Package: lightdm
Version: 1.2.2-4
Severity: important
Dear Maintainer,
I have a working authentication configuration with ldap on my debian
wheezy workstation. Everything works fine except with lightdm when an
ldap user has to change his password due to expiration. The user is
able to log in, but at the next prompt, instead of being asked for a new
password, he is asked for the ldap administrator password. I've seen I have the same
behaviour when I try to change an ldap user password via passwd as
root.
My nslcd configuration doesn't allow the local root user to behave like
the ldap administrator.
I've tried with the gdm3 greeter and it works; it asks for a new password
and it allows the password to be changed properly.
I've seen this different behaviour in auth.log:
with gdm3:
debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
with lightdm:
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not exist in /etc/passwd
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
As you can see, nslcd authentication has the user value set with gdm3.
Lightdm has a blank value instead.
I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
check if it was a greeter problem, but the problem remains with both.
-- System Information:
Debian Release: 7.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lightdm depends on:
ii adduser 3.113+nmu3
ii consolekit 0.4.5-3.1
ii dbus 1.6.8-1+deb7u1
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libpam0g 1.1.3-7.1
ii libxcb1 1.8.1-2+deb7u1
ii libxdmcp6 1:1.1.1-1
ii lightdm-gtk-greeter [lightdm-greeter] 1.1.6-2
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+3~deb7u1
Versions of packages lightdm suggests:
ii accountsservice 0.6.21-8
ii upower 0.9.17-1
-- Configuration Files:
/etc/lightdm/lightdm.conf:
[LightDM]
[SeatDefaults]
xserver-allow-tcp=false
greeter-session=lightdm-greeter
greeter-hide-users=true
user-session=gnome-session
session-wrapper=/etc/X11/Xsession
[XDMCPServer]
[VNCServer]
enabled=true
port=5900
width=1024
height=768
depth=8
/etc/pam.d/lightdm:
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
In addition to these files my configuration is:
nslcd.conf:
uid nslcd
gid nslcd
uri ldap://ldap2
uri ldap://ldap1
base passwd ou=people,dc=myorg
base shadow ou=people,dc=myorg
base group ou=groups,dc=myorg
ldap_version 3
binddn cn=reader,dc=myorg
bindpw readerpass
ssl start_tls
tls_reqcert allow
common-auth:
auth [success=5 default=ignore] pam_unix.so nullok_secure debug
auth [success=3 authinfo_unavail=ignore default=1] pam_ldap.so minimum_uid=1000 use_first_pass debug
auth [success=3 default=ignore] pam_ccreds.so action=validate use_first_pass
auth [default=bad] pam_ccreds.so action=update
auth requisite pam_deny.so
auth [default=ignore] pam_ccreds.so action=store
auth required pam_permit.so
common-account:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done authinfo_unavail=1 default=ignore] pam_ldap.so minimum_uid=1000 debug
account requisite pam_deny.so
account required pam_permit.so
common-password:
password [success=2 default=ignore] pam_unix.so obscure sha512 debug
password [success=1 new_authtok_reqd=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass debug
#password [default=1] pam_ldap.so minimum_uid=1000 try_first_pass debug
password requisite pam_deny.so
password required pam_permit.so
common-session:
session [default=ok] pam_permit.so
session [default=ignore] pam_unix.so
session [default=ignore] pam_ldap.so minimum_uid=1000
session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022
-- debconf information:
lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
Thank you for support.
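
A check for the symptom shown in the two auth.log excerpts, added here as an example and not part of the original report: it flags pam_ldap entries whose "nslcd authentication; user=" field is empty and reports the user the same service had authenticated earlier. The function name and the embedded sample (log lines taken from the report, wrapped lines joined) are assumptions of this example.

```python
import re

# Sample input: lines from the report's auth.log excerpts, wrapped lines joined.
SAMPLE_LOG = """\
debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
"""

# Matches "module(service:phase): message" anywhere in a syslog line,
# so a leading timestamp or hostname does not matter.
PAM_LINE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<phase>\w+)\):\s*(?P<msg>.*)$"
)
NSLCD_AUTH = re.compile(r"nslcd authentication; user=(?P<user>\S*)")


def find_lost_usernames(log_text):
    """Return one finding per pam_ldap line that reached nslcd with an
    empty user name, with the user last seen for that PAM service."""
    last_user = {}  # PAM service name -> last non-empty user passed to nslcd
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        pam = PAM_LINE.search(line)
        if not pam or pam["module"] != "pam_ldap":
            continue
        auth = NSLCD_AUTH.search(pam["msg"])
        if not auth:
            continue
        if auth["user"]:
            last_user[pam["service"]] = auth["user"]
        else:
            findings.append({
                "line": lineno,
                "service": pam["service"],
                "phase": pam["phase"],
                "expected_user": last_user.get(pam["service"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_lost_usernames(SAMPLE_LOG):
        print(finding)
```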