Bug#517971: pam: no login for ldapusers after upgrade

[Steve Langasek]

reassign 517971 libpam-ldap
tags 517971
user ubuntu-de...@lists.ubuntu.com
usertags 517971 intrepid origin-ubuntu ubuntu-patch
thanks

On Tue, Mar 03, 2009 at 10:48:55AM +0100, stka wrote:
> Package: libpam-modules
> Version: 1.0.1-6
> Severity: important

> I try to downgrade the packages but there is still no login possible for
> the ldapusers. 

Well apparently, you clicked "yes" when asked "Override local changes to
/etc/pam.d/common-*?" - I'm not sure why you clicked "yes" without first
making sure you understood the question.

Reassigning to libpam-ldap, which needs to implement support for
pam-auth-update in squeeze.  Rick, the attached patch is what's currently
being used by libpam-ldap in Ubuntu.  It sounds like there may be a bug
related to stacking with some other module
(https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/329067), but I'm
not sure why that is - possibly a bug in pam_unix rather than pam_ldap.  I
think this patch is 'good enough' to apply anyway; it should at least get us
more feedback about any other cases not covered here.

More information about the new pam-auth-update tool is available at
<https://wiki.ubuntu.com/PAMConfigFrameworkSpec>.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

diff -u libpam-ldap-184/debian/control libpam-ldap-184/debian/control
--- libpam-ldap-184/debian/control
+++ libpam-ldap-184/debian/control
@@ -7,7 +7,7 @@
 
 Package: libpam-ldap
 Architecture: any
-Depends: ${shlibs:Depends}, debconf (>= 0.5) | debconf-2.0
+Depends: ${shlibs:Depends}, debconf (>= 0.5) | debconf-2.0, libpam-runtime (>= 1.0.1-6)
 Suggests: libnss-ldap 
 Description: Pluggable Authentication Module allowing LDAP interfaces
  This module let's you use you LDAP server to authenticate users with
diff -u libpam-ldap-184/debian/rules libpam-ldap-184/debian/rules
--- libpam-ldap-184/debian/rules
+++ libpam-ldap-184/debian/rules
@@ -26,6 +26,9 @@
 common-binary-post-install-arch::
 	dh_buildinfo
 
+install/libpam-ldap::
+	install -D -m 644 debian/libpam-ldap.pam-auth-update debian/tmp/usr/share/pam-configs/ldap
+
 binary-post-install/libpam-ldap::
 	# rename man page
 	mv $(MY_INSTR_DIR)/usr/share/man/man5/pam_ldap.5 \
@@ -43 +45,0 @@
-
diff -u libpam-ldap-184/debian/libpam-ldap.postinst libpam-ldap-184/debian/libpam-ldap.postinst
--- libpam-ldap-184/debian/libpam-ldap.postinst
+++ libpam-ldap-184/debian/libpam-ldap.postinst
@@ -1,6 +1,8 @@
 #!/bin/sh -e
 
 #DEBHELPER#
+ 
+pam-auth-update --package
 
 PACKAGE=libpam-ldap
 CONFFILE="/etc/pam_ldap.conf"
diff -u libpam-ldap-184/debian/changelog libpam-ldap-184/debian/changelog
--- libpam-ldap-184/debian/changelog
+++ libpam-ldap-184/debian/changelog
@@ -1,3 +1,13 @@
+libpam-ldap (184-7.1) unstable; urgency=low
+
+  * debian/libpam-ldap.{pam-auth-update,install,postinst,prerm},
+    debian/rules: enable pam_ldap by default using the new
+    pam-auth-update support.
+  * debian/control: depend on libpam-runtime (>= 1.0.1-6) for the
+    above.
+
+ -- Steve Langasek <vor...@debian.org>  Tue, 03 Mar 2009 16:26:49 -0800
+
 libpam-ldap (184-7) unstable; urgency=low
 
   * Build-Depend on quilt
diff -u libpam-ldap-184/debian/libpam-ldap.install libpam-ldap-184/debian/libpam-ldap.install
--- libpam-ldap-184/debian/libpam-ldap.install
+++ libpam-ldap-184/debian/libpam-ldap.install
@@ -9,0 +10 @@
+debian/tmp/usr/share/pam-configs/ldap
only in patch2:
unchanged:
--- libpam-ldap-184.orig/debian/libpam-ldap.prerm
+++ libpam-ldap-184/debian/libpam-ldap.prerm
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+	pam-auth-update --package --remove ldap
+fi
+
+#DEBHELPER#
+
+exit 0
only in patch2:
unchanged:
--- libpam-ldap-184.orig/debian/libpam-ldap.pam-auth-update
+++ libpam-ldap-184/debian/libpam-ldap.pam-auth-update
@@ -0,0 +1,19 @@
+Name: LDAP Authentication
+Default: yes
+Priority: 128
+Auth-Type: Primary
+Auth-Initial:
+	[success=end default=ignore]	pam_ldap.so
+Auth:
+	[success=end default=ignore]	pam_ldap.so use_first_pass
+Account-Type: Primary
+Account:
+	[success=end default=ignore]	pam_ldap.so
+Password-Type: Primary
+Password-Initial:
+	[success=end user_unknown=ignore default=die]	pam_ldap.so
+Password:
+	[success=end user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
+Session-Type: Additional
+Session:
+	optional			pam_ldap.so