Comment 0 for bug 1270118

Gabriel (pecheatwork) wrote:

Package: lightdm
Version: 1.2.2-4
Severity: important

Dear Maintainer,
I have a working authentication configuration with LDAP on my Debian
wheezy workstation. Everything works fine except with lightdm when an
LDAP user has to change his password due to expiration. The user is
able to log in, but at the next prompt, instead of asking for a new password,
the LDAP administrator password is asked for. I've seen that I have the same
behaviour when I try to change an LDAP user's password via passwd as
root.
My nslcd configuration doesn't allow the local root user to behave like
the LDAP administrator.
I've tried with the gdm3 greeter and it works; it asks for a new password
and allows changing the password properly.
I've seen this different behaviour in auth.log:

with gdm3:

debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd

with lightdm:

debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not exist in /etc/passwd
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd

As you can see, nslcd authentication has the user value set with gdm3.
Lightdm has a blank value instead.

I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
check whether it was a greeter problem, but the problem remains with both.

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lightdm depends on:
ii adduser 3.113+nmu3
ii consolekit 0.4.5-3.1
ii dbus 1.6.8-1+deb7u1
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libpam0g 1.1.3-7.1
ii libxcb1 1.8.1-2+deb7u1
ii libxdmcp6 1:1.1.1-1
ii lightdm-gtk-greeter [lightdm-greeter] 1.1.6-2

Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+3~deb7u1

Versions of packages lightdm suggests:
ii accountsservice 0.6.21-8
ii upower 0.9.17-1

-- Configuration Files:
/etc/lightdm/lightdm.conf:
[LightDM]
[SeatDefaults]
xserver-allow-tcp=false
greeter-session=lightdm-greeter
greeter-hide-users=true
user-session=gnome-session
session-wrapper=/etc/X11/Xsession
[XDMCPServer]
[VNCServer]
enabled=true
port=5900
width=1024
height=768
depth=8

/etc/pam.d/lightdm:
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password

In addition to these files my configuration is:

nslcd.conf:
uid nslcd
gid nslcd
uri ldap://ldap2
uri ldap://ldap1
base passwd ou=people,dc=myorg
base shadow ou=people,dc=myorg
base group ou=groups,dc=myorg
ldap_version 3
binddn cn=reader,dc=myorg
bindpw readerpass
ssl start_tls
tls_reqcert allow

common-auth:

auth [success=5 default=ignore] pam_unix.so nullok_secure debug
auth [success=3 authinfo_unavail=ignore default=1] pam_ldap.so minimum_uid=1000 use_first_pass debug
auth [success=3 default=ignore] pam_ccreds.so action=validate use_first_pass
auth [default=bad] pam_ccreds.so action=update
auth requisite pam_deny.so
auth [default=ignore] pam_ccreds.so action=store
auth required pam_permit.so

common-account:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done authinfo_unavail=1 default=ignore] pam_ldap.so minimum_uid=1000 debug
account requisite pam_deny.so
account required pam_permit.so

common-password:

password [success=2 default=ignore] pam_unix.so obscure sha512 debug
password [success=1 new_authtok_reqd=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass debug
#password [default=1] pam_ldap.so minimum_uid=1000 try_first_pass debug
password requisite pam_deny.so
password required pam_permit.so

common-session:

session [default=ok] pam_permit.so
session [default=ignore] pam_unix.so
session [default=ignore] pam_ldap.so minimum_uid=1000
session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022

-- debconf information:
  lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm

Thank you for support.
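As an added example, not part of the bug report above, the following POSIX shell script performs the comparison the reporter made by eye: it pulls every pam_ldap chauthtok attempt out of auth.log-style lines and reports, per PAM service, whether nslcd was handed a user name. The sample lines are copied from the two log excerpts in the report; the function and variable names are my own choice.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify pam_ldap chauthtok
# attempts in auth.log-style lines by whether nslcd received a user name.
# Function and variable names here are my own choice.

# Constructed sample: the chauthtok lines quoted in the report, one set
# from gdm3 (user present) and one from lightdm (user missing).
SAMPLE_LOG='debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd'

# chauthtok_status: read log lines on stdin and print one line per PAM
# service: "<service> ok:<user>" when pam_ldap passed a user name to nslcd,
# "<service> empty-user" when the user= field was blank (the symptom above).
chauthtok_status() {
    sed -n 's/^.*pam_ldap(\([^:]*\):chauthtok): nslcd authentication; user=\(.*\)$/\1 \2/p' |
    while read -r service user; do
        if [ -z "$user" ]; then
            printf '%s empty-user\n' "$service"
        else
            printf '%s ok:%s\n' "$service" "$user"
        fi
    done | sort -u
}

# broken_services: only the service names that hit the empty-user case.
broken_services() {
    chauthtok_status | sed -n 's/ empty-user$//p'
}

# Run against the constructed sample. On a real host feed the live log
# instead, e.g.: chauthtok_status < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | chauthtok_status
```

Running it on the sample prints `gdm3 ok:test` and `lightdm empty-user`; on a real host, a service listed by `broken_services` is one whose chauthtok call reached pam_ldap without a user name, which is what the report shows for lightdm.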