PAM with LDAPS breaks authentication via Policykit to Gnome applications as local administrator

Bug #892480 reported by Dave Koelmeyer on 2011-11-19
This bug affects 2 people
Affects Status Importance Assigned to Milestone
policykit-1 (Ubuntu)

Bug Description


1) Test system

My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been fully patched.

libnss-ldap and dependencies have then been installed with Synaptic package manager using the local administrator account created during installation of Ubuntu.

/etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP server running on the local network,using ldaps://server:port nomenclature.

The self-signed certificate from the OpenDJ server has been exported as a PEM encoded file and saved on the test Ubuntu client at /usr/share/ca-certificates/server.pem. The file has been made world readable.

At /etc/ldap.conf the certificate has been pointed to accordingly:

TLS_CACERTFILE /usr/share/ca-certificates/server.pem

A dedicated bind account has been created in the LDAP server and this has been specified in /etc/ldap.conf with the bind password recorded at /etc/ldap.secret

PAM configuration files at /etc/pam.d have been modified to contain the following, in order common-account, common-auth, common-password and common-session:

account sufficient
account required

auth sufficient
auth required nullok_secure use_first_pass

password sufficient nullok
password required nullok obscure min=4 max=8 md5

session required skel=/etc/skel/ umask=0022
session required
session optional

/etc/nsswitch.conf has been modified accordingly to contain the following information:

passwd: files ldap
group: files ldap
shadow: files ldap

LDAP users can log in to the client successfully, and home directories are created automatically. In LDAP, my test user accounts have been assigned the gidNumber attribute value of 119 (admin).

2) What I expect to happen

As local administrator (note *not* as an LDAP user), I expect to be able to launch a Gnome application such as Ubuntu Software Center and have Policykit validate my credentials correctly such that I can install or remove applications (or otherwise perform administrative tasks).

3) What happened instead

Logging in to the system as a local administrator, I can launch Ubuntu Software Center. Upon (for example) attempting to install an application, I am prompted for my credentials. I enter these (the same credentials used to log into the system), but they are rejected with an "Authentication Failure" error.

4) Additional information

Using my Virtualbox host with a combination of snapshots, I have determined that this oddity appears specifically in this scenario when secure LDAP is configured on the client. If I modify /etc/ldap.conf and use plain LDAP, i.e. an insecure connection to my OpenDJ server without a certificate, then logged in to the test client as a local administrator I can successfully authenticate to Ubuntu Software Center.

In either scenario, using Synaptic with the same credentials as local administrator poses no problem.

Policykit version details:

$ apt-cache policy policykit-1
  Installed: 0.96-2ubuntu0.1
  Candidate: 0.96-2ubuntu0.1
  Version table:
 *** 0.96-2ubuntu0.1 0
        500 lucid-updates/main Packages
        500 lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.96-2 0
        500 lucid/main Packages

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers