On Fri, 2022-02-18 at 19:11 -0800, Ryan Tandy wrote:
> I removed "pwdMustChange: TRUE" from the policy and then the tests
> passed. Not sure if this is the correct fix, but at least I don't
> currently see anything in test_pamcmds.expect that would be expecting
> a forced reset?

Applying this change makes the autopkgtest pass again (this change has just been merged in Git). That means that the expected functionality of nss-pam-ldapd is tested properly.

The tests currently don't test the forced password reset by the user functionality (presence of pwdReset on a user account) and it seems that exact behaviour differs between LDAP server implementations (the password policy controls differ and the return code of the BIND operation may also differ).

It seems that currently nslcd (default configuration) rejects the login if a password change is needed on OpenLDAP 2.5. This can be worked around by setting "pam_authc_search NONE" in nslcd.conf which should not cause issues with most OpenLDAP LDAP servers.

I plan to upload a new version of the package soon. If anyone has any concerns regarding e.g. insufficient testing of the above use case, please let me know.

Kind regards,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --