Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
On Tue, Jan 17, 2017 at 02:46:01PM +0100, Arthur de Jong wrote:
>...
> This fix is pretty simple and a patch is attached for reference. I will
> prepare a fix for unstable and try to get a fix into jessie soon.

ping regarding the jessie fix.

> Thanks,

Thanks
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Control: found -1 nss-pam-ldapd/0.9.4-2
Control: tags -1 + pending

On Mon, 2017-01-16 at 12:55 +0100, Thomas Wallrafen wrote:
> See the attached nslcd.conf file (the version before the
> upgrade).

Thanks for providing the info. I tracked the bug down to a problem in the
parsing of the configuration file. The bug itself was present in
nss-pam-ldapd at least since 0.7.13 but it could only be triggered since
0.9.4-2 if you have a tls_cacertdir option specified.

This option will most likely be ignored on Debian because I understand
that GnuTLS does not use it. It is also not configured by default which
probably explained why this was not found earlier. You can probably
safely remove or comment out the tls_cacertdir option in nslcd.conf
without any ill effects.

This fix is pretty simple and a patch is attached for reference. I will
prepare a fix for unstable and try to get a fix into jessie soon.

Thanks,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --

Index: debian/changelog === --- debian/changelog (revision 2159) +++ debian/changelog (working copy) @@ -3,8 +3,10 @@ * recommend ca-certificate which is needed due to adding tls_cacertfile by default (see #750949) and the checking of tls_cacertfile in 0.9.7 (closes: #836720) + * fix parsing of nslcd.conf tls_cacert option in package configuration +(closes: #851564) - -- Arthur de JongWed, 07 Sep 2016 23:10:45 +0200 + -- Arthur de Jong Tue, 17 Jan 2017 14:42:28 +0100 nss-pam-ldapd (0.9.7-1) unstable; urgency=medium Index: debian/nslcd.config === --- debian/nslcd.config (revision 2157) +++ debian/nslcd.config (working copy) 
@@ -27,7 +27,7 @@ if [ -z "$RET" ] || [ "$force" = "force" ] then # the first part avoids getting options that have an optional MAP parameter -cfgfile_value=`sed -n '/^'"$cfg_param"'[[:space:]]\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/!s/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1` +cfgfile_value=`sed -n '/^'"$cfg_param"'[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/!s/^'"$cfg_param"'[[:space:]][[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1` [ -n "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value" fi # we're done signature.asc Description: This is a digitally signed message part
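Review bot: the debian/changelog entry "fix parsing of nslcd.conf tls_cacert option in package configuration" does not name the user-visible symptom, which in this report is a tls_cacertdir line being stored as the value of nslcd/ldap-cacertfile so that nslcd refuses to start with "tls_cacertfile: too many arguments". Saying so in the entry (for example "fix parsing of nslcd.conf tls_cacert option that misread a tls_cacertdir line as its value") would let jessie users match the changelog to the failure they see.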
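Review bot: the tightened sed expression in debian/nslcd.config only runs inside `if [ -z "$RET" ] || [ "$force" = "force" ]`, so a system whose debconf database already holds `nslcd/ldap-cacertfile string dir /etc/ssl/certs/` from the earlier, buggy run (as in the reporter's debconf-get-selections output) will not re-read nslcd.conf and will keep writing the broken `tls_cacertfile dir /etc/ssl/certs/` line; the fix should also discard or re-validate a stored value that is not a single path, or force the re-read once. The regex change itself is right: with `[[:space:]]*` directly after `$cfg_param` the name could match as a bare prefix, so a lookup of `tls_cacert` matched the line `tls_cacertdir /etc/ssl/certs/` and captured `dir /etc/ssl/certs/` as the value; `[[:space:]][[:space:]]*` requires at least one whitespace character after the name, and applying the same change to the `!` address keeps the MAP guard consistent with the substitution.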
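To make the parsing problem Arthur describes concrete, here is the value extraction from the patched nslcd.config run before and after the fix against a constructed nslcd.conf. This is an added example, not code from the bug thread or from nss-pam-ldapd; it reuses the two sed expressions from the hunk (without the package script's case-insensitive `i` flag), the helper names `cfg_value_old` and `cfg_value_new` are hypothetical, the sample configuration is constructed to resemble the reporter's, and GNU sed is assumed (the `\|` alternation the package script uses is a GNU extension). It also goes one step beyond the report by including a `base group ...` line to show the MAP guard that both expressions share.

```sh
#!/bin/sh
# Added example, not code from nss-pam-ldapd or from the bug thread.
# Reproduces the nslcd.config value extraction before and after the
# Bug#851564 patch against a constructed nslcd.conf. Assumes GNU sed:
# the \| alternation used by the package script is a GNU extension
# (the script's case-insensitive `i` flag is dropped here).
set -e

# Constructed sample configuration modelled on the one in the report.
# "base group ..." carries an optional MAP argument and must be skipped
# when the plain "base" value is looked up.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://host1.redacted
base group ou=groups,dc=auth,dc=redacted
base dc=auth,dc=redacted
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never
EOF

# Map names that may appear as an optional second word of some options.
MAPS='aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow'

# Before the patch: "[[:space:]]*" after the option name may match nothing,
# so a lookup of "tls_cacert" also matches the line "tls_cacertdir ..."
# and captures "dir /etc/ssl/certs/" as the value.
# usage: cfg_value_old OPTION FILE
cfg_value_old() {
    sed -n '/^'"$1"'[[:space:]]\('"$MAPS"'\)[[:space:]]/!s/^'"$1"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/p' "$2" | head -n 1
}

# After the patch: at least one whitespace character must follow the
# option name, so the name has to match as a whole word.
# usage: cfg_value_new OPTION FILE
cfg_value_new() {
    sed -n '/^'"$1"'[[:space:]][[:space:]]*\('"$MAPS"'\)[[:space:]]/!s/^'"$1"'[[:space:]][[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/p' "$2" | head -n 1
}

# Demonstration: the old expression returns a bogus value for tls_cacert,
# the new one returns nothing for tls_cacert and the right value for
# tls_cacertdir; both honour the MAP guard when "base" is looked up.
printf 'old tls_cacert    -> [%s]\n' "$(cfg_value_old tls_cacert "$SAMPLE_CONF")"
printf 'new tls_cacert    -> [%s]\n' "$(cfg_value_new tls_cacert "$SAMPLE_CONF")"
printf 'new tls_cacertdir -> [%s]\n' "$(cfg_value_new tls_cacertdir "$SAMPLE_CONF")"
printf 'new base          -> [%s]\n' "$(cfg_value_new base "$SAMPLE_CONF")"
```

Run it with sh: the old expression yields `dir /etc/ssl/certs/` for `tls_cacert`, which is exactly what ended up in debconf and was then written back as `tls_cacertfile dir /etc/ssl/certs/`; the new expression yields nothing for `tls_cacert` and `/etc/ssl/certs/` for `tls_cacertdir`. A separate point worth noticing in the reporter's configuration: `tls_reqcert never` (and `nslcd/ldap-reqcert select never` in debconf) turns off verification of the ldaps:// servers' certificates, so whatever `tls_cacertfile` or `tls_cacertdir` point to is not used to authenticate the server; once the start-up failure is fixed, that setting deserves a second look.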
Processed: Re: Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Processing control commands:

> found -1 nss-pam-ldapd/0.9.4-2
Bug #851564 [nslcd] nslcd fails to start: postinst sets tls_cacertdir wrong
Marked as found in versions nss-pam-ldapd/0.9.4-2.
> tags -1 + pending
Bug #851564 [nslcd] nslcd fails to start: postinst sets tls_cacertdir wrong
Added tag(s) pending.

-- 
851564: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Hi,

On Mon, Jan 16, 2017 at 12:31:24PM +0100, Arthur de Jong wrote:
> Hi,
> 
> On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> > The aforementioned setting is probably added to the file via the
> > postinstall script of the nslcd package. If one removes the line
> > tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> > runs
> > # dpkg --configure -a
> > the line reappears and nslcd is still unable to start.
> 
> Can you post your whole nslcd.conf file?

See the attached nslcd.conf file (the version before the upgrade). After
the upgrade there is another line added at the end which reads

tls_cacertfile dir /etc/ssl/certs/

> Previously there was a
> tls_cacert option that got renamed to tls_cacertfile. There is also a
> tls_cacertdir option but that should not be used on Debian.
> 
> Also can you provide your debconf settings from
> 
> # debconf-get-selections | grep ^nslcd | grep -v password

output as follows:

nslcd	nslcd/ldap-binddn	string	cn="Ldap Bind",cn=Users,dc=auth,redacted
nslcd	nslcd/ldap-starttls	boolean	false
nslcd	nslcd/disable-screensaver	error
nslcd	nslcd/ldap-sasl-krb5-ccname	string	/var/run/nslcd/nslcd.tkt
nslcd	nslcd/xdm-needs-restart	error
nslcd	nslcd/ldap-base	string	dc=auth,redacted
nslcd	nslcd/ldap-reqcert	select	never
nslcd	nslcd/ldap-sasl-authzid	string
nslcd	nslcd/restart-services	string
nslcd	nslcd/ldap-uris	string	ldaps://host1.redacted ldaps://host2.redacted
nslcd	nslcd/ldap-auth-type	select	simple
nslcd	nslcd/ldap-sasl-authcid	string
nslcd	nslcd/ldap-sasl-realm	string
nslcd	nslcd/ldap-sasl-mech	select
nslcd	libraries/restart-without-asking	boolean	false
nslcd	nslcd/restart-failed	error
nslcd	nslcd/ldap-sasl-secprops	string
nslcd	nslcd/ldap-cacertfile	string	dir /etc/ssl/certs/

Regards
Thomas

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://host1.redacted
uri ldaps://host2.redacted

# The search base that will be used for all queries.
base dc=auth,dc=redacted

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn="Ldap Bind",cn=Users,dc=redacted
bindpw redacted

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never

# The search scope.
scope sub

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Hi,

On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> The aforementioned setting is probably added to the file via the
> postinstall script of the nslcd package. If one removes the line
> tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> runs
> # dpkg --configure -a
> the line reappears and nslcd is still unable to start.

Can you post your whole nslcd.conf file? Previously there was a
tls_cacert option that got renamed to tls_cacertfile. There is also a
tls_cacertdir option but that should not be used on Debian.

Also can you provide your debconf settings from

# debconf-get-selections | grep ^nslcd | grep -v password

Thanks,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Package: nslcd
Version: 0.9.4-3+deb8u2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

after upgrading Debian Jessie to release 8.7 (from 8.6) the package nslcd
is rendered unusable because the nslcd daemon fails to start. The error
message as reported by /var/log/daemon.log is:

Jan 16 11:45:28 v303855 nslcd[20591]: Starting LDAP connection daemon: nslcdnslcd: /etc/nslcd.conf:52: tls_cacertfile: too many arguments

which references the setting

tls_cacertfile dir /etc/ssl/certs/

The aforementioned setting is probably added to the file via the
postinstall script of the nslcd package. If one removes the line
tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and runs

# dpkg --configure -a

the line reappears and nslcd is still unable to start.

Regards
Thomas Wallrafen

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  libc6                  2.19-18+deb8u7
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2          2.4.40+dfsg-1+deb8u2

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.9.5.dfsg-9+deb8u9
ii  ldap-utils                  2.4.40+dfsg-1+deb8u2
iu  libnss-ldapd [libnss-ldap]  0.9.4-3+deb8u2
ii  libpam-ldap                 184-8.7+b1
ii  nscd                        2.19-18+deb8u7
iu  nslcd-utils                 0.9.4-3+deb8u2

Versions of packages nslcd suggests:
pn  kstart

-- debconf information excluded