Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
On Fri, 2022-02-18 at 19:11 -0800, Ryan Tandy wrote:
> I removed "pwdMustChange: TRUE" from the policy and then the tests
> passed. Not sure if this is the correct fix, but at least I don't
> currently see anything in test_pamcmds.expect that would be expecting
> a forced reset?

Applying this change makes the autopkgtest pass again (this change has just been merged in Git). That means that the expected functionality of nss-pam-ldapd is tested properly.

The tests currently don't test the forced password reset by the user functionality (presence of pwdReset on a user account) and it seems that exact behaviour differs between LDAP server implementations (the password policy controls differ and the return code of the BIND operation may also differ).

It seems that currently nslcd (default configuration) rejects the login if a password change is needed on OpenLDAP 2.5. This can be worked around by setting "pam_authc_search NONE" in nslcd.conf which should not cause issues with most OpenLDAP LDAP servers.

I plan to upload a new version of the package soon. If anyone has any concerns regarding e.g. insufficient testing of the above use case, please let me know.

Kind regards,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
[Salvatore Bonaccorso 2022-04-25]
> Are there any news on this bug? nss-pam-ldapd is currently hinted for
> removal from testing due to this bug (not happened yet though).

Today the debian-fbx and kwartz-client packages were removed from testing because they depend on nss-pam-ldapd, due to the latter's RC issue.

Any hope to have a fixed version of nss-pam-ldapd in unstable soon?

-- 
Happy hacking
Petter Reinholdtsen
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
Hi Arthur,

On Fri, Feb 18, 2022 at 07:11:24PM -0800, Ryan Tandy wrote:
> Hi Arthur,
> 
> sorry for the long delayed followup.
> 
> On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
> > > However the test_pamcmds script fails with the new version. The login
> > > with the correct password fails, the issue seems to be (from
> > > nslcd.log):
> > > 
> > > nslcd: [a88611] DEBUG: got
> > > LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > > nslcd: [a88611] DEBUG:
> > > myldap_search(base="cn=Veronica
> > > Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld",
> > > filter="(objectClass=*)")
> > > nslcd: [a88611] ldap_result() failed: Insufficient
> > > access: Operations are restricted to bind/unbind/abandon/StartTLS/modify
> > > password
> > > 
> > > Still looking into it, not sure why the new ppolicy wants the
> > > password changed after it was just reset earlier.
> > 
> > Do you know at which step this failed in the test_pamcmds test? In
> > general I found ppolicy controls during authentication to be somewhat
> > confusing, especially when a password was about to expire or needed to
> > be changed.
> 
> It failed on "testing correct password".
> 
> I think the behaviour change is due to ITS#7084:
> 
> https://bugs.openldap.org/show_bug.cgi?id=7084
> https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8
> 
> With OpenLDAP 2.5, when the user's password is changed in reset_password(),
> they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE
> and the change is done by the administrator. Exactly like you said, the bind
> succeeds but then the search is not permitted. I can't remember whether
> nss-pam-ldapd is supposed to show a "password must be changed now" prompt in
> this case?
> 
> With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding. I
> think the user is forced to change their password only if pwdMustChange and
> pwdReset are both set.
> 
> I removed "pwdMustChange: TRUE" from the policy and then the tests passed.
> Not sure if this is the correct fix, but at least I don't currently see
> anything in test_pamcmds.expect that would be expecting a forced reset?

Are there any news on this bug? nss-pam-ldapd is currently hinted for
removal from testing due to this bug (not happened yet though).

Regards,
Salvatore
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
Hi Arthur,

sorry for the long delayed followup.

On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
> > However the test_pamcmds script fails with the new version. The login
> > with the correct password fails, the issue seems to be (from
> > nslcd.log):
> > 
> > nslcd: [a88611] DEBUG: got
> > LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > nslcd: [a88611] DEBUG: myldap_search(base="cn=Veronica
> > Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld",
> > filter="(objectClass=*)")
> > nslcd: [a88611] ldap_result() failed: Insufficient
> > access: Operations are restricted to bind/unbind/abandon/StartTLS/modify
> > password
> > 
> > Still looking into it, not sure why the new ppolicy wants the
> > password changed after it was just reset earlier.
> 
> Do you know at which step this failed in the test_pamcmds test? In
> general I found ppolicy controls during authentication to be somewhat
> confusing, especially when a password was about to expire or needed to
> be changed.

It failed on "testing correct password".

I think the behaviour change is due to ITS#7084:

https://bugs.openldap.org/show_bug.cgi?id=7084
https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8

With OpenLDAP 2.5, when the user's password is changed in reset_password(), they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE and the change is done by the administrator. Exactly like you said, the bind succeeds but then the search is not permitted. I can't remember whether nss-pam-ldapd is supposed to show a "password must be changed now" prompt in this case?

With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding. I think the user is forced to change their password only if pwdMustChange and pwdReset are both set.

I removed "pwdMustChange: TRUE" from the policy and then the tests passed. Not sure if this is the correct fix, but at least I don't currently see anything in test_pamcmds.expect that would be expecting a forced reset?

Ryan
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
Control: tags -1 + patch

Hi Ryan,

On Fri, 2021-06-04 at 11:19 -0700, Ryan Tandy wrote:
> Hi. The attached patch updates the test slapd config to support
> OpenLDAP 2.5 in addition to 2.4.

Thanks for the patch. I've applied it in the upstream repo and I plan to make a new release soon.

> However the test_pamcmds script fails with the new version. The login
> with the correct password fails, the issue seems to be (from
> nslcd.log):
> 
> nslcd: [a88611] DEBUG: got
> LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> nslcd: [a88611] DEBUG: myldap_search(base="cn=Veronica
> Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld",
> filter="(objectClass=*)")
> nslcd: [a88611] ldap_result() failed: Insufficient
> access: Operations are restricted to bind/unbind/abandon/StartTLS/modify
> password
> 
> Still looking into it, not sure why the new ppolicy wants the
> password changed after it was just reset earlier.

Do you know at which step this failed in the test_pamcmds test? In general I found ppolicy controls during authentication to be somewhat confusing, especially when a password was about to expire or needed to be changed.

This heavily depends on the LDAP server implementation but it could be that the bind operation succeeds (with ppolicy control messages) but the search that is done afterwards fails (e.g. because the connection can only be used to change the password).

By default nslcd does a search operation to check whether the bind operation was actually successful (there are LDAP servers that, for some bind operations, do not return a proper error but do not have a working session afterwards). This can be configured with the pam_authc_search option.

Kind regards,

-- 
-- arthur - art...@arthurdejong.org - https://arthurdejong.org/ --
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
Hi. The attached patch updates the test slapd config to support OpenLDAP 2.5 in addition to 2.4. However the test_pamcmds script fails with the new version. The login with the correct password fails, the issue seems to be (from nslcd.log): 2.4/good: nslcd: [a88611] DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (No error) nslcd: [a88611] DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)") nslcd: [a88611] DEBUG: ldap_result(): cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld 2.5/bad: nslcd: [a88611] DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed) nslcd: [a88611] DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)") nslcd: [a88611] ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password Still looking into it, not sure why the new ppolicy wants the password changed after it was just reset earlier. >From 333260bde9b87cdc5362904f46507ea7ca06bc89 Mon Sep 17 00:00:00 2001 From: Ryan Tandy Date: Fri, 4 Jun 2021 10:36:23 -0700 Subject: [PATCH] Support running tests with OpenLDAP 2.5 - Change database backend to LMDB - Load external ppolicy schema conditionally --- tests/config.ldif| 16 ++-- tests/setup_slapd.sh | 4 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/config.ldif b/tests/config.ldif index 66ae428..3e1164e 100644 --- a/tests/config.ldif +++ b/tests/config.ldif @@ -10,7 +10,7 @@ olcTimeLimit: unlimited dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} -olcModuleLoad: back_bdb +olcModuleLoad: back_mdb olcModuleLoad: ppolicy dn: cn=schema,cn=config 
@@ -22,7 +22,7 @@ include: file:///etc/ldap/schema/cosine.ldif include: file:///etc/ldap/schema/nis.ldif include: file:///etc/ldap/schema/inetorgperson.ldif include: file:///etc/ldap/schema/misc.ldif -include: file:///etc/ldap/schema/ppolicy.ldif +#PPOLICY#include: file:///etc/ldap/schema/ppolicy.ldif dn: cn=samba,cn=schema,cn=config objectClass: olcSchemaConfig @@ -83,10 +83,10 @@ olcAccess: to * by * break olcRootDN: cn=admin,cn=config -dn: olcDatabase={1}bdb,cn=config +dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig -objectClass: olcBdbConfig -olcDatabase: {1}bdb +objectClass: olcmdbConfig +olcDatabase: {1}mdb olcDbDirectory: @BASEDIR@/ldapdb olcSuffix: dc=test,dc=tld olcAccess: to attrs=userPassword @@ -106,13 +106,9 @@ olcAccess: to * olcRootDN: cn=admin,dc=test,dc=tld olcRootPW: test olcDbCheckpoint: 512 30 -olcDbConfig: set_cachesize 0 2097152 0 -olcDbConfig: set_lk_max_objects 1500 -olcDbConfig: set_lk_max_locks 1500 -olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq -dn: olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config +dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy diff --git a/tests/setup_slapd.sh b/tests/setup_slapd.sh index 8f8874f..2534079 100755 --- a/tests/setup_slapd.sh +++ b/tests/setup_slapd.sh @@ -94,6 +94,10 @@ case "$2" in echo "Loading cn=config..." tmpldif=`mktemp -t slapadd.XX` sed "s|@BASEDIR@|$basedir|g" < "$srcdir/config.ldif" > "$tmpldif" +if [ -f /etc/ldap/schema/ppolicy.ldif ] +then + sed -i "s|#PPOLICY#||g" "$tmpldif" +fi slapadd -v -F "$basedir/slapd.d" -b "cn=config" -l "$tmpldif" || (echo " FAILED"; exit 1) rm -f "$tmpldif" echo "Loading dc=test,dc=tld..." -- 2.20.1
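Review bot: In the olcDatabase={1}mdb hunk of tests/config.ldif, `+objectClass: olcmdbConfig` should read `olcMdbConfig`, the name the back-mdb configuration schema defines; objectClass values are matched case-insensitively so slapadd accepts it either way, but the canonical spelling is what slapd-config(5) and other cn=config files use and avoids a needless diff against them later.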
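Review bot: The @@ -106,13 +106,9 @@ hunk removes the four BDB-only olcDbConfig lines without adding an olcDbMaxSize for the new mdb database, so slapd uses back-mdb's default map size (10485760 bytes); that is ample for this test data, but a one-line comment saying the default is intentional would save the next reader from checking. Keeping olcDbCheckpoint and olcDbIndex is correct, both are valid for mdb.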
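Review bot: In the tests/setup_slapd.sh hunk the added `if`, `then` and `fi` lines carry no indentation while the `sed -i "s|#PPOLICY#||g" "$tmpldif"` inside them is indented one level; indent the whole block consistently with the surrounding case arm so it reads as part of the "Loading cn=config..." step. The condition itself is sound: /etc/ldap/schema/ppolicy.ldif is only present on the 2.4 layout, so the `#PPOLICY#` marker is stripped exactly when the schema has to be loaded from a file.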
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
Source: nss-pam-ldapd
Version: 0.9.11-1
Severity: medium

Hi there!

We're currently working on getting OpenLDAP 2.5 into experimental, so that we can start slowly working on its migration. As a side note, Ubuntu is already planning to ship OpenLDAP 2.5 in the next release (Impish, 21.10).

While running autopkgtests against openldap's rdeps, I noticed that nss-pam-ldapd is failing with the following error:

Creating blank /tmp/slapd.g4Wq6n slapd environment... done.
Loading cn=config...
added: "cn=config" (0001)
lt_dlopenext failed: (back_bdb) file not found
slapadd: could not add entry dn="cn=module{0},cn=config" (line=10): handler exited with 1
 FAILED
testsuite: cleaning up...
Failed to stop pynslcd.service: Unit pynslcd.service not loaded.
Cleaning /tmp/slapd.g4Wq6n... done.
testsuite: restoring configuration...
autopkgtest [23:55:51]: test testsuite: ---]
autopkgtest [23:55:51]: test testsuite:  - - - - - - - - - - results - - - - - - - - - -
testsuite            FAIL non-zero exit status 1

You can find the full log here if you're interested:

https://autopkgtest.ubuntu.com/results/autopkgtest-impish-ci-train-ppa-service-4572/impish/amd64/n/nss-pam-ldapd/20210602_235938_b5f64@/log.gz

The reason this fails is because OpenLDAP 2.5 has dropped the BDB backend. I believe that the test will need to be ported to LMDB.

Thank you,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/