Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-05-25 Thread Adrian Bunk
On Tue, Jan 17, 2017 at 02:46:01PM +0100, Arthur de Jong wrote:
>...
> This fix is pretty simple and a patch is attached for reference. I will
> prepare a fix for unstable and try to get a fix into jessie soon.

ping regarding the jessie fix.

> Thanks,

Thanks
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-17 Thread Arthur de Jong
Control: found -1 nss-pam-ldapd/0.9.4-2
Control: tags -1 + pending

On Mon, 2017-01-16 at 12:55 +0100, Thomas Wallrafen wrote:
> See the attached ncslcd.conf file (the version before the
> upgrade).

Thanks for providing the info.

I tracked the bug down to a problem in the parsing of the configuration
file. The bug itself was present in nss-pam-ldapd at least since 0.7.13
but it could only be triggered since 0.9.4-2 if you have a
tls_cacertdir option specified.

This option will most likely be ignored on Debian because I understand
that GnuTLS does not use it. It is also not configured by default which
probably explains why this was not found earlier.

You can probably safely remove or comment out the tls_cacertdir option
in nslcd.conf without any ill effects.

This fix is pretty simple and a patch is attached for reference. I will
prepare a fix for unstable and try to get a fix into jessie soon.

Thanks,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Index: debian/changelog
===
--- debian/changelog	(revision 2159)
+++ debian/changelog	(working copy)
@@ -3,8 +3,10 @@
   * recommend ca-certificate which is needed due to adding tls_cacertfile by
 default (see #750949) and the checking of tls_cacertfile in 0.9.7
 (closes: #836720)
+  * fix parsing of nslcd.conf tls_cacert option in package configuration
+(closes: #851564)
 
- -- Arthur de Jong   Wed, 07 Sep 2016 23:10:45 +0200
+ -- Arthur de Jong   Tue, 17 Jan 2017 14:42:28 +0100
 
 nss-pam-ldapd (0.9.7-1) unstable; urgency=medium
 
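Review bot: the new changelog entry names the option whose parsing was fixed (tls_cacert) but not the failure users will search for, namely nslcd refusing to start after the jessie point-release upgrade because a `tls_cacertdir` line was read as the value of `tls_cacert` and written back as `tls_cacertfile dir /etc/ssl/certs/`. Consider wording it along the lines of "fix nslcd.config reading a tls_cacertdir line as the tls_cacert value, which left nslcd unable to start (closes: #851564)" so the entry is self-explanatory.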
Index: debian/nslcd.config
===
--- debian/nslcd.config	(revision 2157)
+++ debian/nslcd.config	(working copy)
@@ -27,7 +27,7 @@
   if [ -z "$RET" ] || [ "$force" = "force" ]
   then
 # the first part avoids getting options that have an optional MAP parameter
-cfgfile_value=`sed -n '/^'"$cfg_param"'[[:space:]]\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/!s/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1`
+cfgfile_value=`sed -n '/^'"$cfg_param"'[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/!s/^'"$cfg_param"'[[:space:]][[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1`
 [ -n "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value"
   fi
   # we're done
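Review bot: the fix is sound, but the reason for it is invisible in the regex itself, so add a comment next to the existing "the first part avoids ..." line. The change replaces `[[:space:]]*` with `[[:space:]][[:space:]]*` in both the exclusion address and the substitution, which means at least one whitespace character must follow `$cfg_param`; with the old expression a lookup of `tls_cacert` also matched a `tls_cacertdir /etc/ssl/certs/` line and returned `dir /etc/ssl/certs/`, which is exactly the bad `nslcd/ldap-cacertfile` debconf value in the reporter's output. A comment such as "require at least one space after the option name so tls_cacert does not match tls_cacertdir" would keep the next person from "simplifying" it back. Purely as a readability point, `[[:space:]]\{1,\}` says the same thing more directly than `[[:space:]][[:space:]]*`.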


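To make the parsing defect Arthur describes concrete, here is an added shell example; it is not code from the nss-pam-ldapd package or from anyone in this thread. It runs the pre-patch and post-patch sed expressions from the nslcd.config hunk above against a constructed nslcd.conf fragment modelled on the attached file, and shows why a lookup of `tls_cacert` picked up the `tls_cacertdir` line. It assumes GNU sed, as the packaging script itself does.

```shell
#!/bin/sh
# Added example, not part of the nss-pam-ldapd package: reproduces the
# nslcd.config lookup from #851564 against a constructed nslcd.conf fragment.
# Assumes GNU sed (the \| alternation and the "ip" flags are GNU extensions),
# as the packaging script itself does.

# Constructed config fragment modelled on the attached file in this thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
uid nslcd
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never
filter passwd (&(objectClass=user)(uidNumber=*))
EOF

# Map names that may follow an option, e.g. "filter passwd ..."; lookups of
# such options are skipped by the first sed address in both variants.
MAPS='aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow'

# Pre-patch expression: "[[:space:]]*" allows zero characters between the
# option name and its value, so looking up "tls_cacert" also matches
# "tls_cacertdir /etc/ssl/certs/" and returns "dir /etc/ssl/certs/".
old_cfg_value() {
  key=$1; cfgfile=$2
  sed -n '/^'"$key"'[[:space:]]\('"$MAPS"'\)[[:space:]]/!s/^'"$key"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1
}

# Post-patch expression: "[[:space:]][[:space:]]*" demands at least one
# whitespace character after the option name, so a longer option that merely
# starts with the same letters no longer matches.
new_cfg_value() {
  key=$1; cfgfile=$2
  sed -n '/^'"$key"'[[:space:]][[:space:]]*\('"$MAPS"'\)[[:space:]]/!s/^'"$key"'[[:space:]][[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1
}

# Side-by-side comparison; "tls_cacert" is the lookup that produced the bad
# "dir /etc/ssl/certs/" debconf value reported in this bug.
for key in tls_cacert tls_cacertdir tls_reqcert filter; do
  printf '%-14s old=[%s]  new=[%s]\n' "$key" \
    "$(old_cfg_value "$key" "$SAMPLE_CONF")" "$(new_cfg_value "$key" "$SAMPLE_CONF")"
done
```

Running it prints one line per option: for `tls_cacert` the old expression yields `dir /etc/ssl/certs/` while the new one yields nothing, and for `tls_cacertdir`, `tls_reqcert` and the map-qualified `filter` both expressions agree. The value that the old expression produced was then written into nslcd.conf as `tls_cacertfile dir /etc/ssl/certs/`, which nslcd rejects as too many arguments, so a configuration-reading bug in a maintainer script is what took the name-service daemon down.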


Processed: Re: Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-17 Thread Debian Bug Tracking System
Processing control commands:

> found -1 nss-pam-ldapd/0.9.4-2
Bug #851564 [nslcd] nslcd fails to start: postinst sets tls_cacertdir wrong
Marked as found in versions nss-pam-ldapd/0.9.4-2.
> tags -1 + pending
Bug #851564 [nslcd] nslcd fails to start: postinst sets tls_cacertdir wrong
Added tag(s) pending.

-- 
851564: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-16 Thread Thomas Wallrafen

Hi,

On Mon, Jan 16, 2017 at 12:31:24PM +0100, Arthur de Jong wrote:
> Hi,
>
> On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> > The aforementioned setting is probably added to the file via the
> > postinstall script of the nslcd package.  If one removes the line
> > tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> > runs
> > # dpkg --configure -a
> > the line reappears and nslcd is still unable to start.
>
> Can you post your whole nslcd.conf file?

See the attached ncslcd.conf file (the version before the
upgrade). After the upgrade there is another line added at the end
which reads
tls_cacertfile dir /etc/ssl/certs/

> Previously there was a
> tls_cacert option that got renamed to tls_cacertfile. There is also a
> tls_cacertdir option but that should not be used on Debian.
>
> Also can you provide your debconf settings from
>
> # debconf-get-selections | grep ^nslcd | grep -v password

output as follows:

nslcd   nslcd/ldap-binddn   string  cn="Ldap Bind",cn=Users,dc=auth,redacted
nslcd   nslcd/ldap-starttls boolean false
nslcd   nslcd/disable-screensaver   error
nslcd   nslcd/ldap-sasl-krb5-ccname string  /var/run/nslcd/nslcd.tkt
nslcd   nslcd/xdm-needs-restart error
nslcd   nslcd/ldap-base string  dc=auth,redacted
nslcd   nslcd/ldap-reqcert  select  never
nslcd   nslcd/ldap-sasl-authzid string
nslcd   nslcd/restart-services  string
nslcd   nslcd/ldap-uris string  ldaps://host1.redacted ldaps://host2.redacted
nslcd   nslcd/ldap-auth-type    select  simple
nslcd   nslcd/ldap-sasl-authcid string
nslcd   nslcd/ldap-sasl-realm   string
nslcd   nslcd/ldap-sasl-mech    select
nslcd   libraries/restart-without-asking    boolean false
nslcd   nslcd/restart-failed    error
nslcd   nslcd/ldap-sasl-secprops    string
nslcd   nslcd/ldap-cacertfile   string  dir /etc/ssl/certs/



Regards

Thomas
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://host1.redacted
uri ldaps://host2.redacted



# The search base that will be used for all queries.
base dc=auth,dc=redacted

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn="Ldap Bind",cn=Users,dc=redacted
bindpw redacted

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never

# The search scope.
scope sub

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
mappasswd uid  sAMAccountName
mappasswd homeDirectory unixHomeDirectory
mappasswd gecos displayName

filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
mapshadow uid  sAMAccountName
mapshadow shadowLastChange pwdLastSet

filter group  (&(objectClass=group)(gidNumber=*))


Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-16 Thread Arthur de Jong
Hi,

On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> The aforementioned setting is probably added to the file via the
> postinstall script of the nslcd package.  If one removes the line
> tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> runs
> # dpkg --configure -a
> the line reappears and nslcd is still unable to start.

Can you post your whole nslcd.conf file? Previously there was a
tls_cacert option that got renamed to tls_cacertfile. There is also a
tls_cacertdir option but that should not be used on Debian.

Also can you provide your debconf settings from

# debconf-get-selections | grep ^nslcd | grep -v password

Thanks,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --




Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong

2017-01-16 Thread Thomas Wallrafen
Package: nslcd
Version: 0.9.4-3+deb8u2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

After upgrading Debian Jessie to release 8.7 (from 8.6), the package nslcd
is rendered unusable because the nslcd daemon fails to start.

The error message as reported by /var/log/daemon.log is:

Jan 16 11:45:28 v303855 nslcd[20591]: Starting LDAP connection daemon:
nslcdnslcd: /etc/nslcd.conf:52: tls_cacertfile: too may arguments

Which references the setting
tls_cacertfile dir /etc/ssl/certs/

The aforementioned setting is probably added to the file via the
postinstall script of the nslcd package.  If one removes the line
tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and runs
# dpkg --configure -a
the line reappears and nslcd is still unable to start.

Regards

Thomas Wallrafen


-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii  adduser3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  libc6  2.19-18+deb8u7
ii  libgssapi-krb5-2   1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2  2.4.40+dfsg-1+deb8u2

Versions of packages nslcd recommends:
ii  bind9-host [host]   1:9.9.5.dfsg-9+deb8u9
ii  ldap-utils  2.4.40+dfsg-1+deb8u2
iu  libnss-ldapd [libnss-ldap]  0.9.4-3+deb8u2
ii  libpam-ldap 184-8.7+b1
ii  nscd2.19-18+deb8u7
iu  nslcd-utils 0.9.4-3+deb8u2

Versions of packages nslcd suggests:
pn  kstart  

-- debconf information excluded