Your message dated Thu, 30 Dec 2010 22:17:11 +0000
with message-id <[email protected]>
and subject line Bug#586532: fixed in nss-pam-ldapd 0.8.0
has caused the Debian Bug report #586532,
regarding nslcd: Configure SASL with debconf
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
586532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586532
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nslcd
Version: 0.7.6
Severity: wishlist
Hello,
Here is a patch to permit the configuration of SASL authentication with
debconf.
The configuration is limited to GSSAPI for now; I'll try to set up
saslauthd to look at other mechanisms.
Regards.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33.2+hati.1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages nslcd depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii libc6 2.11.1-3 Embedded GNU C Library: Shared lib
ii libgssapi-krb5-2 1.8.1+dfsg-5 MIT Kerberos runtime libraries - k
ii libldap-2.4-2 2.4.21-1 OpenLDAP libraries
Versions of packages nslcd recommends:
ii libnss-ldapd 0.7.6 NSS module for using LDAP as a nam
pn libpam-ldapd <none> (no description available)
pn nscd <none> (no description available)
nslcd suggests no packages.
-- debconf information:
nslcd/ldap-starttls: false
nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://127.0.0.1/
nslcd/ldap-binddn:
* nslcd/ldap-base: dc=baby-gnu,dc=org
--
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
=== modified file 'debian/nslcd.config'
--- debian/nslcd.config 2010-05-03 19:29:36 +0000
+++ debian/nslcd.config 2010-06-20 11:37:02 +0000
@@ -136,6 +136,38 @@
reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'`
[ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert"
fi
+ # check SASL option
+ db_get nslcd/ldap-sasl
+ if [ -z "$RET" ]
+ then
+ if grep -qi '^SASL_MECH[[:space:]]*GSSAPI' "$cfgfile"
+ then
+ db_set nslcd/ldap-sasl "true"
+ else
+ db_set nslcd/ldap-sasl "false"
+ fi
+ fi
+ # check SASL mechanism
+ db_get nslcd/ldap-sasl-mech
+ if [ -z "$RET" ]
+ then
+ saslmech=`sed -n 's/^SASL_MECH[[:space:]]*\(GSSAPI\)[[:space:]]*$/\1/ip' "$cfgfile"`
+ [ -n "$saslmech" ] && db_set nslcd/ldap-sasl-mech "$saslmech"
+ fi
+ # check SASL realm
+ db_get nslcd/ldap-sasl-realm
+ if [ -z "$RET" ]
+ then
+ saslrealm=`sed -n 's/^SASL_REALM[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
+ [ -n "$saslrealm" ] && db_set nslcd/ldap-sasl-realm "$saslrealm"
+ fi
+ # check SASL security properties
+ db_get nslcd/ldap-sasl-secprops
+ if [ -z "$RET" ]
+ then
+ saslsecprops=`sed -n 's/^SASL_SECPROPS[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
+ [ -n "$saslsecprops" ] && db_set nslcd/ldap-sasl-secprops "$saslsecprops"
+ fi
# we're done
return 0
}
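Review bot: the SASL mechanism parsing in this hunk only recognises GSSAPI (the `\(GSSAPI\)` capture in the `sed` expression and the `grep -qi '^SASL_MECH[[:space:]]*GSSAPI'` test), so an existing nslcd.conf with any other `sasl_mech` value gets `nslcd/ldap-sasl` set to `false` and an empty mechanism, and the postinst will later comment the setting out. Capture whatever mechanism is present (`\([^[:space:]]*\)`) and set `nslcd/ldap-sasl` to `true` whenever a `sasl_mech` line exists. The same block never reads `sasl_authcid`, `sasl_authzid` or `krb5_ccname` from the file, while the postinst disables or overwrites them when the debconf values are empty, so hand-configured values are lost on upgrade. Minor: `[[:space:]]*` after the keyword should be `[[:space:]]\+` so that `sasl_mechGSSAPI` does not match.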
@@ -150,6 +182,12 @@
db_set nslcd/ldap-binddn ""
db_set nslcd/ldap-bindpw ""
db_set nslcd/ldap-starttls ""
+ db_set nslcd/ldap-sasl ""
+ db_set nslcd/ldap-sasl-mech ""
+ db_set nslcd/ldap-sasl-realm ""
+ db_set nslcd/ldap-sasl-authcid ""
+ db_set nslcd/ldap-sasl-authzid ""
+ db_set nslcd/ldap-sasl-secprops ""
# parse current configuration
parsecfg "$CONFFILE"
else
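Review bot: the reset list omits `nslcd/ldap-sasl-krb5-ccname`, so unlike the other SASL values it is never cleared before `parsecfg "$CONFFILE"` runs and keeps whatever was previously in the debconf database rather than the value in the configuration file; add `db_set nslcd/ldap-sasl-krb5-ccname ""` next to the other `db_set` lines (and have `parsecfg` read `krb5_ccname`).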
@@ -170,6 +208,10 @@
db_get nslcd/ldap-starttls
[ -z "$RET" ] && db_set nslcd/ldap-starttls "false"
+# fallback for krb5_ccname
+db_get nslcd/ldap-sasl-krb5-ccname
+[ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt"
+
#
# This is the second part of the script. In this part the configurable
# settings will be presented to the user for approval. The postinst
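Review bot: the `/var/run/nslcd/nslcd.tkt` default is now hard-coded in three places (this fallback, the `Default:` field of the `nslcd/ldap-sasl-krb5-ccname` template, and the postinst); with the template default present this fallback only matters when the value was explicitly cleared, so either drop it or keep the path in one place. It also runs unconditionally, before it is known whether GSSAPI is used at all, so a non-GSSAPI setup briefly carries a Kerberos cache path that the state machine later has to clear again.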
@@ -240,8 +282,112 @@
db_input high nslcd/ldap-reqcert || true
fi
# ask the question, go to the next question or back
+ state="sasl"
+ db_go || state="bindpw"
+ ;;
+ sasl)
+ db_input medium nslcd/ldap-sasl || true
+ # ask the question, go to the next question or back
+ state="saslmech"
+ db_go || state="reqcert"
+ ;;
+ saslmech)
+ # check if SASL is enabled
+ db_get nslcd/ldap-sasl
+ if [ "$RET" = "true" ]
+ then
+ db_input medium nslcd/ldap-sasl-mech || true
+ else
+ db_set nslcd/ldap-sasl-mech ""
+ fi
+ # ask the question, go to the next question or back
+ state="saslrealm"
+ db_go || state="sasl"
+ ;;
+ saslrealm)
+ # check if SASL is enabled
+ db_get nslcd/ldap-sasl
+ sasl="$RET"
+ # check if SASL mechanism is not none
+ db_get nslcd/ldap-sasl-mech
+ saslmech="$RET"
+ if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ]
+ then
+ db_input medium nslcd/ldap-sasl-realm || true
+ else
+ db_set nslcd/ldap-sasl-realm ""
+ fi
+ # ask the question, go to the next question or back
+ state="saslauthcid"
+ db_go || state="saslmech"
+ ;;
+ saslauthcid)
+ # check if SASL is enabled
+ db_get nslcd/ldap-sasl
+ sasl="$RET"
+ # check if SASL mechanism is not none
+ db_get nslcd/ldap-sasl-mech
+ saslmech="$RET"
+ if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ]
+ then
+ db_input medium nslcd/ldap-sasl-authcid || true
+ else
+ db_set nslcd/ldap-sasl-authcid ""
+ fi
+ # ask the question, go to the next question or back
+ state="saslauthzid"
+ db_go || state="saslrealm"
+ ;;
+ saslauthzid)
+ # check if SASL is enabled
+ db_get nslcd/ldap-sasl
+ sasl="$RET"
+ # check if SASL mechanism is not none
+ db_get nslcd/ldap-sasl-mech
+ saslmech="$RET"
+ if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ]
+ then
+ db_input medium nslcd/ldap-sasl-authzid || true
+ else
+ db_set nslcd/ldap-sasl-authzid ""
+ fi
+ # ask the question, go to the next question or back
+ state="saslsecprops"
+ db_go || state="saslauthcid"
+ ;;
+ saslsecprops)
+ # check if SASL is enabled
+ db_get nslcd/ldap-sasl
+ sasl="$RET"
+ # check if SASL mechanism is not none
+ db_get nslcd/ldap-sasl-mech
+ saslmech="$RET"
+ if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ]
+ then
+ db_input medium nslcd/ldap-sasl-secprops || true
+ else
+ db_set nslcd/ldap-sasl-secprops ""
+ fi
+ # ask the question, go to the next question or back
+ state="krb5ccname"
+ db_go || state="saslauthzid"
+ ;;
+ krb5ccname)
+ # check if SASL mech is GSSAPI
+ db_get nslcd/ldap-sasl
+ sasl="$RET"
+ # check if SASL mechanism is not none
+ db_get nslcd/ldap-sasl-mech
+ saslmech="$RET"
+ if [ "$sasl" = "true" ] && [ "$saslmech" = "GSSAPI" ]
+ then
+ db_input low nslcd/ldap-sasl-krb5-ccname || true
+ else
+ db_set nslcd/ldap-sasl-krb5-ccname ""
+ fi
+ # ask the question, go to the next question or back
state="done"
- db_go || state="bindpw"
+ db_go || state="saslsecprops"
;;
esac
done
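Review bot: the `saslrealm`, `saslauthcid`, `saslauthzid` and `saslsecprops` states repeat the same seven lines that fetch `nslcd/ldap-sasl` and `nslcd/ldap-sasl-mech` and compare them; factor that into a small shell function (e.g. one that returns 0 when `$sasl = true` and `$saslmech != none`) so the condition lives in one place and the state machine stays readable. The comment `# check if SASL mech is GSSAPI` in the `krb5ccname` state sits above the `db_get nslcd/ldap-sasl` call rather than the GSSAPI comparison; move it down. Also worth noting that `nslcd/ldap-sasl-krb5-ccname` is asked at `low` priority, so on most installs the default path is silently used; that is fine as long as the template default and the postinst fallback stay identical.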
=== modified file 'debian/nslcd.postinst'
--- debian/nslcd.postinst 2010-05-09 09:39:45 +0000
+++ debian/nslcd.postinst 2010-06-20 11:42:07 +0000
@@ -221,6 +221,75 @@
# clear debconf value so that this option is only set if the question is asked
db_set nslcd/ldap-reqcert ""
fi
+ # set SASL options
+ db_get nslcd/ldap-sasl
+ if [ -n "$RET" ]
+ then
+ db_get nslcd/ldap-sasl-mech
+ if [ -n "$RET" ] && [ "$RET" != "none" ]
+ then
+ saslmech="$RET"
+ cfg_set sasl_mech "$RET"
+ if [ "$saslmech" = "GSSAPI" ]
+ then
+ # Set kerberos credential cache name
+ db_get nslcd/ldap-sasl-krb5-ccname
+ if [ -n "$RET" ]
+ then
+ cfg_set krb5_ccname "$RET"
+ else
+ # default value
+ cfg_set krb5_ccname "/var/run/nslcd/nslcd.tkt"
+ fi
+ fi
+ else
+ if grep -qi '^sasl_mech' $CONFFILE
+ then
+ cfg_disable sasl_mech
+ fi
+ if grep -qi '^krb5_ccname' $CONFFILE
+ then
+ cfg_disable krb5_ccname
+ fi
+ fi
+ db_get nslcd/ldap-sasl-realm
+ if [ -n "$RET" ]
+ then
+ cfg_set sasl_realm "$RET"
+ else
+ cfg_disable sasl_realm
+ fi
+ db_get nslcd/ldap-sasl-authcid
+ if [ -n "$RET" ]
+ then
+ cfg_set sasl_authcid "$RET"
+ else
+ cfg_disable sasl_authcid
+ fi
+ db_get nslcd/ldap-sasl-authzid
+ if [ -n "$RET" ]
+ then
+ cfg_set sasl_authzid "$RET"
+ else
+ cfg_disable sasl_authzid
+ fi
+ db_get nslcd/ldap-sasl-secprops
+ if [ -n "$RET" ]
+ then
+ cfg_set sasl_secprops "$RET"
+ else
+ cfg_disable sasl_secprops
+ fi
+ else
+ # Disable all SASL options
+ for saslitem in sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
+ do
+ if grep -qi "^saslitem" $CONFFILE
+ then
+ cfg_disable $saslitem
+ fi
+ done
+ fi
# we're done
db_stop
# rename reconnect_maxsleeptime to reconnect_retrytime
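Review bot: two logic problems in this hunk. `grep -qi "^saslitem" $CONFFILE` in the `# Disable all SASL options` loop is missing the `$` before `saslitem`, so the pattern is the literal string `saslitem`, matches nothing, and none of the options are disabled when SASL is turned off; it should be `grep -qi "^$saslitem" "$CONFFILE"`. Second, `db_get nslcd/ldap-sasl` followed by `if [ -n "$RET" ]` treats the boolean's `false` as a configured SASL setup because the string is non-empty, so the disable-all branch is only ever reached when the question was never asked; test `[ "$RET" = "true" ]` instead. Quote `$CONFFILE` in the `grep` calls, as `parsecfg "$CONFFILE"` does elsewhere in the package scripts.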
=== modified file 'debian/nslcd.templates'
--- debian/nslcd.templates 2009-08-31 20:46:01 +0000
+++ debian/nslcd.templates 2010-06-20 11:21:02 +0000
@@ -52,3 +52,84 @@
* demand: a certificate will be requested, required, and checked.
If certificate checking is enabled, at least one of the tls_cacertdir or
tls_cacertfile options must be put in /etc/nslcd.conf.
+
+Template: nslcd/ldap-sasl
+Type: boolean
+Default: false
+_Description: Configure LDAP SASL authentication?
+ LDAP binding can be performed with the Simple Authentication and
+ Security Layer.
+ .
+ For the moment, only GSSAPI/Kerberos authentication mechanism is
+ tested and configurable via debconf. It needs the suggested package
+ kstart to acquire and maintain the kerberos credential cache.
+ .
+ You can try other mechanisms by editing /etc/nslcd.conf configuration file
+ directly and report any successful configuration.
+
+Template: nslcd/ldap-sasl-mech
+Type: select
+__Choices: none, GSSAPI
+Default: none
+_Description: SASL mechanism to configure:
+ Simple Authentication and Security Layer mechanism to use for LDAP
+ authentication.
+
+Template: nslcd/ldap-sasl-realm
+Type: string
+_Description: SASL realm:
+ Simple Authentication and Security Layer realm to use for LDAP
+ authentication.
+ .
+ If empty, the GSSAPI mechanism will use informations from the kerberos
+ credential cache.
+
+Template: nslcd/ldap-sasl-authcid
+Type: string
+_Description: SASL authentication identity:
+ Simple Authentication and Security Layer identity.
+
+Template: nslcd/ldap-sasl-authzid
+Type: string
+_Description: SASL proxy authorisation identity:
+ Simple Authentication and Security Layer proxy authorisation identity.
+
+Template: nslcd/ldap-sasl-secprops
+Type: string
+_Description: Cyrus SASL security properties:
+ The Cyrus Simple Authentication and Security Layer library provides
+ the following security properties:
+ * none: (without any other properties) causes the properties
+ defaults ("noanonymous,noplain") to be cleared.
+ * noplain: disables mechanisms susceptible to simple passive
+ attacks.
+ * noactive: disables mechanisms susceptible to active attacks.
+ * nodict: disables mechanisms susceptible to passive dictionary
+ attacks.
+ * noanonymous: disables mechanisms which support anonymous login.
+ * forwardsec: requires forward secrecy between sessions.
+ * passcred: requires mechanisms which pass client credentials (and
+ allows mechanisms which can pass credentials to do so).
+ * minssf=<factor>: specifies the minimum acceptable security strength
+ factor as an integer approximating the effective
+ key length used for encryption. 0 (zero) implies
+ no protection, 1 implies integrity protection
+ only, 56 allows DES or other weak ciphers, 112
+ allows triple DES and other strong ciphers, 128
+ allows RC4, Blowfish and other modern strong
+ ciphers. The default is 0.
+ * maxssf=<factor>: specifies the maximum acceptable security
+ strength factor as an integer (see minssf
+ description). The default is INT_MAX.
+ * maxbufsize=<factor>: specifies the maximum security layer receive
+ buffer size allowed. 0 disables security
+ layers. The default is 65536.
+
+Template: nslcd/ldap-sasl-krb5-ccname
+Type: string
+Default: /var/run/nslcd/nslcd.tkt
+_Description: Kerberos credential cache file path:
+ The GSSAPI/Kerberos authentication mechanism needs a credential cache
+ file.
+ .
+ The cache file is initialised and maintained by k5start.
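Review bot: wording and content points on the templates. `informations` in the `nslcd/ldap-sasl-realm` description should be `information`, `kerberos` should be capitalised as `Kerberos` throughout, and `only GSSAPI/Kerberos authentication mechanism is tested` reads better as `only the GSSAPI/Kerberos mechanism has been tested`. The `nslcd/ldap-sasl-secprops` description reproduces the full Cyrus SASL property list, which is long for a debconf screen; a short summary pointing at the sasl_secprops documentation would do, but whatever stays should make clear that `none` clears the `noanonymous,noplain` defaults and that the default `minssf=0` gives no integrity or confidentiality protection, so a non-zero `minssf` or TLS is needed when the LDAP traffic must be protected. The `nslcd/ldap-sasl` description says kstart is a suggested package, but this patch only touches `nslcd.config`, `nslcd.postinst` and `nslcd.templates`; `debian/control` needs the matching `Suggests:` entry.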
--- End Message ---
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.8.0
We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive:
libnss-ldapd_0.8.0_i386.deb
to main/n/nss-pam-ldapd/libnss-ldapd_0.8.0_i386.deb
libpam-ldapd_0.8.0_i386.deb
to main/n/nss-pam-ldapd/libpam-ldapd_0.8.0_i386.deb
nslcd_0.8.0_i386.deb
to main/n/nss-pam-ldapd/nslcd_0.8.0_i386.deb
nss-pam-ldapd_0.8.0.dsc
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.0.dsc
nss-pam-ldapd_0.8.0.tar.gz
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.0.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <[email protected]> (supplier of updated nss-pam-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 30 Dec 2010 20:00:00 +0100
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.8.0
Distribution: experimental
Urgency: low
Maintainer: Arthur de Jong <[email protected]>
Changed-By: Arthur de Jong <[email protected]>
Description:
libnss-ldapd - NSS module for using LDAP as a naming service
libpam-ldapd - PAM module for using LDAP as an authentication service
nslcd - Daemon for NSS and PAM lookups using LDAP
Closes: 586532 604147 607640
Changes:
nss-pam-ldapd (0.8.0) experimental; urgency=low
.
* include Solaris support developed by Ted C. Cheng of Symas Corporation
* include an experimental partial implementation of nslcd in Python
(disabled by default, see --enable-pynslcd configure option)
* implement a nss_min_uid option to filter user entries returned by LDAP
* implement a rootpwmodpw option that allows the root user to change a
user's password without a password prompt
* try to update the shadowLastChange attribute on password change
* all log messages now include a description of the request to more easily
track problems when not running in debug mode
* allow attribute mapping expressions for the userPassword attribute for
passwd, group and shadow entries and by default map it to the unmatchable
password ("*") to avoid accidentally leaking password information
* numerous compatibility improvements
* add --with-pam-seclib-dir and --with-pam-ldap-soname configure options to
allow more control of how to install the PAM module
* add --with-nss-flavour and --with-nss-maps configure options to support
other C libraries and limit which NSS modules to install
* allow tilde (~) in user and group names (closes: #607640)
* improvements to the timeout mechanism (connections are now actively timed
out using the idle_timelimit option)
* set socket timeouts on the LDAP connection to disconnect regardless of
LDAP and possibly TLS handling of connection
* better disconnect/reconnect handling of error conditions
* some code improvements and cleanups and several smaller bug fixes
* all internal string comparisons are now also case sensitive (e.g. for
providing DN to username lookups, etc)
* signal handling in the daemon was changed to behave more reliably across
different threading implementations
* nslcd will now always return a positive authorisation result during
authentication to avoid confusing the PAM module when it is only used for
authorisation (closes: #604147)
* implement configuring SASL authentication using Debconf, based on a patch
by Daniel Dehennin (closes: #586532) (not called for translations yet
because the English text is likely to change)
--- End Message ---