Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-08-27 Thread Arthur de Jong
On Fri, 2022-02-18 at 19:11 -0800, Ryan Tandy wrote:
> I removed "pwdMustChange: TRUE" from the policy and then the tests 
> passed. Not sure if this is the correct fix, but at least I don't 
> currently see anything in test_pamcmds.expect that would be expecting
> a forced reset?

Applying this change makes the autopkgtest pass again (this change has
just been merged in Git). That means that the expected functionality of
nss-pam-ldapd is tested properly.

The tests currently don't test the forced password reset by the user
functionality (presence of pwdReset on a user account) and it seems
that exact behaviour differs between LDAP server implementations (the
password policy controls differ and the return code of the BIND
operation may also differ).

It seems that currently nslcd (default configuration) rejects the login
if a password change is needed on OpenLDAP 2.5. This can be worked
around by setting "pam_authc_search NONE" in nslcd.conf which should
not cause issues with most OpenLDAP LDAP servers.

I plan to upload a new version of the package soon. If anyone has any
concerns regarding e.g. insufficient testing of the above use case,
please let me know.

Kind regards,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --





Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-05-27 Thread Petter Reinholdtsen
[Salvatore Bonaccorso 2022-04-25]
> Are there any news on this bug? nss-pam-ldapd is currently hinted for
> removal from testing due to this bug (not happened yet though).

Today the debian-fbx and kwartz-client packages were removed from testing
because they depend on nss-pam-ldapd, due to the latter's RC issue.  Any
hope to have a fixed version of nss-pam-ldapd in unstable soon?
-- 
Happy hacking
Petter Reinholdtsen



Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-04-25 Thread Salvatore Bonaccorso
Hi Arthur,

On Fri, Feb 18, 2022 at 07:11:24PM -0800, Ryan Tandy wrote:
> Hi Arthur,
> 
> sorry for the long delayed followup.
> 
> On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
> > > However the test_pamcmds script fails with the new version. The login
> > > with the correct password fails, the issue seems to be (from
> > > nslcd.log):
> > > 
> > > nslcd: [a88611]  DEBUG: got 
> > > LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > > nslcd: [a88611]  DEBUG: 
> > > myldap_search(base="cn=Veronica 
> > > Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", 
> > > filter="(objectClass=*)")
> > > nslcd: [a88611]  ldap_result() failed: Insufficient 
> > > access: Operations are restricted to bind/unbind/abandon/StartTLS/modify 
> > > password
> > > 
> > > Still looking into it, not sure why the new ppolicy wants the
> > > password changed after it was just reset earlier.
> > 
> > Do you know at which step this failed in the test_pamcmds test? In
> > general I found ppolicy controls during authentication to be somewhat
> > confusing, especially when a password was about to expire or needed to
> > be changed.
> 
> It failed on "testing correct password".
> 
> I think the behaviour change is due to ITS#7084:
> 
> https://bugs.openldap.org/show_bug.cgi?id=7084
> https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8
> 
> With OpenLDAP 2.5, when the user's password is changed in reset_password(),
> they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE
> and the change is done by the administrator. Exactly like you said, the bind
> succeeds but then the search is not permitted. I can't remember whether
> nss-pam-ldapd is supposed to show a "password must be changed now" prompt in
> this case?
> 
> With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding.  I
> think the user is forced to change their password only if pwdMustChange and
> pwdReset are both set.
> 
> I removed "pwdMustChange: TRUE" from the policy and then the tests passed.
> Not sure if this is the correct fix, but at least I don't currently see
> anything in test_pamcmds.expect that would be expecting a forced reset?

Are there any news on this bug? nss-pam-ldapd is currently hinted for
removal from testing due to this bug (not happened yet though).

Regards,
Salvatore



Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2022-02-18 Thread Ryan Tandy

Hi Arthur,

sorry for the long delayed followup.

On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:

However the test_pamcmds script fails with the new version. The login
with the correct password fails, the issue seems to be (from
nslcd.log):

nslcd: [a88611]  DEBUG: got 
LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [a88611]  DEBUG: myldap_search(base="cn=Veronica 
Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
nslcd: [a88611]  ldap_result() failed: Insufficient access: 
Operations are restricted to bind/unbind/abandon/StartTLS/modify password

Still looking into it, not sure why the new ppolicy wants the
password changed after it was just reset earlier.


Do you know at which step this failed in the test_pamcmds test? In
general I found ppolicy controls during authentication to be somewhat
confusing, especially when a password was about to expire or needed to
be changed.


It failed on "testing correct password".

I think the behaviour change is due to ITS#7084:

https://bugs.openldap.org/show_bug.cgi?id=7084
https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8

With OpenLDAP 2.5, when the user's password is changed in 
reset_password(), they get pwdReset: TRUE added, because the policy has 
pwdMustChange: TRUE and the change is done by the administrator. Exactly 
like you said, the bind succeeds but then the search is not permitted. I 
can't remember whether nss-pam-ldapd is supposed to show a "password 
must be changed now" prompt in this case?


With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding.  
I think the user is forced to change their password only if 
pwdMustChange and pwdReset are both set.


I removed "pwdMustChange: TRUE" from the policy and then the tests 
passed. Not sure if this is the correct fix, but at least I don't 
currently see anything in test_pamcmds.expect that would be expecting a 
forced reset?


Ryan



Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2021-11-14 Thread Arthur de Jong
Control: tags -1 + patch

Hi Ryan,

On Fri, 2021-06-04 at 11:19 -0700, Ryan Tandy wrote:
> Hi. The attached patch updates the test slapd config to support
> OpenLDAP 2.5 in addition to 2.4.

Thanks for the patch. I've applied it in the upstream repo and I plan
to make a new release soon.

> However the test_pamcmds script fails with the new version. The login
> with the correct password fails, the issue seems to be (from
> nslcd.log):
> 
> nslcd: [a88611]  DEBUG: got 
> LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> nslcd: [a88611]  DEBUG: myldap_search(base="cn=Veronica 
> Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", 
> filter="(objectClass=*)")
> nslcd: [a88611]  ldap_result() failed: Insufficient 
> access: Operations are restricted to bind/unbind/abandon/StartTLS/modify 
> password
> 
> Still looking into it, not sure why the new ppolicy wants the
> password changed after it was just reset earlier.

Do you know at which step this failed in the test_pamcmds test? In
general I found ppolicy controls during authentication to be somewhat
confusing, especially when a password was about to expire or needed to
be changed.

This heavily depends on the LDAP server implementation but it could be
that the bind operation succeeds (with ppolicy control messages) but
the search that is done afterwards fails (e.g. because the connection
can only be used to change the password). By default nslcd does a
search operation to check whether the bind operation was actually
successful (there are LDAP servers that, for some bind operations, do
not return a proper error but do not have a working session
afterwards). This can be configured with the pam_authc_search option.

Kind regards,

-- 
-- arthur - art...@arthurdejong.org - https://arthurdejong.org/ --
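The ppolicy response control behind the "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)" log line quoted above, and the decision that the pam_authc_search setting discussed in this thread is about, as an added Python example (not code from nss-pam-ldapd or OpenLDAP): it decodes the control's BER value with a small hand-written parser and shows why a client should treat changeAfterReset as "bind succeeded, but only a password change is allowed" instead of running the follow-up search that then fails with "Insufficient access". The sample control values and the function names are constructed for this example, not taken from the bug report.

```python
# Error codes from draft-behera-ldap-password-policy ([1] error field of the control).
PPOLICY_ERRORS = {0: "Password expired", 1: "Account locked",
                  2: "Password must be changed",  # changeAfterReset: pwdReset is set
                  3: "Policy prevents password modification",
                  4: "Policy requires old password", 5: "Password fails quality checks",
                  6: "Password is too short", 7: "Too early to change password",
                  8: "Password in history"}

def _tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue ::= SEQUENCE { warning [0], error [1] }."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("control value must be a SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE: [0] timeBeforeExpiration / [1] graceAuthNsRemaining
            wtag, wval, _ = _tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            result["warning"] = (kind, int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED
            result["error"] = int.from_bytes(inner, "big")
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result

def describe(value):
    """Text in the style of nslcd's 'got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (...)' line."""
    err = parse_ppolicy_response(value)["error"]
    return "No error" if err is None else PPOLICY_ERRORS[err]
def bind_outcome(value):
    """What a PAM client should do after a BIND that succeeded but carried this control."""
    err = parse_ppolicy_response(value)["error"]
    if err is None:
        return "ok"           # safe to run the verification search (pam_authc_search)
    if err == 2:
        return "must_change"  # session only allows a password change: prompt, do not search
    return "fail"
# Constructed sample control values (hex), not captured from the bug's logs:
NO_ERROR = bytes.fromhex("3000")                  # empty SEQUENCE
EXPIRES_SOON = bytes.fromhex("3006A00480020E10")  # warning: 3600 s before expiry
MUST_CHANGE = bytes.fromhex("3003810102")         # error: changeAfterReset (2)
```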





Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2021-06-04 Thread Ryan Tandy
Hi. The attached patch updates the test slapd config to support OpenLDAP 
2.5 in addition to 2.4.


However the test_pamcmds script fails with the new version. The login 
with the correct password fails, the issue seems to be (from nslcd.log):


2.4/good:

nslcd: [a88611]  DEBUG: got 
LDAP_CONTROL_PASSWORDPOLICYRESPONSE (No error)
nslcd: [a88611]  DEBUG: myldap_search(base="cn=Veronica 
Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
nslcd: [a88611]  DEBUG: ldap_result(): cn=Veronica 
Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld

2.5/bad:

nslcd: [a88611]  DEBUG: got 
LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [a88611]  DEBUG: myldap_search(base="cn=Veronica 
Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
nslcd: [a88611]  ldap_result() failed: Insufficient access: 
Operations are restricted to bind/unbind/abandon/StartTLS/modify password

Still looking into it, not sure why the new ppolicy wants the password 
changed after it was just reset earlier.
From 333260bde9b87cdc5362904f46507ea7ca06bc89 Mon Sep 17 00:00:00 2001
From: Ryan Tandy 
Date: Fri, 4 Jun 2021 10:36:23 -0700
Subject: [PATCH] Support running tests with OpenLDAP 2.5

- Change database backend to LMDB
- Load external ppolicy schema conditionally
---
 tests/config.ldif| 16 ++--
 tests/setup_slapd.sh |  4 
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/tests/config.ldif b/tests/config.ldif
index 66ae428..3e1164e 100644
--- a/tests/config.ldif
+++ b/tests/config.ldif
@@ -10,7 +10,7 @@ olcTimeLimit: unlimited
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
 cn: module{0}
-olcModuleLoad: back_bdb
+olcModuleLoad: back_mdb
 olcModuleLoad: ppolicy
 
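Review bot: `olcModuleLoad: ppolicy` stays unconditional while the ppolicy schema include further down becomes conditional; that is consistent only because the overlay module exists under both versions and 2.5 carries the schema inside the overlay, so a one-line comment next to the module list stating that would spare the next reader from wondering why only the include is gated.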
 dn: cn=schema,cn=config
@@ -22,7 +22,7 @@ include: file:///etc/ldap/schema/cosine.ldif
 include: file:///etc/ldap/schema/nis.ldif
 include: file:///etc/ldap/schema/inetorgperson.ldif
 include: file:///etc/ldap/schema/misc.ldif
-include: file:///etc/ldap/schema/ppolicy.ldif
+#PPOLICY#include: file:///etc/ldap/schema/ppolicy.ldif
 
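Review bot: the `#PPOLICY#` prefix is a marker that setup_slapd.sh strips, but nothing in config.ldif says so, and the file is no longer loadable on its own with slapadd without that step; add a comment line above it (worded without the literal marker, since the `sed` strips it globally), e.g. `# the PPOLICY prefix on the next line is removed by setup_slapd.sh when the external schema file exists`.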
 dn: cn=samba,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -83,10 +83,10 @@ olcAccess: to *
   by * break
 olcRootDN: cn=admin,cn=config
 
-dn: olcDatabase={1}bdb,cn=config
+dn: olcDatabase={1}mdb,cn=config
 objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: {1}bdb
+objectClass: olcmdbConfig
+olcDatabase: {1}mdb
 olcDbDirectory: @BASEDIR@/ldapdb
 olcSuffix: dc=test,dc=tld
 olcAccess: to attrs=userPassword
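Review bot: `objectClass: olcmdbConfig` only works because object class names are matched case-insensitively; the class is defined as `olcMdbConfig`, so use the canonical spelling, consistent with the `olcBdbConfig` line it replaces and with what `slapcat -n 0` prints back.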
@@ -106,13 +106,9 @@ olcAccess: to *
 olcRootDN: cn=admin,dc=test,dc=tld
 olcRootPW: test
 olcDbCheckpoint: 512 30
-olcDbConfig: set_cachesize 0 2097152 0
-olcDbConfig: set_lk_max_objects 1500
-olcDbConfig: set_lk_max_locks 1500
-olcDbConfig: set_lk_max_lockers 1500
 olcDbIndex: objectClass eq
 
-dn: olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config
+dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcPPolicyConfig
 olcOverlay: {0}ppolicy
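Review bot: the four removed `olcDbConfig` lines were BDB-only and `olcDbCheckpoint: 512 30` plus `olcDbIndex: objectClass eq` remain valid for back-mdb, but no mdb-specific size is set; consider an explicit `olcDbMaxSize` on the `{1}mdb` database, because back-mdb's default map size is small and the test data includes an `ou=lotsofpeople` tree (see the DN in the nslcd log above).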
diff --git a/tests/setup_slapd.sh b/tests/setup_slapd.sh
index 8f8874f..2534079 100755
--- a/tests/setup_slapd.sh
+++ b/tests/setup_slapd.sh
@@ -94,6 +94,10 @@ case "$2" in
 echo "Loading cn=config..."
 tmpldif=`mktemp -t slapadd.XX`
 sed "s|@BASEDIR@|$basedir|g" < "$srcdir/config.ldif" > "$tmpldif"
+if [ -f /etc/ldap/schema/ppolicy.ldif ]
+then
+  sed -i "s|#PPOLICY#||g" "$tmpldif"
+fi
 slapadd -v -F "$basedir/slapd.d" -b "cn=config" -l "$tmpldif" || (echo " FAILED"; exit 1)
 rm -f "$tmpldif"
 echo "Loading dc=test,dc=tld..."
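Review bot: the `if [ -f /etc/ldap/schema/ppolicy.ldif ]` branch silently decides between the two schema setups; echo which path was taken (e.g. `echo "Including external ppolicy schema..."` inside the `then` block) so the autopkgtest log shows it, which would have made a failure like the `lt_dlopenext failed` one in the initial report quicker to localise. The ordering is fine: the `sed -i` runs after the `@BASEDIR@` substitution and the two patterns do not overlap.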
-- 
2.20.1



Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5

2021-06-02 Thread Sergio Durigan Junior
Source: nss-pam-ldapd
Version: 0.9.11-1
Severity: medium

Hi there!

We're currently working on getting OpenLDAP 2.5 into experimental, so
that we can start slowly working on its migration.  As a side note,
Ubuntu is already planning to ship OpenLDAP 2.5 in the next release
(Impish, 21.10).

While running autopkgtests against openldap's rdeps, I noticed that
nss-pam-ldapd is failing with the following error:

  Creating blank /tmp/slapd.g4Wq6n slapd environment... done.
  Loading cn=config...
  added: "cn=config" (0001)
  lt_dlopenext failed: (back_bdb) file not found
  slapadd: could not add entry dn="cn=module{0},cn=config" (line=10): 
 handler exited with 1
   FAILED
  testsuite: cleaning up...
  Failed to stop pynslcd.service: Unit pynslcd.service not loaded.
  Cleaning /tmp/slapd.g4Wq6n... done.
  testsuite: restoring configuration...
  autopkgtest [23:55:51]: test testsuite: ---]
  autopkgtest [23:55:51]: test testsuite:  - - - - - - - - - - results - - - - - - - - - -
  testsuite            FAIL non-zero exit status 1

You can find the full log here if you're interested:

https://autopkgtest.ubuntu.com/results/autopkgtest-impish-ci-train-ppa-service-4572/impish/amd64/n/nss-pam-ldapd/20210602_235938_b5f64@/log.gz

The reason this fails is because OpenLDAP 2.5 has dropped the BDB
backend.  I believe that the test will need to be ported to LMDB.

Thank you,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/

