntu Precise |
|
2014-02-06 09:31:54 |
Robert Ancell |
bug task added |
|
lightdm (Ubuntu Precise) |
|
2014-02-06 09:31:54 |
Robert Ancell |
nominated for series |
|
Ubuntu Saucy |
|
2014-02-06 09:31:54 |
Robert Ancell |
bug task added |
|
lightdm (Ubuntu Saucy) |
|
2014-02-06 14:31:00 |
Robert Ancell |
bug |
|
|
added subscriber Seth Arnold |
2014-02-06 14:31:13 |
Robert Ancell |
bug |
|
|
added subscriber Steve Beattie |
2014-02-06 14:43:11 |
Robert Ancell |
information type |
Private |
Public |
|
2014-02-06 14:52:55 |
Robert Ancell |
nominated for series |
|
lightdm/1.2 |
|
2014-02-06 14:52:55 |
Robert Ancell |
bug task added |
|
lightdm/1.2 |
|
2014-02-06 14:52:55 |
Robert Ancell |
nominated for series |
|
lightdm/1.8 |
|
2014-02-06 14:52:55 |
Robert Ancell |
bug task added |
|
lightdm/1.8 |
|
2014-02-06 14:52:55 |
Robert Ancell |
nominated for series |
|
lightdm/1.4 |
|
2014-02-06 14:52:55 |
Robert Ancell |
bug task added |
|
lightdm/1.4 |
|
2014-02-06 14:53:06 |
Robert Ancell |
lightdm/1.2: status |
New |
Triaged |
|
2014-02-06 14:53:08 |
Robert Ancell |
lightdm/1.4: status |
New |
Triaged |
|
2014-02-06 14:53:12 |
Robert Ancell |
lightdm/1.2: importance |
Undecided |
Medium |
|
2014-02-06 14:53:15 |
Robert Ancell |
lightdm/1.8: importance |
Undecided |
Medium |
|
2014-02-06 14:53:19 |
Robert Ancell |
lightdm (Ubuntu Precise): importance |
Undecided |
Medium |
|
2014-02-06 14:53:25 |
Robert Ancell |
lightdm (Ubuntu Saucy): status |
New |
Triaged |
|
2014-02-06 14:53:28 |
Robert Ancell |
lightdm (Ubuntu Saucy): importance |
Undecided |
Medium |
|
2014-02-06 14:53:31 |
Robert Ancell |
lightdm (Ubuntu Precise): status |
New |
Triaged |
|
2014-02-06 14:53:39 |
Robert Ancell |
lightdm/1.4: importance |
Undecided |
Medium |
|
2014-02-06 14:53:41 |
Robert Ancell |
lightdm/1.8: status |
New |
Triaged |
|
2014-02-06 15:04:32 |
Launchpad Janitor |
branch linked |
|
lp:~robert-ancell/lightdm/chauthtok |
|
2014-02-06 15:07:52 |
Gabriel |
information type |
Public |
Private |
|
2014-02-06 15:11:32 |
Gabriel |
removed subscriber Giulio Turetta |
|
|
|
2014-02-06 15:11:32 |
Gabriel |
removed subscriber Steve Beattie |
|
|
|
2014-02-06 15:11:32 |
Gabriel |
removed subscriber Seth Arnold |
|
|
|
2014-02-06 15:11:32 |
Gabriel |
removed subscriber Yves-Alexis Perez |
|
|
|
2014-02-06 15:42:56 |
Robert Ancell |
lightdm/1.8: milestone |
|
1.8.7 |
|
2014-02-06 15:43:57 |
Robert Ancell |
lightdm/1.4: milestone |
|
1.4.6 |
|
2014-02-06 15:44:19 |
Robert Ancell |
lightdm/1.2: milestone |
|
1.2.7 |
|
2014-02-06 15:44:43 |
Robert Ancell |
lightdm: milestone |
|
1.9.7 |
|
2014-02-06 15:47:19 |
