Package: libpam-ldap
Version: 184-8.6
Severity: important

Hello,

When I attempt to use libpam-ldap to authenticate sudo I get the following error:

$ sudo su -
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: account validation failure, is your account locked?

I'm not able to use pam-ldapd because our setup uses pam-ldap's "config=" option to specify different configurations (pam_filter is being varied), in order to provide different semantics (e.g. authorization filters, different ou's for passwords, etc.) per service.

I believe this is a regression because I was able to do this under Debian 6.0.7, but get this error under Debian 7.0.

Here is a subset of the relevant configuration files (we do this for more than sudo, such as cron, dovecot, smtp, etc.) with some security-related items removed (e.g. bindpw).

libpam_ldap.conf:

base o=ENGR
uri ldaps://ldap.engr.wisc.edu
ldap_version 3
timelimit 15
bind_timelimit 10
bind_policy hard
pam_filter caeacl=unix-lab
pam_password crypt
nss_base_passwd ou=People,o=ENGR?one
nss_base_shadow ou=People,o=ENGR?one
nss_base_group ou=Group,o=ENGR?one
nss_base_netgroup ou=Netgroup,o=ENGR
tls_checkpeer yes

libpam_ldap.conf.sudo:

base o=ENGR
uri ldaps://ldap.engr.wisc.edu
ldap_version 3
binddn cn=proxyagent,ou=profile,o=ENGR
timelimit 15
bind_timelimit 10
bind_policy hard
pam_filter caeacl=sudo
pam_password crypt
nss_base_passwd ou=Sudo,o=ENGR?one
nss_base_shadow ou=Sudo,o=ENGR?one
nss_base_group ou=Group,o=ENGR?one
nss_base_netgroup ou=Netgroup,o=ENGR
ssl on
tls_checkpeer yes

/etc/pam.d/common-account:

account required pam_access.so
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

/etc/pam.d/common-auth:

auth required pam_group.so
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

/etc/pam.d/sudo:

auth required pam_group.so
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass config=/etc/pam_ldap.conf.sudo
auth required pam_permit.so
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so config=/etc/pam_ldap.conf.sudo
account required pam_permit.so
session required pam_permit.so
session required pam_limits.so

Relevant package versions:

ii ldap-utils            2.4.23-7.3           OpenLDAP utilities
ii libauthen-pam-perl    0.16-2               Perl interface to PAM library
ii libgksu2-0            2.0.13~pre1-3        library providing su and sudo functionality
ii libkldap4             4:4.4.5-2            library for accessing LDAP
ii libldap-2.4-2         2.4.23-7.3           OpenLDAP libraries
ii libldap2-dev          2.4.23-7.3           OpenLDAP development libraries
ii libnet-ldap-perl      1:0.4001-2           client interface to LDAP servers
ii libnss-ldap           264-2.2              NSS module for using LDAP as a naming service
ii libpam-ck-connector   0.4.1-4              ConsoleKit PAM module
ii libpam-gnome-keyring  2.30.3-5             PAM module to unlock the GNOME keyring upon login
ii libpam-krb5           4.3-1                PAM module for MIT Kerberos
ii libpam-ldap           184-8.5              Pluggable Authentication Module for LDAP
ii libpam-modules        1.1.1-6.1+squeeze1   Pluggable Authentication Modules for PAM
ii libpam-runtime        1.1.1-6.1+squeeze1   Runtime support for the PAM library
ii libpam0g              1.1.1-6.1+squeeze1   Pluggable Authentication Modules library
ii sudo                  1.7.4p4-2.squeeze.4  Provide limited super user privileges to specific users
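When a site varies pam_ldap's "config=" per service as described in this report, a quick way to audit a pam.d stack is to parse it and list which pam_ldap configuration file each management group (auth, account, ...) actually references, so that an auth line and an account line pointing at different files shows up before it turns into an "account validation failure". The following Python is an added example, not code from the bug report or from the pam_ldap project. It assumes the standard four-field pam.d line syntax (type, control, module, arguments), and it assumes /etc/pam_ldap.conf as the file pam_ldap reads when no config= argument is given; the sample stack is copied from the /etc/pam.d/sudo listing in the report.

```python
"""Parse pam.d stack lines and report which pam_ldap config file each
management group uses. Added example; the sample below is the
/etc/pam.d/sudo stack quoted in the bug report."""
import re
from collections import defaultdict

# Constructed sample input: the /etc/pam.d/sudo stack from the report.
SUDO_STACK = """\
auth required pam_group.so
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass config=/etc/pam_ldap.conf.sudo
auth required pam_permit.so
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so config=/etc/pam_ldap.conf.sudo
account required pam_permit.so
session required pam_permit.so
session required pam_limits.so
"""

# Assumption: the path pam_ldap falls back to when no config= is present.
DEFAULT_LDAP_CONF = "/etc/pam_ldap.conf"

# type, control (a keyword or a [bracketed value=action list]), module, args
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return a list of (type, control, module, args) tuples.

    args is a dict: 'key=value' becomes {'key': 'value'}, a bare flag such
    as use_first_pass becomes {'use_first_pass': None}. Comments and blank
    lines are skipped; anything else that does not parse raises ValueError.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable pam line: %r" % raw)
        mtype, control, module, rest = m.groups()
        args = {}
        for tok in rest.split():
            key, sep, val = tok.partition("=")
            args[key] = val if sep else None
        entries.append((mtype, control, module, args))
    return entries


def ldap_config_by_type(text):
    """Map each management group to the pam_ldap config file(s) it references,
    in stack order, substituting the assumed default when config= is absent."""
    result = defaultdict(list)
    for mtype, _control, module, args in parse_stack(text):
        if module == "pam_ldap.so":
            result[mtype].append(args.get("config") or DEFAULT_LDAP_CONF)
    return dict(result)


def consistent_ldap_config(text):
    """True when every group that calls pam_ldap.so uses one and the same
    config file (the property a per-service override like the sudo stack
    above needs to hold across its auth and account lines)."""
    files = {f for paths in ldap_config_by_type(text).values() for f in paths}
    return len(files) <= 1


if __name__ == "__main__":
    for mtype, paths in ldap_config_by_type(SUDO_STACK).items():
        print("%-8s -> %s" % (mtype, ", ".join(paths)))
    print("consistent:", consistent_ldap_config(SUDO_STACK))
```

Run against a real /etc/pam.d/<service> file by reading it into `ldap_config_by_type`; stacks that pull in common-auth or common-account via @include need those files expanded first, since the parser only sees the lines it is handed.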

