[Bug 1350778] Re: Upgrading nslcd on precise rewrites /etc/nslcd.conf, leaving users with unusable systems

Arthur de Jong adejong at debian.org
Tue Aug 5 07:33:53 UTC 2014


I don't think the configuration upgrade code is the issue here (that
would probably only cause issues with some downgrades). Furthermore,
from a quick glance it seems the patch disables debconf configuration
altogether.

The Debian packages contain numerous fixes to the debconf handling and
configuration parsing that most likely fix the above issues:

* don't clear the tls_reqcert option when using ssl without the start_tls option or an ldaps:// URL
  fixed in 0.8.8-3 (Debian bug https://bugs.debian.org/672301)
  patch: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1687&view=revision

* fix a problem in sed logic for commenting out disabled options
  fixed in 0.8.10-3 (Debian bug https://bugs.debian.org/689296)
  patch: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1777&view=revision

* make whitespace matching consistent in regular expressions
  fixed in 0.8.5
  patch: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1543&view=revision

* get the first configuration value instead of the last because that one is also written
  fixed in 0.8.5
  patch: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1567&view=revision

* properly parse and write configuration options with an optional map parameter during debconf configuration
  fixed in 0.8.10-2 (Launchpad bug https://bugs.launchpad.net/bugs/1029062)
  patch: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1740&view=revision

* properly handle preseeding and reading values from the configuration file by forcefully overwriting debconf values from nslcd.conf and not overwriting debconf values when reading other configuration files
  fixed in 0.8.13-2 (Debian bug https://bugs.debian.org/717063)
  patch: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=2016&view=revision


** Bug watch added: Debian Bug tracker #672301
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672301

** Bug watch added: Debian Bug tracker #689296
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689296

** Bug watch added: Debian Bug tracker #717063
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717063

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1350778

Title:
  Upgrading nslcd on precise rewrites /etc/nslcd.conf, leaving users
  with unusable systems

Status in “nss-pam-ldapd” package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu release: 12.04.1

  Package version: 0.8.4ubuntu0.2 and 0.8.4ubuntu0.3

  We use ldap for user auth. Our /etc/nslcd.conf needed to be customised
  with certain tls and ssl options. Here's what the relevant parts
  looked like:

      # The location at which the LDAP server(s) should be reachable.
      uri ldaps://ldap.internal/
      # SSL options
      ssl yes
      # needed for internal ldap to connect
      tls_reqcert allow

  The security update in 0.8.4ubuntu0.3 was installed.

  What I expected to happen: The configuration should have been left as
  it was.

  What actually happened: the options ended up like this:

      # The location at which the LDAP server(s) should be reachable.
      uri ldaps://127.0.0.1/
      # SSL options
      ssl yes
      # needed for internal ldap to connect
      #tls_reqcert allow

  This left us unable to log in to any of our servers.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/1350778/+subscriptions
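
A post-upgrade check for the failure described in the bug report, as an added example that is not part of the original message or of the nss-pam-ldapd package: it compares the active (uncommented) options of a saved nslcd.conf with the file left behind by the upgrade. The function names are hypothetical, and the two samples are the excerpts quoted in the bug description.

```python
# Constructed samples: the two nslcd.conf excerpts quoted in the bug description.
BEFORE = """\
# The location at which the LDAP server(s) should be reachable.
uri ldaps://ldap.internal/
# SSL options
ssl yes
# needed for internal ldap to connect
tls_reqcert allow
"""

AFTER = """\
# The location at which the LDAP server(s) should be reachable.
uri ldaps://127.0.0.1/
# SSL options
ssl yes
# needed for internal ldap to connect
#tls_reqcert allow
"""


def active_options(text):
    """Map each uncommented option keyword to the list of its values, in file order."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, including commented-out options
        parts = line.split(None, 1)  # keyword, then the rest of the line as its value
        options.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return options


def drift(before, after):
    """Return (keyword, old_values, new_values) for each option whose active values differ."""
    old, new = active_options(before), active_options(after)
    return [(key, old.get(key, []), new.get(key, []))
            for key in sorted(set(old) | set(new))
            if old.get(key, []) != new.get(key, [])]


if __name__ == "__main__":
    # An empty right-hand list means the option is no longer active after the upgrade.
    for keyword, was, now in drift(BEFORE, AFTER):
        print(f"{keyword}: {was} -> {now}")
```

Run against a copy of /etc/nslcd.conf taken before the package upgrade, any reported line for uri, ssl or tls_reqcert means the maintainer scripts changed how the host reaches or validates its LDAP server.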