Robert Ancell |
lightdm/1.2: assignee |
|
Robert Ancell (robert-ancell) |
|
2014-02-06 15:47:21 |
Robert Ancell |
lightdm/1.4: assignee |
|
Robert Ancell (robert-ancell) |
|
2014-02-06 15:47:22 |
Robert Ancell |
lightdm/1.8: assignee |
|
Robert Ancell (robert-ancell) |
|
2014-02-06 16:41:04 |
PS Jenkins bot |
lightdm: status |
Triaged |
Fix Committed |
|
2014-02-06 16:58:12 |
Launchpad Janitor |
branch linked |
|
lp:lightdm/1.8 |
|
2014-02-06 17:01:47 |
Launchpad Janitor |
branch linked |
|
lp:lightdm/1.4 |
|
2014-02-06 17:20:46 |
Robert Ancell |
lightdm (Ubuntu Precise): assignee |
|
Robert Ancell (robert-ancell) |
|
2014-02-06 17:20:51 |
Robert Ancell |
lightdm (Ubuntu Precise): status |
Triaged |
In Progress |
|
2014-02-06 17:20:53 |
Robert Ancell |
lightdm/1.8: status |
Triaged |
Fix Committed |
|
2014-02-06 17:20:55 |
Robert Ancell |
lightdm/1.4: status |
Triaged |
Fix Committed |
|
2014-02-06 17:20:57 |
Robert Ancell |
lightdm/1.2: status |
Triaged |
Fix Committed |
|
2014-02-06 17:21:36 |
Launchpad Janitor |
branch linked |
|
lp:lightdm/1.2 |
|
2014-02-06 18:11:33 |
Robert Ancell |
lightdm/1.8: status |
Fix Committed |
Fix Released |
|
2014-02-06 18:11:51 |
Robert Ancell |
lightdm/1.4: status |
Fix Committed |
Fix Released |
|
2014-02-06 18:11:54 |
Robert Ancell |
lightdm/1.2: status |
Fix Committed |
Fix Released |
|
2014-02-07 15:37:07 |
Robert Ancell |
description |
Package: lightdm
Version: 1.2.2-4
Severity: important
Dear Maintainer,
I have a working authentication configuration with LDAP on my Debian
wheezy workstation. Everything works fine except with lightdm when an
LDAP user has to change his password due to expiration. The user is
able to log in, but at the next prompt, instead of asking for a new password,
the LDAP administrator password is asked for. I've seen that I get the same
behaviour when I try to change an LDAP user's password via passwd as
root.
My nslcd configuration doesn't allow the local root user to behave like
the LDAP administrator.
I've tried with the gdm3 greeter and it works; it asks for a new password
and it allows the password to be changed properly.
I've seen this different behaviour in auth.log:
with gdm3:
debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
with lightdm:
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not exist in /etc/passwd
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
As you can see, nslcd authentication has the user value set with gdm3.
Lightdm has a blank value instead.
I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
check whether it was a greeter problem, but the problem remains with both.
