[Bug 1350778] Re: Upgrading nslcd on precise rewrites /etc/nslcd.conf, leaving users with unusable systems

Mike Heald 1350778 at bugs.launchpad.net
Tue Aug 5 08:15:40 UTC 2014


> I don't think the configuration upgrade code is the issue here (that
> would probably only cause issues with some downgrades).

Possibly not the code in that block itself, but it's certainly something
in that block or code that it calls. This has been tested with a mirror
of our production configuration, and you can use the sample
configuration in the original bug report to confirm. Without this patch,
we end up with systems that you cannot log in to after upgrading,
because the configuration upgrade code (or code that it calls) mangles
the config file.

> Furthermore, from a quick glance it seems the patch disables debconf
> configuration altogether.

No, it doesn't. It only disables the upgrades if you're upgrading within
the same series (e.g. 0.8.x to 0.8.y).

    if dpkg --compare-versions "$2" lt-nl "0.8"

will perform the upgrade if you're installing fresh (that is, no
previous version) or the previous version is lt 0.8. The format of a
config file should not change during a series like that anyway, and
going through the changelog I couldn't see any place that it did, so
this patch seemed like the simplest thing that would work. Please let me
know if I missed something.

However, if people are happier with the patches you list getting
applied, and you're confident that the update code will no longer change
our valid configuration, I can work on a new debdiff with the patches
you list.

https://bugs.launchpad.net/bugs/1350778

Title:
  Upgrading nslcd on precise rewrites /etc/nslcd.conf, leaving users
  with unusable systems

Status in “nss-pam-ldapd” package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu release: 12.04.1

  Package version: 0.8.4ubuntu0.2 and 0.8.4ubuntu0.3

  We use ldap for user auth. Our /etc/nslcd.conf needed to be customised
  with certain tls and ssl options. Here's what the relevant parts
  looked like:

      # The location at which the LDAP server(s) should be reachable.
      uri ldaps://ldap.internal/
      # SSL options
      ssl yes
      # needed for internal ldap to connect
      tls_reqcert allow

  The security update in 0.8.4ubuntu0.3 was installed.

  What I expected to happen: The configuration should have been left as
  it was.

  What actually happened: the options ended up like this:

      # The location at which the LDAP server(s) should be reachable.
      uri ldaps://127.0.0.1/
      # SSL options
      ssl yes
      # needed for internal ldap to connect
      #tls_reqcert allow

  This left us unable to log in to any of our servers.
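
A check an administrator could run around a package upgrade to catch the rewrite shown in the bug description, as an added example that is not part of the original message or of the nss-pam-ldapd package. The function names are hypothetical, and the sample files reproduce the two snippets quoted above.

```sh
#!/bin/sh
# Added example, not from the nss-pam-ldapd package. Function names are hypothetical.

# Print the active (uncommented) directives of file $1, normalised and sorted.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^#' -e '^$' |
        sed -e 's/[[:space:]][[:space:]]*/ /g' |
        LC_ALL=C sort
}

# Compare two copies of nslcd.conf. Prints "removed:"/"added:" lines and
# returns 1 when the active directives differ, 0 when they match.
conf_drift() {
    _before=$(mktemp) && _after=$(mktemp) || return 2
    active_directives "$1" >"$_before"
    active_directives "$2" >"$_after"
    _drift=$(
        LC_ALL=C comm -23 "$_before" "$_after" | sed 's/^/removed: /'
        LC_ALL=C comm -13 "$_before" "$_after" | sed 's/^/added: /'
    )
    rm -f "$_before" "$_after"
    [ -z "$_drift" ] && return 0
    printf '%s\n' "$_drift"
    return 1
}

# Write the before/after snippets quoted in the bug description into dir $1.
write_samples() {
    printf '%s\n' \
        '# The location at which the LDAP server(s) should be reachable.' \
        'uri ldaps://ldap.internal/' '# SSL options' 'ssl yes' \
        '# needed for internal ldap to connect' 'tls_reqcert allow' \
        >"$1/before.conf"
    printf '%s\n' \
        '# The location at which the LDAP server(s) should be reachable.' \
        'uri ldaps://127.0.0.1/' '# SSL options' 'ssl yes' \
        '# needed for internal ldap to connect' '#tls_reqcert allow' \
        >"$1/after.conf"
}

# Stand-alone run: report the drift between the two samples.
tmp=$(mktemp -d) && write_samples "$tmp" &&
    { conf_drift "$tmp/before.conf" "$tmp/after.conf" || echo "active directives changed"; }
rm -rf "$tmp"
```

Copying /etc/nslcd.conf aside before the upgrade and running `conf_drift` on the saved copy and the live file afterwards shows the rewritten `uri` and the commented-out `tls_reqcert` while an existing session is still open.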
