slapd: nssov does not work with lib{nss,pam}-ldapd 0.9.x

Bug #1393306 reported by Ryan Tandy on 2014-11-17
This bug affects 2 people
Affects: openldap (Ubuntu)
Importance: High
Assigned to: Ryan Tandy

Bug Description

nss-pam-ldapd 0.9 introduced incompatible changes to the nslcd protocol, with an accompanying version bump: http://arthurdejong.org/nss-pam-ldapd/release-0-9-0

nssov still speaks the old protocol, so can't be used for clients running utopic or vivid. slapd says:

54698bdd connection_get(14): got connid=0
54698bdd nssov: connection from uid=0 gid=0
54698bdd nssov: wrong nslcd version id (33554432)

I started on a patch (nss mostly done, pam not done) and ran out of time. When I have time to finish it I'll post it upstream for review. If someone else wants to carry on with it I'm happy to provide my WIP.
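For triaging the log message quoted in the report, here is a small C helper, added as an example and not taken from the report or from nssov. It assumes (not stated on this page) that the pre-0.9 protocol uses version 1 and nss-pam-ldapd 0.9.x uses version 2. The logged id 33554432 is 0x02000000, which is 2 with its bytes reversed, so the helper checks each id in both byte orders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed protocol version numbers (not stated on the page):
 * 1 = pre-0.9 nslcd protocol, 2 = nss-pam-ldapd 0.9.x. */
#define OLD_NSLCD_VERSION 1u
#define NEW_NSLCD_VERSION 2u

/* Reverse the byte order of a 32-bit value. */
static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Pull N out of a "wrong nslcd version id (N)" log line.
 * Returns 0 on success, -1 if the line is not that message. */
int parse_version_id(const char *line, uint32_t *id)
{
    static const char marker[] = "wrong nslcd version id (";
    const char *p = strstr(line, marker);
    long long v;
    char close;
    if (p == NULL ||
        sscanf(p + sizeof(marker) - 1, "%lld%c", &v, &close) != 2 ||
        close != ')')
        return -1;
    *id = (uint32_t)v;   /* the id may have been logged as a signed int */
    return 0;
}

/* Returns the known protocol version the id matches in either byte
 * order, or 0 if it matches neither. */
unsigned client_protocol_version(uint32_t id)
{
    uint32_t swapped = swap32(id);
    if (id == OLD_NSLCD_VERSION || id == NEW_NSLCD_VERSION) return id;
    if (swapped == OLD_NSLCD_VERSION || swapped == NEW_NSLCD_VERSION) return swapped;
    return 0;
}

int main(void)
{
    uint32_t id;
    if (parse_version_id("54698bdd nssov: wrong nslcd version id (33554432)", &id) == 0)
        printf("id=0x%08x -> client protocol version %u\n", (unsigned)id, client_protocol_version(id));
    return 0;
}
```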

Ryan Tandy (rtandy) on 2014-11-17
Changed in openldap (Ubuntu):
assignee: nobody → Ryan Tandy (rtandy)
status: New → In Progress
Changed in openldap (Ubuntu):
importance: Undecided → High
Ryan Tandy (rtandy) wrote :

Patches were accepted upstream, will be fixed in 2.4.41.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.41+dfsg-1ubuntu1

---------------
openldap (2.4.41+dfsg-1ubuntu1) wily; urgency=medium

  * Merge from Debian testing (LP: #1471831). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Dropped changes:
    - Fix cpp calls for GCC 5: fixed upstream (ITS#8056)
  * Upstream fixes:
    - slapd crash with auditlog overlay and large (~27KB) attribute values
      (ITS#8003) (LP: #1461276)
    - nssov updated to support recent nss-pam-ldapd client libraries
      (ITS#8097) (LP: #1393306)
  * Update d/patches/nssov-build for upstream changes.
  * Tweak d/patches/gssapi.diff to apply without fuzz.
  * d/libldap-2.4-2.symbols: Add symbols not present in Debian.
    - CLDAP (UDP) was added in 2.4.17-1ubuntu2
    - GSSAPI support was enabled in 2.4.18-0ubuntu2

 -- Ryan Tandy <email address hidden> Fri, 24 Jul 2015 14:12:06 -0700

Changed in openldap (Ubuntu):
status: In Progress → Fix Released