-- System Information:
Debian Release: 7.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lightdm depends on:
ii adduser 3.113+nmu3
ii consolekit 0.4.5-3.1
ii dbus 1.6.8-1+deb7u1
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libpam0g 1.1.3-7.1
ii libxcb1 1.8.1-2+deb7u1
ii libxdmcp6 1:1.1.1-1
ii lightdm-gtk-greeter [lightdm-greeter] 1.1.6-2
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+3~deb7u1
Versions of packages lightdm suggests:
ii accountsservice 0.6.21-8
ii upower 0.9.17-1
-- Configuration Files:
/etc/lightdm/lightdm.conf:
[LightDM]
[SeatDefaults]
xserver-allow-tcp=false
greeter-session=lightdm-greeter
greeter-hide-users=true
user-session=gnome-session
session-wrapper=/etc/X11/Xsession
[XDMCPServer]
[VNCServer]
enabled=true
port=5900
width=1024
height=768
depth=8
/etc/pam.d/lightdm:
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
In addition to these files my configuration is:
nslcd.conf:
uid nslcd
gid nslcd
uri ldap://ldap2
uri ldap://ldap1
base passwd ou=people,dc=myorg
base shadow ou=people,dc=myorg
base group ou=groups,dc=myorg
ldap_version 3
binddn cn=reader,dc=myorg
bindpw readerpass
ssl start_tls
tls_reqcert allow
common-auth:
auth [success=5 default=ignore] pam_unix.so nullok_secure debug
auth [success=3 authinfo_unavail=ignore default=1] pam_ldap.so minimum_uid=1000 use_first_pass debug
auth [success=3 default=ignore] pam_ccreds.so action=validate use_first_pass
auth [default=bad] pam_ccreds.so action=update
auth requisite pam_deny.so
auth [default=ignore] pam_ccreds.so action=store
auth required pam_permit.so
common-account:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done authinfo_unavail=1 default=ignore] pam_ldap.so minimum_uid=1000 debug
account requisite pam_deny.so
account required pam_permit.so
common-password:
password [success=2 default=ignore] pam_unix.so obscure sha512 debug
password [success=1 new_authtok_reqd=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass debug
#password [default=1] pam_ldap.so minimum_uid=1000 try_first_pass debug
password requisite pam_deny.so
password required pam_permit.so
common-session:
session [default=ok] pam_permit.so
session [default=ignore] pam_unix.so
session [default=ignore] pam_ldap.so minimum_uid=1000
session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022
-- debconf information:
lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
Thank you for your support. |
[Impact]
LightDM does not correctly use PAM to change users' passwords when they expire. This causes some PAM modules (e.g. pam_ldap) to not correctly perform password changing.
[Test Case]
1. Set up LDAP logins
2. Expire a user's password
3. Attempt to log in to the greeter
Expected result:
- User is prompted to change password. Password limitations are correctly enforced.
Observed result:
- User is prompted to change password. Password limitations are not correctly enforced.
[Regression Potential]
Any PAM module that relied on the previous incorrect behaviour might behave differently. It is not expected that any module would intentionally do this. |
|
2014-02-07 15:37:16 |
Robert Ancell |
information type |
Private |
Public |
|
2014-02-07 15:50:59 |
Robert Ancell |
lightdm: status |
Fix Committed |
Fix Released |
|
2014-02-07 15:51:13 |
Robert Ancell |
lightdm (Ubuntu): status |
Triaged |
In Progress |
|
2014-02-07 15:51:15 |
Robert Ancell |
lightdm (Ubuntu): assignee |
|
Robert Ancell (robert-ancell) |
|
2014-02-07 16:21:31 |
Ubuntu Foundations Team Bug Bot |
tags |
ldap |
ldap patch |
|
2014-02-07 16:21:42 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2014-02-07 16:28:29 |
Launchpad Janitor |
lightdm (Ubuntu): status |
In Progress |
Fix Released |
|
2014-04-17 21:43:46 |
Brian Murray |
lightdm (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2014-04-17 21:43:50 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2014-04-17 21:43:54 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2014-04-17 21:44:00 |
Brian Murray |
tags |
ldap patch |
ldap patch verification-needed |
|
2014-05-06 06:28:25 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/lightdm |
|
2014-05-06 06:28:47 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/lightdm |
|
2014-07-09 21:47:20 |
Bartosz Kosiorek |
tags |
ldap patch verification-needed |
ldap patch verification-done |
|
2014-07-09 21:47:39 |
Bartosz Kosiorek |
lightdm (Ubuntu Precise): assignee |
Robert Ancell (robert-ancell) |
Bartosz Kosiorek (gang65) |
|
2014-07-09 21:47:44 |
Bartosz Kosiorek |
lightdm (Ubuntu): assignee |
Robert Ancell (robert-ancell) |
Bartosz Kosiorek (gang65) |
|
2014-07-10 07:54:30 |
Colin Watson |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2014-07-10 07:54:29 |
Launchpad Janitor |
lightdm (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2014-07-10 08:08:20 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-updates/lightdm |
|
2014-12-05 06:43:04 |
Rolf Leggewie |
lightdm (Ubuntu Saucy): status |
Triaged |
Won't Fix |
|