Upgrade from 10.04 to 12.04 server breaks configuration of nslcd

Bug #1000205 reported by Wolfram Strauss on 2012-05-16
This bug affects 2 people
Affects: nss-pam-ldapd (Debian) | Status: Fix Released | Importance: Unknown
Affects: nss-pam-ldapd (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: Precise | Importance: High | Assigned to: Unassigned

Bug Description

[IMPACT]

This bug affects people who use a mix of debconf and manual
configuration of the nslcd.conf file or possibly people who are
upgrading from an earlier release that does not include the
ldap-auth-type debconf configuration setting (there could be more
cases).

This breaks LDAP authentication on upgrades, quietly removing LDAP users
from the system and will break it again if the package is
upgraded/reinstalled.

[TESTCASE]

The easiest way to trigger the underlying bug is to use debconf to
configure no authentication, then change the config by hand with the
binddn and bindpw options and then reinstall or upgrade.

apt-get purge nslcd
apt-get install libnss-ldapd nslcd
[with debconf choose no authentication]
[edit /etc/nslcd.conf and set binddn and bindpw]
[restart nslcd and verify that getent passwd returns LDAP users]
apt-get --reinstall install nslcd

You need an LDAP server to test this obviously.

[Regression Potential]

This fix was in Debian unstable (#670133, fixed in 0.8.8-1) and has not
seen any regressions so far. The change could have an effect for debconf
preseeding which is quite complex to do right.

Preconfiguring nslcd is much simpler when pre-installing an nslcd.conf
file (which will be preserved on installation) although debconf
preseeding should work for most configurations.

* Original Description *

Doing a do-release-upgrade from 10.04 server to 12.04 server breaks the configuration in /etc/nslcd.conf. Custom modifications are partially commented out; at least the directive bindpw is commented out, which leaves nslcd non-functioning after the release upgrade.

There was no question regarding overwriting the manually modified configuration file, nor was the original one saved. When using LDAP for authentication (e.g. in the PAM stack and/or for nsswitch), this breaks the login process.

Arthur de Jong (adejong) wrote :

There recently were a few bugs regarding upgrades (some fixed) in Debian, see:
  http://bugs.debian.org/670133
  http://bugs.debian.org/672301
Perhaps this is a duplicate of one of these bugs?

It would be helpful if you could post versions of nslcd before and after the upgrade and the contents of nslcd.conf.

http://bugs.debian.org/670133 describes exactly what I experienced.

Arthur de Jong (adejong) wrote :

If this is useful for Ubuntu, I can prepare a patch, although I would recommend against using 0.8.4 in a stable release because the 0.8 series is still in development (but now reaching stability with 0.8.8-3).

Changed in nss-pam-ldapd (Ubuntu):
status: New → Confirmed
Changed in nss-pam-ldapd (Debian):
status: Unknown → Fix Released

Hi Arthur,

If you prepare a patch you'll want to attach additional SRU information to the bug ticket for this to go into Precise.

https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

It just happened again. The upgrade to nslcd / libnss-ldapd version 0.8.4ubuntu0.1 released on 2012-06-29 broke my setup again. The directives binddn and bindpw in /etc/nslcd.conf were both commented out and the password in bindpw was replaced with the string *removed*.


On Sun, 2012-07-01 at 05:29 +0000, William Van Hevelingen wrote:
> If you prepare a patch you'll want to attach additional SRU
> information to the bug ticket for this to go into Precise.

Ok, here is my best shot at this.

[IMPACT]

This bug affects people who use a mix of debconf and manual
configuration of the nslcd.conf file or possibly people who are
upgrading from an earlier release that does not include the
ldap-auth-type debconf configuration setting (there could be more
cases).

This breaks LDAP authentication on upgrades, quietly removing LDAP users
from the system and will break it again if the package is
upgraded/reinstalled.

[TESTCASE]

The easiest way to trigger the underlying bug is to use debconf to
configure no authentication, then change the config by hand with the
binddn and bindpw options and then reinstall or upgrade.

apt-get purge nslcd
apt-get install libnss-ldapd nslcd
[with debconf choose no authentication]
[edit /etc/nslcd.conf and set binddn and bindpw]
[restart nslcd and verify that getent passwd returns LDAP users]
apt-get --reinstall install nslcd

You need an LDAP server to test this obviously.

[Regression Potential]

This fix was in Debian unstable (#670133, fixed in 0.8.8-1) and has not
seen any regressions so far. The change could have an effect for debconf
preseeding which is quite complex to do right.

Preconfiguring nslcd is much simpler when pre-installing an nslcd.conf
file (which will be preserved on installation) although debconf
preseeding should work for most configurations.

[Other Info]

While the attached patch fixes this bug it is probably a much better
idea to ship 0.8.10 which is targeted towards the next Debian stable
release. It is much better tested and fixes a number of known bugs in the
0.8.4 version which was never meant for production use.

An overview of the most important packaging changes from 0.8.4 to
0.8.10:

  * consistently handle whitespace in configuration file during package
    configuration (thanks Nick) (closes: #641619)
  * add a versioned dependency on libpam0g to ensure the PAM
    libraries are multiarch-aware
  * in debconf, treat the "hard" value for tls_reqcert as if it was
    "demand" (closes: #642347)
  * keep nslcd running during package upgrades (closes: #644892)
  * enable hardening options during build
  * automatically comment out mapping of uniqueMember to member on
    upgrades because member is default now
  * update the X-Start-Before header in the init script to ensure that
    nslcd is started before the display managers
  * use the configuration file contents to determine the authentication
    type, not the debconf database (closes: #670133) (LP: #1000205)
  * don't clear the tls_reqcert option when using ssl without the
    start_tls option or an ldaps:// URL (closes: #672301)

An overview of the most important upstream changes from 0.8.4 to 0.8.10:

  * support larger gecos values (closes: #640781)
  * reduce loglevel of user not found messages to avoid spamming the
    logs with useless information (thanks Wakko Warner)
    (closes: #641820)
  * fix an issue where changes in /etc/nsswitch.conf were not correctly
    picked up and could lead to loo...


The attachment "nss-pam-ldapd-fix-debconf-authentication-0.8.4.patch" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Martin Pitt (pitti) on 2012-07-16
summary: - Upgrade from 10.04 to 12.04 server brakes configuration of nslcd
+ Upgrade from 10.04 to 12.04 server breaks configuration of nslcd
Brian Murray (brian-murray) wrote :

This is presumably fixed in quantal as it has version 0.8.10 in it.

Changed in nss-pam-ldapd (Ubuntu):
status: Confirmed → Fix Released
Changed in nss-pam-ldapd (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
description: updated
Brian Murray (brian-murray) wrote :

I've uploaded the debdiff to precise-proposed and it is now awaiting approval from a member of the SRU team.

Changed in nss-pam-ldapd (Ubuntu Precise):
status: Triaged → Fix Committed
Stéphane Graber (stgraber) wrote :

Reverting the precise task to In Progress. Fix Committed is for packages that are in the -proposed pocket; this package is still in the Unapproved queue.

Changed in nss-pam-ldapd (Ubuntu Precise):
status: Fix Committed → In Progress

Hello Wolfram, or anyone else affected,

Accepted nss-pam-ldapd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.8.4ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nss-pam-ldapd (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed

I can verify that nss-pam-ldapd 0.8.4ubuntu.02 fixes the problem.

Verification procedure:

1. Added precise-proposed repository
2. apt-get install -t precise-proposed nslcd libnss-ldapd
3. verify the contents of /etc/nslcd.conf -> unchanged
4. log in to the system with ldap account -> still works

tags: added: verification-done
removed: verification-needed
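
A pre/post-upgrade check for the symptom reported in this thread (binddn and bindpw commented out, bindpw replaced by *removed*), added here as an example; it is not part of the bug report or of the nss-pam-ldapd package. The function names, sample file contents and hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): compare a saved copy of
# /etc/nslcd.conf with the file left behind by a package upgrade.

# Print the value of an active (uncommented) directive; empty if absent.
active_value() {  # $1 = file, $2 = directive
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Succeed if the directive has no active line but does appear commented out.
commented_out() {  # $1 = file, $2 = directive
    [ -z "$(active_value "$1" "$2")" ] &&
        grep -Eq "^[[:space:]]*#[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Report bind settings lost between $1 (before) and $2 (after).
# Values are compared but never printed, so bindpw does not reach logs.
check_nslcd_upgrade() {
    rc=0
    for key in binddn bindpw; do
        old=$(active_value "$1" "$key")
        [ -n "$old" ] || continue   # was not set before: nothing to lose
        if commented_out "$2" "$key"; then
            echo "BROKEN: $key was commented out"; rc=1
        elif [ "$(active_value "$2" "$key")" != "$old" ]; then
            echo "BROKEN: $key changed or was removed"; rc=1
        fi
    done
    if grep -Eq '^[[:space:]]*#?[[:space:]]*bindpw[[:space:]]+\*removed\*' "$2"; then
        echo "BROKEN: bindpw replaced by the *removed* placeholder"; rc=1
    fi
    return "$rc"
}

# Constructed sample files reproducing the reported symptom.
make_samples() {  # $1 = directory
    printf '%s\n' 'uri ldap://ldap.example.com/' 'base dc=example,dc=com' \
        'binddn cn=proxy,dc=example,dc=com' 'bindpw s3cret-sample' > "$1/before.conf"
    printf '%s\n' 'uri ldap://ldap.example.com/' 'base dc=example,dc=com' \
        '#binddn cn=proxy,dc=example,dc=com' '#bindpw *removed*' > "$1/after.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_nslcd_upgrade "$demo_dir/before.conf" "$demo_dir/after.conf" ||
    echo "nslcd.conf lost its bind credentials; restore them before logging out"
rm -rf "$demo_dir"
```

On a real host, copy /etc/nslcd.conf to a root-only location before the upgrade and pass that copy as the first argument, since the file contains the bind password.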

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.4ubuntu0.2

---------------
nss-pam-ldapd (0.8.4ubuntu0.2) precise-proposed; urgency=low

  * use the configuration file contents to determine the authentication
    type, not the debconf database (closes: #670133) (LP: #1000205)
 -- Arthur de Jong <email address hidden> Wed, 18 Jul 2012 12:36:45 -0700

Changed in nss-pam-ldapd (Ubuntu Precise):
status: Fix Committed → Fix Released