[Bug 1350778] Re: Upgrading nslcd on precise rewrites /etc/nslcd.conf, leaving users with unusable systems
Nathan Stratton Treadway
ubuntu.lp at nathanst.com
Fri Aug 8 20:49:36 UTC 2014
Just to clarify the situation, the problem is that the current
nslcd.postinst script (i.e. the one in 0.8.4ubuntu0.3) unconditionally
rewrites various lines in the /etc/nslcd.conf file using the parameter
values pulled from the debconf database... which can lead to a
non-working configuration if the debconf values are obsolete or
otherwise incorrect.

Mike's approach mentioned in
https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/1350778/comments/4
would solve the immediate problem by causing the config-file rewriting
to only happen for upgrades where there is actually a reason such
rewrites might be needed -- so intra-Precise upgrades like this one
wouldn't touch the file at all (though if the script did ever touch the
file for some reason, it would still overwrite the current config with
the debconf values).

In contrast, the fixes described in
https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/1350778/comments/6
would make the config-file rewriting smarter in general, (hopefully)
avoiding the problem of incorrectly changing the config file lines from
their current values when the debconf value was different.

Another approach would be to do something like the grub-pc.postinst
script, which creates a temporary-file version of /etc/default/grub and
then uses a "ucf --three-way" call to allow the user to intervene if the
generated file differs from the current "live" one.

Anyway, while waiting for one of those fixes to be implemented in the
package: some quick testing on one of my systems indicates that one can
avoid having the nslcd package upgrade break LDAP connectivity by using
"debconf-show nslcd", "dpkg-reconfigure nslcd", etc. to make sure that
the debconf database values all match the current nslcd.conf values
beforehand....

--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1350778

Title:
  Upgrading nslcd on precise rewrites /etc/nslcd.conf, leaving users
  with unusable systems

Status in “nss-pam-ldapd” package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu release: 12.04.1
  Package version: 0.8.4ubuntu0.2 and 0.8.4ubuntu0.3

  We use ldap for user auth. Our /etc/nslcd.conf needed to be customised
  with certain tls and ssl options. Here's what the relevant parts
  looked like:

    # The location at which the LDAP server(s) should be reachable.
    uri ldaps://ldap.internal/
    # SSL options
    ssl yes
    # needed for internal ldap to connect
    tls_reqcert allow

  The security update in 0.8.4ubuntu0.3 was installed.

  What I expected to happen: The configuration should have been left as
  it was.

  What actually happened: the options ended up like this:

    # The location at which the LDAP server(s) should be reachable.
    uri ldaps://127.0.0.1/
    # SSL options
    ssl yes
    # needed for internal ldap to connect
    #tls_reqcert allow

  This left us unable to log in to any of our servers.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/1350778/+subscriptions
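
Added example (not part of the original message or of the nss-pam-ldapd package): a pre-upgrade drift check in the spirit of the workaround above, comparing captured "debconf-show nslcd" output with the live nslcd.conf text. The debconf question names, their mapping to nslcd.conf directives, and all sample values are assumptions constructed for illustration.

```python
import re

# Assumed debconf question -> nslcd.conf directive mapping (not from the page).
KEY_TO_DIRECTIVE = {
    "nslcd/ldap-uris": "uri",
    "nslcd/ldap-base": "base",
    "nslcd/ldap-reqcert": "tls_reqcert",
}

def parse_debconf_show(text):
    """Parse `debconf-show nslcd` output lines: '* key: value' or '  key: value'."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^[* ]?\s*(\S+):\s?(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def parse_nslcd_conf(text):
    """Collect active directives; commented-out lines count as unset."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0], []).append(value)
    return {name: " ".join(vals) for name, vals in conf.items()}

def find_drift(debconf_text, conf_text):
    """Return [(directive, live_value, debconf_value)] where the two disagree."""
    deb = parse_debconf_show(debconf_text)
    conf = parse_nslcd_conf(conf_text)
    pairs = [(d, conf.get(d, ""), deb.get(k, "")) for k, d in KEY_TO_DIRECTIVE.items()]
    return [p for p in pairs if p[1] != p[2]]

# Constructed samples: live file as in the bug description, stale debconf values.
SAMPLE_CONF = """uri ldaps://ldap.internal/
base dc=example,dc=net
ssl yes
# needed for internal ldap to connect
tls_reqcert allow
"""
SAMPLE_DEBCONF = """* nslcd/ldap-uris: ldaps://127.0.0.1/
* nslcd/ldap-base: dc=example,dc=net
  nslcd/ldap-reqcert:
"""

if __name__ == "__main__":
    for directive, live, stored in find_drift(SAMPLE_DEBCONF, SAMPLE_CONF):
        print(f"{directive}: nslcd.conf={live!r} debconf={stored!r}")
```

Any directive reported here is one the postinst rewrite described above would change on upgrade; an empty debconf value for tls_reqcert corresponds to the commented-out line in the bug description.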