Comment 6 for bug 1000205

Arthur de Jong (adejong) wrote : Re: [Bug 1000205] Re: Upgrade from 10.04 to 12.04 server brakes configuration of nslcd

On Sun, 2012-07-01 at 05:29 +0000, William Van Hevelingen wrote:
> If you prepare a patch you'll want to attach additional SRU
> information to the bug ticket for this to go into Precise.

Ok, here is my best shot at this.

[IMPACT]

This bug affects people who use a mix of debconf and manual
configuration of the nslcd.conf file or possibly people who are
upgrading from an earlier release that does not include the
ldap-auth-type debconf configuration setting (there could be more
cases).

This breaks LDAP authentication on upgrades, quietly removing LDAP users
from the system, and will break it again if the package is
upgraded/reinstalled.

[TESTCASE]

The easiest way to trigger the underlying bug is to use debconf to
configure no authentication, then change the config by hand with the
binddn and bindpw options and then reinstall or upgrade.

apt-get purge nslcd
apt-get install libnss-ldapd nslcd
[with debconf choose no authentication]
[edit /etc/nslcd.conf and set binddn and bindpw]
[restart nslcd and verify that getent passwd returns LDAP users]
apt-get --reinstall install nslcd

You need an LDAP server to test this obviously.

[Regression Potential]

This fix was in Debian unstable (#670133, fixed in 0.8.8-1) and has not
seen any regressions so far. The change could have an effect on debconf
preseeding, which is quite complex to do right.

Preconfiguring nslcd is much simpler when pre-installing an nslcd.conf
file (which will be preserved on installation) although debconf
preseeding should work for most configurations.

[Other Info]

While the attached patch fixes this bug it is probably a much better
idea to ship 0.8.10 which is targeted towards the next Debian stable
release. It is much better tested and fixes a number of known bugs in the
0.8.4 version which was never meant for production use.

An overview of the most important packaging changes from 0.8.4 to
0.8.10:

  * consistently handle whitespace in configuration file during package
    configuration (thanks Nick) (closes: #641619)
  * add a versioned dependency on libpam0g to ensure the PAM
    libraries are multiarch-aware
  * in debconf, treat the "hard" value for tls_reqcert as if it was
    "demand" (closes: #642347)
  * keep nslcd running during package upgrades (closes: #644892)
  * enable hardening options during build
  * automatically comment out mapping of uniqueMember to member on
    upgrades because member is default now
  * update the X-Start-Before header in the init script to ensure that
    nslcd is started before the display managers
  * use the configuration file contents to determine the authentication
    type, not the debconf database (closes: #670133) (LP: #1000205)
  * don't clear the tls_reqcert option when using ssl without the
    start_tls option or an ldaps:// URL (closes: #672301)

An overview of the most important upstream changes from 0.8.4 to 0.8.10:

  * support larger gecos values (closes: #640781)
  * reduce loglevel of user not found messages to avoid spamming the
    logs with useless information (thanks Wakko Warner)
    (closes: #641820)
  * fix an issue where changes in /etc/nsswitch.conf were not correctly
    picked up and could lead to lookups being disabled on upgrade
    (closes: #645599)
  * provide more detailed logging information for LDAP errors, this
    should especially help for TLS related problems (based on a patch
    by Mel Flynn)
  * fix logging of invalid pam_authz_search value (LP: #951343)
  * when doing DNS queries for SRV records recognise default ldap and
    ldaps ports (closes: #661955)
  * try to prevent some of the Broken pipe messages in nslcd
  * increase buffer used for pam_authz_search as suggested by Chris J
    Arges
  * fix a problem in the handling of PAM requests in nslcd
    (closes: #670419)
  * fix a problem that causes the PAM module to prompt for a new
    password even though the old one was wrong
  * log successful password change in nslcd

Hope this helps.

--
-- arthur - <email address hidden> - http://people.debian.org/~adejong --
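The two packaging changes the comment singles out for this bug are determining the authentication type from the contents of nslcd.conf rather than from the debconf database, and handling whitespace in the configuration file consistently. The following shell script is an added example illustrating that approach; it is not code from the bug report or from the nss-pam-ldapd packaging. It assumes only that `binddn`, `bindpw` and `sasl_mech` are nslcd.conf option names (the first two appear in the test case above); the labels it prints (`none`, `simple`, `sasl`, `incomplete`) are the example's own, and the configuration it inspects is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the nss-pam-ldapd
# packaging: classify the authentication type an nslcd.conf actually
# configures by reading the file, instead of trusting the debconf database.
# binddn, bindpw and sasl_mech are nslcd.conf options; the labels
# none/simple/sasl/incomplete are this example's own.

# has_opt OPTION FILE: true when OPTION is set (with a non-empty value)
# on a non-comment line. Leading blanks and tab- or space-separated
# values are accepted, so "binddn x", "  binddn  x" and "binddn<TAB>x"
# all match; "# binddn x" does not, because '#' precedes the option.
has_opt() {
  grep -Eq "^[[:space:]]*$1[[:space:]]+[^[:space:]]" "$2"
}

# nslcd_auth_type FILE: print how the file binds to the LDAP server.
nslcd_auth_type() {
  if has_opt sasl_mech "$1"; then
    echo sasl
  elif has_opt binddn "$1" && has_opt bindpw "$1"; then
    echo simple
  elif has_opt binddn "$1" || has_opt bindpw "$1"; then
    # Half a simple bind: a maintainer script that treated this as "no
    # authentication" would silently drop the credentials on upgrade.
    echo incomplete
  else
    echo none
  fi
}

# Demonstration on a constructed configuration (not a real site's file):
# debconf was told "no authentication", then binddn/bindpw were added by
# hand with indentation and a tab, as in the test case above.
demo_conf=$(mktemp)
printf 'uri ldap://ldap.example.com/\nbase dc=example,dc=com\n  binddn cn=nslcd,dc=example,dc=com\nbindpw\tsecret\n# sasl_mech GSSAPI\n' > "$demo_conf"
echo "auth type: $(nslcd_auth_type "$demo_conf")"   # auth type: simple
rm -f "$demo_conf"
```

Run against the constructed file the script reports `simple`, which is what a maintainer script needs to know before it rewrites the file: the debconf database would still say "no authentication" for this host, and a script that consulted only debconf would comment out or drop the bind credentials.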