Control: tags -1 + pending

On Mon, 2021-12-20 at 22:03 +0100, Thomas Fargeix wrote:
> The postinst script of nslcd silently modifies the configuration file
> /etc/nslcd.conf on package upgrades. It rewrites or adds settings
> without notification to the administrator.

Thanks for this report.

> In my case, the script appended "base dc=olddomain,dc=example,dc=org"
> during the dist-upgrade from Buster to Bullseye. After reboot, remote
> and local login to the server was broken except for root due to this
> change.

The base option is used by nslcd for both the post-login check
(pam_authc_search) as well as the authorisation check
(pam_authz_check). If you don't specify one on start-up, nslcd will
contact the LDAP server and try to get one from the server.

It turns out that the debconf scripts were not expecting the base
option to be absent from nslcd.conf, causing an old cached version of
the value to be used.

> It also failed to consider the more precise "bases" that were already
> configured.

The debconf configuration does not support changing these options but
they should be retained on any changes that happen through debconf.

> I would have expected the script to not modify the existing
> configuration or at least to warn me it had been modified.

I've had a quick look into adding logging (which would be nice) but
that would require some restructuring in the postinst script because we
now use sed to change nslcd.conf unconditionally. The postinst is
already overly complex and I would like to avoid making it even longer.

Kind regards,

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
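The thread above turns on one condition: the global "base" option being absent from /etc/nslcd.conf, and the postinst then writing a stale value into the file without telling anyone. The following POSIX sh helpers are an added example, not code from the bug report or from the nss-pam-ldapd package. They let an administrator check a config file for the global base (a "base" line with a single DN argument) and the per-map bases ("base <map> <DN>"), and list which "base" lines differ between a copy of the file taken before an upgrade and the file afterwards. The two sample files, the domain names in them and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the nss-pam-ldapd package.
# Helpers to inspect /etc/nslcd.conf for the "base" option: is a global base
# present, which per-map bases exist, and which "base" lines changed between
# a saved copy of the file and the file after a package upgrade.
export LC_ALL=C   # consistent sort/comm collation

# Global base: a "base" line with exactly one argument. Prints nothing if absent.
nslcd_global_base() {
    awk '$1 == "base" && NF == 2 { print $2; exit }' "$1"
}

# Per-map bases ("base passwd ou=..."): printed as "<map> <dn>".
nslcd_map_bases() {
    awk '$1 == "base" && NF == 3 { print $2, $3 }' "$1"
}

# Exit status 0 if a global base is configured in $1, 1 otherwise.
nslcd_has_global_base() {
    [ -n "$(nslcd_global_base "$1")" ]
}

# "base" lines present in $2 (after) but not in $1 (before): the lines a
# postinst added or rewrote. Temp files keep this POSIX sh (no <(...)).
nslcd_base_changes() {
    _b=$(mktemp) || return 1
    _a=$(mktemp) || { rm -f "$_b"; return 1; }
    grep -E '^[[:space:]]*base[[:space:]]' "$1" | sort > "$_b"
    grep -E '^[[:space:]]*base[[:space:]]' "$2" | sort > "$_a"
    comm -13 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# Short report for one file; exit status mirrors nslcd_has_global_base.
nslcd_base_report() {
    printf 'global base: %s\n' "$(nslcd_global_base "$1")"
    nslcd_map_bases "$1" | while read -r map dn; do
        printf 'map base:    %s -> %s\n' "$map" "$dn"
    done
    nslcd_has_global_base "$1"
}

# Constructed sample files standing in for /etc/nslcd.conf before and after
# an upgrade like the one in the report (domain names are placeholders).
NSLCD_BEFORE=$(mktemp)
NSLCD_AFTER=$(mktemp)
trap 'rm -f "$NSLCD_BEFORE" "$NSLCD_AFTER"' EXIT
cat > "$NSLCD_BEFORE" <<'EOF'
# /etc/nslcd.conf (constructed sample, before upgrade)
uid nslcd
gid nslcd
uri ldap://ldap.example.org/
base passwd ou=People,dc=example,dc=org
base group  ou=Groups,dc=example,dc=org
EOF
cat > "$NSLCD_AFTER" <<'EOF'
# /etc/nslcd.conf (constructed sample, after upgrade)
uid nslcd
gid nslcd
uri ldap://ldap.example.org/
base passwd ou=People,dc=example,dc=org
base group  ou=Groups,dc=example,dc=org
base dc=olddomain,dc=example,dc=org
EOF

if nslcd_base_report "$NSLCD_BEFORE"; then
    echo "global base present before upgrade"
else
    echo "WARNING: no global base before upgrade; debconf may fall back to a cached value"
fi
echo "base lines added or rewritten by the upgrade:"
nslcd_base_changes "$NSLCD_BEFORE" "$NSLCD_AFTER"
```

Run the report against a copy of /etc/nslcd.conf saved before a dist-upgrade and the file afterwards; a missing global base before the upgrade is the situation in which the reply says the old cached debconf value gets written, and the diff shows any "base" line the postinst added or rewrote so it can be reviewed before anyone logs out.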
