Your message dated Thu, 19 Jan 2006 20:32:09 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#302547: fixed in libpam-ldap 180-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Apr 2005 12:01:54 +0000
Content-Type: multipart/mixed; boundary="===============0513970702=="
MIME-Version: 1.0
From: Peter Marschall <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: make password file for libpam-ldap's rootbinddn private to libpam-ldap
X-Mailer: reportbug 3.8
Date: Fri, 01 Apr 2005 13:58:39 +0200
Message-Id: <[EMAIL PROTECTED]>
Package: libpam-ldap
Version: 178-0pm2
Severity: important
Tags: patch
Currently libpam-ldap and libnss-ldap share the file /etc/ldap.secret
to store the password of their rootbinddn in.
Since neither libpam-ldap nor libnss-ldap needs a directory admin
as these accounts, but only an account with specific rights in the
directory, there is no need to tie the passwords of these accounts
together.
De-coupling libpam-ldap and libnss-ldap also makes handling
of their password files easier. Neither one of these packages
needs to care about anybody else dealing with their private
files.
The attached patch changes the location of this secret file from
/etc/ldap.secret to /etc/pam_ldap.secret (to match the config file ;-)
and also gives an analysis of what rights are necessary for whom to which
attributes, in the file LDAP-Permissions.txt.
CU
Peter
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages libpam-ldap depends on:
ii debconf 1.4.30.11 Debian configuration management sy
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libldap2 2.1.30-3pm1 OpenLDAP libraries
ii libpam0g 0.76-22 Pluggable Authentication Modules l
-- debconf information:
* shared/ldapns/base-dn: o=ADPM,c=DE
* libpam-ldap/dbrootlogin: true
* libpam-ldap/override: false
* shared/ldapns/ldap-server: 127.0.0.1
* libpam-ldap/pam_password: exop
* libpam-ldap/binddn: cn=pam-User,ou=User,o=EDV
* libpam-ldap/rootbinddn: cn=pam-Admin,c$ou=User,o=EDV
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: true
[Attachment: pam_ldap-178-secretfile.patch]
--- debian/LDAP-Permissions.txt 2005-04-01 12:35:59.854617055 +0200
+++ debian/LDAP-Permissions.txt 2005-04-01 12:36:26.518518245 +0200
@@ -0,0 +1,98 @@
+pam_ldap LDAP Actions
+=====================
+
+The following list describes the actions on the LDAP server and the affected
+LDAP objects and attributes that pam_ldap performs.
+
+The information contained in the list may be used to determine the required
+permissions to objects and attributes in the directory.
+
+To be able to fully perform one of the listed action the accounts listed
+below 'Accounts' need read access to the attributes listed below 'Attributes'
+and compare access to the attributes listed in the filters below 'Filters'
+of all objects in the directory branch that starts at 'Base'.
+
+
+User Search
+-----------
+Account:
+ VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set)
+ VALUE OF binddn (if geteuid() != 0 or 'rootbinddn' isn't set)
+ anonymous (if 'binddn' is not set)
+* Base:
+ VALUE OF nss_base_passwd
+ VALUE OF base (if 'nss_base_passwd' is not set)
+* Filter:
+ AND combination of the following partial filters:
+ VALUE OF pam_filter
+ VALUE OF FILTER PART OF nss_base_passwd
+ (LoginAttr=UserName)
+ where
+ LoginAttr = VALUE OF pam_login_attribute (default: uid)
+ UserName = the account of the user
+ If either 'pam_filter' or 'nss_base_passwd'
+ is not set, the associated part is left out
+* Attributes:
+ host
+ authorizedService
+ uidNumber
+ VALUE OF pam_template_login_attribute
+ shadowLastChange
+ shadowMin
+ shadowMax
+ shadowWarning
+ shadowInactive
+ shadowExpire
+ shadowFlag
+
+
+Password-Change for a User
+--------------------------
+Account:
+ VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set)
+ user's DN (as found in the 'User Search')
+* Base:
+ VALUE OF nss_base_passwd
+ or
+ VALUE OF base (if 'nss_base_passwd' is not set)
+* Attributes (write access necessary)
+ userPassword (if 'pam_password' is not set to 'ad')
+ unicodePwd (if 'pam_password' is set to 'ad')
+ shadowLastChange
+
+
+Group Membership Search
+-----------------------
+* Comment:
+ only performed if 'pam_groupdn' is set
+* Account:
+ VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set)
+ VALUE OF binddn (if geteuid() != 0 or 'rootbinddn' isn't set)
+ anonymous (if 'binddn' is not set)
+* Base:
+ VALUE OF pam_groupdn
+* Filter:
+ (MemberAttr=UserDN)
+ where
+ MemberAttr = VALUE OF pam_member_attribute (default:
uniqueMember)
+ UserDN = user's DN (as found in 'User Search')
+
+
+Passwort-Policy Search
+----------------------
+* Comment:
+ only performed if 'pam_lookup_policy' is set to yes
+* Account:
+ VALUE OF rootbinddn (if geteuid() == 0 and 'rootbinddn' is set)
+ VALUE OF binddn (if geteuid() != 0 or 'rootbinddn' isn't set)
+ anonymous (if 'binddn' is not set)
+* Base:
+ TREE-ROOT
+* Filter:
+ (objectclass=passwordPolicy)
+* Attributes:
+ passwordMaxFailure
+ passwordMinLength
+
+
+ -- Peter Marschall <[EMAIL PROTECTED]>
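Review bot: the introduction ("To be able to fully perform one of the listed action ...") states that the accounts only need read and compare access, but the 'Password-Change for a User' section further down requires write access to userPassword/unicodePwd and shadowLastChange; the intro should say that write access applies to that action, and "action" should read "actions". Two smaller points: "Account:" in the 'User Search' and 'Password-Change for a User' sections lacks the leading "* " that every other field uses, and "Passwort-Policy Search" should read "Password-Policy Search". Since the file is meant for deriving directory ACLs, it is also worth stating explicitly that whenever geteuid() == 0 the rootbinddn account is the one binding, so the credentials in the secret file carry write access to every user's password attribute; that is the reason the secret file has to stay mode 0600.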
--- debian/libpam-ldap.postinst 2005-03-31 17:41:32.000000000 +0200
+++ debian/libpam-ldap.postinst 2005-04-01 13:18:33.574317266 +0200
@@ -4,7 +4,8 @@
PACKAGE=libpam-ldap
CONFFILE="/etc/pam_ldap.conf"
-PASSWDFILE="/etc/ldap.secret"
+PASSWDFILE="/etc/pam_ldap.secret"
+OLDPASSWDFILE="/etc/ldap.secret"
add_missing()
{
@@ -100,22 +101,27 @@
db_get libpam-ldap/dbrootlogin
if [ "$RET" = "true" ]; then
- # user wants to log in to the database, so be it.
+ # separate root login to the database
db_get libpam-ldap/rootbinddn
change_value rootbinddn "$RET"
db_get libpam-ldap/rootbindpw
if [ "$RET" != "" ]; then
- rm -f $PASSWDFILE
+ rm -f $PASSWDFILE $OLDPASSWDFILE
echo $RET > $PASSWDFILE
chmod 0600 $PASSWDFILE
db_set libpam-ldap/rootbindpw ''
+ else
+ # copy the old password file to its new location
+ if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then
+ cp -a $OLDPASSWDFILE $PASSWDFILE
+ fi
fi
else
# ok, so the user refused to use this feature, better make
# sure it's really off.
disable_param rootbinddn
- rm -f $PASSWDFILE
+ rm -f $PASSWDFILE /etc/ldap.conf
fi
db_get libpam-ldap/dblogin
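Review bot: `rm -f $PASSWDFILE /etc/ldap.conf` in the "user refused to use this feature" branch deletes libnss-ldap's configuration file instead of the old secret; the intent is clearly the old password file, so it should be `rm -f $PASSWDFILE $OLDPASSWDFILE`, or better, leave /etc/ldap.secret alone entirely. Related: in the enable branch `rm -f $PASSWDFILE $OLDPASSWDFILE` removes /etc/ldap.secret, which the report itself says libnss-ldap still reads for its own rootbinddn, so this postinst would break the other package's root bind; given the stated goal of decoupling the two files, libpam-ldap should only ever copy from /etc/ldap.secret, never remove it. Finally, `echo $RET > $PASSWDFILE` followed by `chmod 0600 $PASSWDFILE` leaves a window in which the file exists with umask-derived permissions, and the unquoted `$RET` is subject to word splitting and globbing; write it under a restricted umask, e.g. `(umask 077; printf '%s\n' "$RET" > "$PASSWDFILE")`, so the secret is never world-readable.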
@@ -134,5 +140,10 @@
disable_param binddn
disable_param bindpw
fi
+else
+ # copy the password file to its new location
+ if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then
+ cp -a $OLDPASSWDFILE $PASSWDFILE
+ fi
fi
db_stop
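Review bot: the copy-from-old-location block here is a verbatim duplicate of the one in the previous hunk; move it into a small shell function next to add_missing() so both call sites stay in sync. Also, `cp -a $OLDPASSWDFILE $PASSWDFILE` preserves whatever mode the shared /etc/ldap.secret currently has, so if that file was ever loosened the new /etc/pam_ldap.secret inherits the problem; add `chmod 0600 $PASSWDFILE` after the copy, as the write path in the previous hunk already does.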
--- debian/README.Debian 2005-03-31 17:41:32.000000000 +0200
+++ debian/README.Debian 2005-04-01 12:37:00.670987373 +0200
@@ -23,3 +23,8 @@
account required pam_ldap.so
account required pam_permit.so
+- Debian uses /etc/pam_ldap.conf as libpam-ldap's configuration file and
+/etc/pam_ldap.secret as the file to store the password of the rootbinddn.
+
+- See LDAP-Permissions.txt for details about the required LDAP permissions.
+
--- debian/rules 2005-03-31 18:01:16.000000000 +0200
+++ debian/rules 2005-04-01 12:38:12.531245538 +0200
@@ -5,7 +5,7 @@
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/autotools.mk
-DEB_CONFIGURE_EXTRA_FLAGS += --with-ldap-lib=openldap
--with-ldap-conf-file=/etc/pam_ldap.conf
+DEB_CONFIGURE_EXTRA_FLAGS += --with-ldap-lib=openldap
--with-ldap-conf-file=/etc/pam_ldap.conf
--with-ldap-secret-file=/etc/pam_ldap.secret
DEB_DESTDIR = $(CURDIR)/debian/tmp
DEB_OPT_FLAG += -fPIC
@@ -14,11 +14,13 @@
binary-post-install/libpam-ldap::
# rename man page
mv $(MY_INST_DIR)/man/man5/pam_ldap.5
$(MY_INST_DIR)/man/man5/pam_ldap.conf.5
- # change all references from /etc/ldap.conf to /etc/pam_ldap.conf
+ # change all references from /etc/ldap.{conf,secret} to
/etc/pam_ldap.{conf,secret}
for file in $(MY_INST_DIR)/man/man5/pam_ldap.conf.5 \
+ $(MY_INST_DIR)/libpam-ldap/ldap.conf \
$(MY_INST_DIR)/doc/libpam-ldap/examples/chfn \
$(MY_INST_DIR)/doc/libpam-ldap/examples/chsh ; do \
sed -e 's,/etc/ldap.conf,/etc/pam_ldap.conf,' \
+ -e 's,/etc/ldap.secret,/etc/pam_ldap.secret,' \
< $$file > $$file-sed; \
mv $$file-sed $$file; \
done
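Review bot: the sed expressions use an unescaped `.` and no `g` flag, so `s,/etc/ldap.conf,/etc/pam_ldap.conf,` matches any character in place of the dot and rewrites only the first occurrence on a line; use `s,/etc/ldap\.conf,/etc/pam_ldap.conf,g` and `s,/etc/ldap\.secret,/etc/pam_ldap.secret,g`. A short comment noting that these rewrites must agree with `--with-ldap-secret-file=/etc/pam_ldap.secret` in DEB_CONFIGURE_EXTRA_FLAGS above would help the next maintainer keep the documentation and the compiled-in path in sync.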
--- debian/libpam-ldap.install 2005-03-31 17:54:36.000000000 +0200
+++ debian/libpam-ldap.install 2005-04-01 13:49:46.212394430 +0200
@@ -5,3 +5,4 @@
chsh usr/share/doc/libpam-ldap/examples
pam.conf usr/share/doc/libpam-ldap/examples
pam_ldap.5 usr/share/man/man5
+debian/LDAP-Permissions.txt usr/share/doc/libpam-ldap
--- debian/libpam-ldap.postrm 2005-03-31 17:41:32.000000000 +0200
+++ debian/libpam-ldap.postrm 2005-04-01 13:50:49.898221676 +0200
@@ -1,12 +1,12 @@
#!/bin/sh
CONFFILE="/etc/pam_ldap.conf"
-PASSWDFILE="/etc/ldap.secret"
+PASSWDFILE="/etc/pam_ldap.secret"
action=$1
if [ "$action" = "purge" ]; then
- rm -f $CONFFILE
+ rm -f $CONFFILE $PASSWDFILE
fi
#DEBHELPER#
---------------------------------------
Received: (at 302547-close) by bugs.debian.org; 20 Jan 2006 04:40:55 +0000
From: Stephen Frost <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#302547: fixed in libpam-ldap 180-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 19 Jan 2006 20:32:09 -0800
Source: libpam-ldap
Source-Version: 180-1
We believe that the bug you reported is fixed in the latest version of
libpam-ldap, which is due to be installed in the Debian FTP archive:
libpam-ldap_180-1.diff.gz
to pool/main/libp/libpam-ldap/libpam-ldap_180-1.diff.gz
libpam-ldap_180-1.dsc
to pool/main/libp/libpam-ldap/libpam-ldap_180-1.dsc
libpam-ldap_180-1_i386.deb
to pool/main/libp/libpam-ldap/libpam-ldap_180-1_i386.deb
libpam-ldap_180.orig.tar.gz
to pool/main/libp/libpam-ldap/libpam-ldap_180.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stephen Frost <[EMAIL PROTECTED]> (supplier of updated libpam-ldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Mon, 16 Jan 2006 14:45:33 -0500
Source: libpam-ldap
Binary: libpam-ldap
Architecture: source i386
Version: 180-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Frost <[EMAIL PROTECTED]>
Changed-By: Stephen Frost <[EMAIL PROTECTED]>
Description:
libpam-ldap - Pluggable Authentication Module allowing LDAP interfaces
Closes: 292030 302400 302543 302547 307628 312439 312440 312928 324899 332002
337261 338825 340199 340581 341541
Changes:
libpam-ldap (180-1) unstable; urgency=low
.
* New upstream release
* Maintainer upload, Closes: #324899
* Changed password file to be /etc/pam_ldap.secret, Closes: #302547
* Change pam_acct_mgmt to use username when groupattr is
'memberUid', Closes: #292030, #341541
* Started using upstream's manpage, Closes: #302400, #307628
* Fix debhelper to use libpam-ldap/override, Closes: #302543, #312928
* Make pam_password choices translatable, Closes: #338825
* Fix debconf depends to allow debconf-2.0, Closes: #332002
* debconf-updatepo run, Closes: #337261
* Added ldapns.schema to /usr/share/doc/libpam-ldap, Closes: #340581
* Added vietnamese translation, Closes: #312439
* Clean up debconf questions, Closes: #312440
* Updated French translation, Closes: #340199
Files:
b0cd7ed46424645e8f9e6dc9dd115f5c 658 admin extra libpam-ldap_180-1.dsc
627f053fdffb8267ba73261394e0ecde 127337 admin extra libpam-ldap_180.orig.tar.gz
fadc8eed93eed3af8a0593e407f985bf 20087 admin extra libpam-ldap_180-1.diff.gz
51aa20fd11517d2a3667cf8cccdf1173 62230 admin extra libpam-ldap_180-1_i386.deb