Marking as public as the change was released into Debian, in LightDM releases and is in public branches.
** Description changed:

- Package: lightdm
- Version: 1.2.2-4
- Severity: important
+ [Impact]
+ LightDM does not correctly use PAM to change users passwords when they expire. This causes some PAM modules (e.g. pam_ldap) to not correctly perform password changing.
- Dear Maintainer,
- I have a working authentication configuration with ldap on my debian
- wheezy workstation. Everything works fine except with lightdm when an
- ldap user has to change his password due to expiration. The user is
- able to login but in the next prompt, in place of asking for the new password,
- the ldap administrator password is asked. I've seen I have the same
- behaviour when I try to change an ldap user password via passwd as
- root.
- My nslcd configuration doesn't allow the local root user to behave like
- the ldap administrator.
- I've tried with the gdm3 greeter and it works; it asks for a new password
- and it allows changing the password properly.
- I've seen this different behaviour in auth.log:
+ [Test Case]
+ 1. Setup LDAP logins
+ 2. Expire users password
+ 3. Attempt to log into greeter
+ Expected result:
+ - User is prompted to change password. Password limitations are correctly enforced.
+ Observed result:
+ - User is prompted to change password. Password limitations are not correctly enforced.
- with gdm3:
-
- debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
- debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
- debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
- debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
- debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
-
- with lightdm:
-
- debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
- debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
- debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
- debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
- debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not exist in /etc/passwd
- debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
- debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
-
- As you can see, nslcd authentication has the user value set in gdm3.
- Lightdm has a blank value instead.
-
- I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
- check if it was a greeter problem, but the problem remains with both.
-
-
-
- -- System Information:
- Debian Release: 7.3
-   APT prefers stable-updates
-   APT policy: (500, 'stable-updates'), (500, 'stable')
- Architecture: i386 (i686)
-
- Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
- Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
- Shell: /bin/sh linked to /bin/dash
-
- Versions of packages lightdm depends on:
- ii  adduser                                3.113+nmu3
- ii  consolekit                             0.4.5-3.1
- ii  dbus                                   1.6.8-1+deb7u1
- ii  debconf [debconf-2.0]                  1.5.49
- ii  libc6                                  2.13-38
- ii  libglib2.0-0                           2.33.12+really2.32.4-5
- ii  libpam0g                               1.1.3-7.1
- ii  libxcb1                                1.8.1-2+deb7u1
- ii  libxdmcp6                              1:1.1.1-1
- ii  lightdm-gtk-greeter [lightdm-greeter]  1.1.6-2
-
- Versions of packages lightdm recommends:
- ii  xserver-xorg  1:7.7+3~deb7u1
-
- Versions of packages lightdm suggests:
- ii  accountsservice  0.6.21-8
- ii  upower           0.9.17-1
-
- -- Configuration Files:
- /etc/lightdm/lightdm.conf:
- [LightDM]
- [SeatDefaults]
- xserver-allow-tcp=false
- greeter-session=lightdm-greeter
- greeter-hide-users=true
- user-session=gnome-session
- session-wrapper=/etc/X11/Xsession
- [XDMCPServer]
- [VNCServer]
- enabled=true
- port=5900
- width=1024
- height=768
- depth=8
-
- /etc/pam.d/lightdm:
- auth    requisite       pam_nologin.so
- auth    required        pam_env.so readenv=1
- auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
- @include common-auth
- @include common-account
- session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
- session required        pam_limits.so
- session required        pam_loginuid.so
- @include common-session
- session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
- @include common-password
-
- In addition to these files my configuration is:
-
- nslcd.conf:
- uid nslcd
- gid nslcd
- uri ldap://ldap2
- uri ldap://ldap1
- base passwd ou=people,dc=myorg
- base shadow ou=people,dc=myorg
- base group  ou=groups,dc=myorg
- ldap_version 3
- binddn cn=reader,dc=myorg
- bindpw readerpass
- ssl start_tls
- tls_reqcert allow
-
- common-auth:
-
- auth [success=5 default=ignore] pam_unix.so nullok_secure debug
- auth [success=3 authinfo_unavail=ignore default=1] pam_ldap.so minimum_uid=1000 use_first_pass debug
- auth [success=3 default=ignore] pam_ccreds.so action=validate use_first_pass
- auth [default=bad] pam_ccreds.so action=update
- auth requisite pam_deny.so
- auth [default=ignore] pam_ccreds.so action=store
- auth required pam_permit.so
-
- common-account:
-
- account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
- account [success=1 new_authtok_reqd=done authinfo_unavail=1 default=ignore] pam_ldap.so minimum_uid=1000 debug
- account requisite pam_deny.so
- account required pam_permit.so
-
- common-password:
-
- password [success=2 default=ignore] pam_unix.so obscure sha512 debug
- password [success=1 new_authtok_reqd=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass debug
- #password [default=1] pam_ldap.so minimum_uid=1000 try_first_pass debug
- password requisite pam_deny.so
- password required pam_permit.so
-
- common-session:
-
- session [default=ok] pam_permit.so
- session [default=ignore] pam_unix.so
- session [default=ignore] pam_ldap.so minimum_uid=1000
- session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022
-
- -- debconf information:
-   lightdm/daemon_name: /usr/sbin/lightdm
- * shared/default-x-display-manager: lightdm
-
- Thank you for support.
+ [Regression Potential]
+ Any PAM module that relied on the previous incorrect behaviour might behave differently. It is not expected that any module would intentionally do this.

** Information type changed from Private to Public

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1270118

Title:
  lightdm ask ldap administrator password when changing an expired
  password

Status in Light Display Manager:
  Fix Committed
Status in Light Display Manager 1.2 series:
  Fix Released
Status in Light Display Manager 1.4 series:
  Fix Released
Status in Light Display Manager 1.8 series:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Triaged
Status in “lightdm” source package in Precise:
  In Progress
Status in “lightdm” source package in Saucy:
  Triaged
Status in “lightdm” package in Debian:
  Fix Released

Bug description:
  [Impact]
  LightDM does not correctly use PAM to change users passwords when they expire. This causes some PAM modules (e.g. pam_ldap) to not correctly perform password changing.

  [Test Case]
  1. Setup LDAP logins
  2. Expire users password
  3. Attempt to log into greeter
  Expected result:
  - User is prompted to change password. Password limitations are correctly enforced.
  Observed result:
  - User is prompted to change password. Password limitations are not correctly enforced.

  [Regression Potential]
  Any PAM module that relied on the previous incorrect behaviour might behave differently. It is not expected that any module would intentionally do this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1270118/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
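The auth.log comparison in the report is the quickest way to tell a broken password-change handoff from a working one: the display manager that drives PAM correctly reaches pam_ldap's chauthtok phase with the same user name that authenticated, the broken one reaches it with user= blank. The script below is an added example, written for this page and not code from the bug report, LightDM or pam_ldap; it parses syslog-style PAM messages and flags any service whose pam_ldap chauthtok call reached nslcd with an empty user after an earlier phase had already identified one. The sample lines are constructed, modelled on the excerpt above, and the message formats it matches (nslcd authentication; user=..., expired password for user ...) are assumed from that excerpt.

```python
"""Flag PAM password-change (chauthtok) calls where pam_ldap reached nslcd
with an empty user name, the symptom shown in the lightdm auth.log excerpt."""
import re

# Constructed sample, modelled on the report's auth.log excerpt: the gdm3 run
# carries the user name into chauthtok, the lightdm run sends user= blank.
SAMPLE_LOG = """\
debian gdm3[10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3[10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3[10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3[10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3[10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3[10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
"""

# Linux-PAM modules log as: pam_<module>(<service>:<phase>): <message>
PAM_LINE = re.compile(
    r"pam_(?P<module>\w+)\((?P<service>[^:()]+):"
    r"(?P<phase>auth|account|chauthtok|session)\): (?P<msg>.*)$"
)
# Message shapes assumed from the excerpt (pam_ldap with nslcd, pam_unix).
NSLCD_USER = re.compile(r"nslcd authentication; user=(?P<user>\S*)$")
EXPIRED = re.compile(r"expired password for user (?P<user>\S+)")


def parse_pam_lines(text):
    """Return one dict (module, service, phase, msg) per PAM log line;
    lines that are not PAM module messages are skipped."""
    records = []
    for line in text.splitlines():
        m = PAM_LINE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def find_blank_chauthtok(text):
    """Return [(service, expected_user), ...] for every service whose pam_ldap
    chauthtok call reached nslcd with an empty user name after the auth or
    account phase had already named the user. A service that hands the name
    through (as gdm3 does in the sample) produces no finding."""
    expected = {}   # service -> user name seen in an earlier phase
    findings = []
    for rec in parse_pam_lines(text):
        service, phase, msg = rec["service"], rec["phase"], rec["msg"]
        if phase in ("auth", "account"):
            m = NSLCD_USER.search(msg) or EXPIRED.search(msg)
            if m and m.group("user"):
                expected[service] = m.group("user")
        elif phase == "chauthtok" and rec["module"] == "ldap":
            m = NSLCD_USER.search(msg)
            if m and m.group("user") == "" and service in expected:
                findings.append((service, expected[service]))
    return findings


if __name__ == "__main__":
    for service, user in find_blank_chauthtok(SAMPLE_LOG):
        print(f"{service}: chauthtok reached nslcd with empty user "
              f"(authenticated user was {user!r})")
```

On a real host, feed it /var/log/auth.log instead of SAMPLE_LOG; a finding against a display manager or passwd is the same condition the reporter saw before the LightDM fix, and the recorded user name tells you which account's change was affected.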

