Ctrl+Alt+F7 bypasses the light-locker lock-screen under XFCE

Alex Denvir subscribed, as he's the one who bought this to my attention.

With light-locker running, you can switch back to VT7, but it will block your access to the running session there and automatically redirect you to VT8.

So yeah, going to a new VT is expected and part of the plan. If you don't have light-locker running, then of course this will be a problem, because your session will be unlocked and unprotected (as with any other screenlocker, it only works when installed ;)).

Hi Simon,

Unfortunately, this isn't happening. I'm able to switch to VT7 and use the machine. (my access is not blocked to the running session)

(I'm currently setting up a VM to test this on, but, If need be, I'll film what's happening and upload that :))

Changing to incomplete, as I can confirm that this is happening. Invalid would mean I'm wrong. As I can provide documentary evidence regarding this, I'll mark it as complete until I do so :)

As you might have noticed, I only marked it as invalid against xubuntu-meta, as it is not a bug in that component.

This issue is caused by Polkit not correctly working when box is installed as an LDAP client.

Please:
- Report to <http://www.openldap.org/its/>.
- Paste the new report URL here.
- Set this bug status back to confirmed.

Thank you.

Please, also repeat the above with <https://bugs.freedesktop.org/> against PolicyKit.

Can;t seem to link the openldap bug, so

http://www.openldap.org/its/index.cgi/Incoming?id=8025

As I noted in our ITS#8025, this has nothing to do with upstream OpenLDAP. It may be specific to the particular way you built OpenLDAP in your distro, or it may be due to pam_ldap itself, but neither of these are in the purview of the OpenLDAP Project. Certainly there is nothing in vanilla OpenLDAP source code that operates at a low enough system level to interfere with screen blanking or locking.

Howard, It's having the usernames come from ldap, rather than the local system, that causes policykit to have weird stuff happen, that causes screen locking. It's all interconnected :)

The bug isn't in the parts individually, but in the integration of them all.

Try replacing pam-ldap/nss-ldap with nslcd and/or nssov and see if the problem persists. I'd bet it doesn't. See here https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/84 for reasons why you should have abandoned pam-ldap/nss-ldap years ago.

Switching to libpam-ldapd and nslcd have fixed this issue. I've marked this as an issue against libpam-ldap.

https://github.com/opscode-cookbooks/openldap/issues/44 <-- this has been filed, as this is why we ended up with the outdated package

Might be related to bug 781737. pam-ldap/nss-ldap dropping privileges is, AFAIK, caused by libgcrypt (bug 423252). If this is the same bug, then the pending openldap merge (bug 1395098) will resolve it, as gcrypt will no longer be used. But switching to nss-pam-ldapd is a good recommendation anyway, since the older modules are dead upstream.

On Fri, Jan 16, 2015 at 18:05:04 -0000, Ryan Tandy wrote:
> will no longer be used. But switching to nss-pam-ldapd is a good
> recommendation anyway, since the older modules are dead upstream.

(In fact there is discussion underway regarding downgrading libnss-ldap
and libpam-ldap out of main; see LP: #1408478 for more information.)

      Nathan