nslcd config and debconf

Bug #1063923 reported by molostoff
This bug affects 1 person
Affects: nss-pam-ldapd (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Here is a problem with setting up an "external" sasl auth parameter in /etc/nslcd.conf with debconf and dpkg-reconfigure (see short session log below).

Usually I use sasl_mech "external" configured in nslcd.conf and all is fine, except for ongoing Ubuntu/Debian updates: every time a package is updated, debconf reconfigures it to keep configuration settings "correct" in a way a developer/maintainer of that package should know - it always removes "external" with "auto", and thus fails to connect to slapd, since in my slapd config only external is allowed (it is a requirement).

I was unable to find a place to report a bug in Ubuntu repos (nslcd belongs to universe, and is not a part of Ubuntu), and if someone can point out a good link, it would be very helpful to report the bug more "officially".

The main problem is that I can use the "external" sasl mech, but it is unconditionally overwritten every update to the "auto", which makes nslcd disconnected from slapd, and requires handy intervention every time (sorry, tired) to manually check /etc/nslcd.conf, and remove "auto" with "external". :)

Here is a sequence of commands to show the effect of "external" mech setting up. Please, take into account that setting /etc/nslcd.conf manually with vi or emacs has the same result - after update (e.g. debconf noninteractive reconfiguring) it always becomes "auto" instead of required "external". Please Help!

# echo nslcd nslcd/ldap-sasl-mech select external | debconf-set-selections

# debconf-show nslcd
* nslcd/ldap-bindpw: (password omitted)
* nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: SASL
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldapi:///
* nslcd/ldap-sasl-secprops:
  nslcd/ldap-binddn:
* nslcd/ldap-sasl-authcid:
* nslcd/ldap-sasl-mech: external
* nslcd/ldap-base: dc=local
* nslcd/ldap-sasl-authzid:

# dpkg-reconfigure -f noninteractive nslcd
 * Stopping LDAP connection daemon nslcd [ OK ]
 * Starting LDAP connection daemon nslcd [ OK ]

# debconf-show nslcd
* nslcd/ldap-bindpw: (password omitted)
* nslcd/ldap-sasl-realm:
* nslcd/ldap-starttls: false
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
* nslcd/ldap-auth-type: SASL
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldapi:///
* nslcd/ldap-sasl-secprops:
  nslcd/ldap-binddn:
* nslcd/ldap-sasl-authcid:
* nslcd/ldap-sasl-mech: auto
* nslcd/ldap-base: dc=local
* nslcd/ldap-sasl-authzid:

# cat /etc/nslcd.conf
uid 0
gid 0
ldap_version 3
sasl_mech auto
uri ldapi:///
rootpwmoddn cn=admin,dc=local
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
base dc=local

Arthur de Jong (adejong) wrote :

The problem is that the value "external" isn't currently supported by the package configuration and it is incorrectly replaced by auto as a default value. Current supported values are: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP.

The "EXTERNAL" value will be added as a possible value.

Btw, using debconf-set-selections and using dpkg-reconfigure is not a supported way to update the configuration because the current configuration is always read from the configuration file in order to preserve configuration changes outside debconf. The only situation where preseeding would work is on initial installation when the configuration file is absent.

The change in SVN is at:
  http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1778&view=revision
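
Added example (not part of the bug report or of the nss-pam-ldapd package): a POSIX shell check that can run after package upgrades to catch the reset described above, where `sasl_mech` in `/etc/nslcd.conf` ends up as `auto`. The function names are hypothetical; it assumes the last active `sasl_mech` line is the effective one and that mechanism names compare case-insensitively.

```shell
#!/bin/sh
# Added example: detect sasl_mech drift in nslcd.conf after a package upgrade.

# Values the maintainer's comment lists as supported before the fix.
KNOWN_MECHS="auto LOGIN PLAIN NTLM CRAM-MD5 DIGEST-MD5 GSSAPI OTP"

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# Print the last active (uncommented) sasl_mech value in the file, if any.
# Assumption: when the option appears more than once, the last line wins.
get_sasl_mech() {
    awk 'tolower($1) == "sasl_mech" { v = $2 } END { if (v != "") print v }' "$1"
}

# 0 = configured mechanism matches the expected one, 1 = drift, 2 = not set.
check_sasl_mech() {
    conf=$1
    want=$2
    have=$(get_sasl_mech "$conf")
    if [ -z "$have" ]; then
        echo "no sasl_mech line in $conf" >&2
        return 2
    fi
    if [ "$(upper "$have")" = "$(upper "$want")" ]; then
        return 0
    fi
    echo "sasl_mech drift in $conf: have '$have', want '$want'" >&2
    return 1
}

# 0 if the mechanism is in the pre-fix list above, 1 if it is not and so is
# at risk of being replaced by the default on reconfiguration.
# Assumption: names are compared case-insensitively.
is_known_mech() {
    for m in $KNOWN_MECHS; do
        [ "$(upper "$m")" = "$(upper "$1")" ] && return 0
    done
    return 1
}

# Constructed sample: the nslcd.conf lines shown after the reconfigure.
sample=$(mktemp)
printf 'uid 0\ngid 0\nldap_version 3\nsasl_mech auto\nuri ldapi:///\n' > "$sample"
check_sasl_mech "$sample" external || echo "action needed: restore sasl_mech"
is_known_mech external || echo "'external' is not in the pre-fix list"
rm -f "$sample"
```

Point `check_sasl_mech` at `/etc/nslcd.conf` with the mechanism slapd requires and alert on a non-zero status.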

molostoff (molostoff) wrote :

Thanks for such a fast reply! Many thanks for the fix! Waiting to test it!

BTW, where can I get more info on supported ways of using debconf-set-selections and dpkg-reconfigure?

It seems that my config does exactly the above - updates the debconf db and reconfigures the package via dpkg, what's wrong with it?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.10-3

---------------
nss-pam-ldapd (0.8.10-3) unstable; urgency=low

  * fix a problem in sed logic for commenting out disabled options
    (closes: #689296)
  * support "EXTERNAL" SASL mechanism in debconf configuration (LP: #1063923)
    (the debconf template has been postponed to avoid having to update all
    translations for a relatively minor change)
  * 01-use-poll-instead-of-select.patch: use poll() instead of select()
    for checking file descriptor activity to also correctly work if more
    than FD_SETSIZE files are already open (closes: #690319)

 -- Arthur de Jong <email address hidden> Sun, 14 Oct 2012 23:00:00 +0200

Changed in nss-pam-ldapd (Ubuntu):
status: New → Fix Released