Bug#588434: libpam-ldap: unable to change password in default configuration

2016-12-15 Thread Evan King

Some details I neglected to mention:

 - Whether pam_encryptfs is installed/configured has no effect.
 - My /etc/nsswitch.conf file is almost identical:

passwd:         files ldap
group:          files ldap
shadow:         files ldap
+gshadow:       files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

The gshadow line is additional on the bad host, but removing it (or 
adding it to the good host) has no effect.


Differences in packages installed related to ldap:

root@goodhost:/etc/pam.d# apt search ldap | grep installed
auth-client-config/xenial,xenial,now 0.9ubuntu1 all [installed,automatic]
curl/xenial-updates,xenial-security,now 7.47.0-1ubuntu2.2 amd64 [installed]
+dovecot-ldap/xenial-updates,now 1:2.2.22-1ubuntu2.2 amd64 [installed]
ldap-auth-client/xenial,xenial,now 0.5.3 all [installed]
ldap-auth-config/xenial,xenial,now 0.5.3 all [installed]
ldap-utils/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
+libaprutil1-ldap/xenial,now 1.5.4-1build1 amd64 [installed,automatic]
+libcurl3/xenial-updates,xenial-security,now 7.47.0-1ubuntu2.2 amd64 [installed,automatic]
libcurl3-gnutls/xenial-updates,xenial-security,now 7.47.0-1ubuntu2.2 amd64 [installed]
libldap-2.4-2/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
libldb1/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed]
libnss-ldap/xenial,now 265-3ubuntu2 amd64 [installed]
libpam-ldap/xenial,now 184-8.7ubuntu1 amd64 [installed]
+libsasl2-modules-ldap/xenial,now 2.1.26.dfsg1-14build1 amd64 [installed]
+monit/xenial,now 1:5.16-2 amd64 [installed]
+php5-ldap/now 5.5.9+dfsg-1ubuntu4.20 amd64 [installed,local]
+postfix-ldap/xenial,now 3.1.0-3 amd64 [installed]
+python-ldap/xenial,now 2.4.22-0.1 amd64 [installed]
python-ldb/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed]
sudo/xenial-updates,now 1.8.16-0ubuntu1.2 amd64 [installed]

root@badhost:/etc/pam.d# apt search ldap | grep installed
auth-client-config/xenial,now 0.9ubuntu1 all [installed,automatic]
curl/xenial-security,xenial-updates,now 7.47.0-1ubuntu2.2 amd64 [installed,automatic]
ldap-auth-client/xenial,now 0.5.3 all [installed,automatic]
ldap-auth-config/xenial,now 0.5.3 all [installed,automatic]
ldap-utils/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
libcurl3-gnutls/xenial-security,xenial-updates,now 7.47.0-1ubuntu2.2 amd64 [installed,automatic]
libldap-2.4-2/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed,automatic]
libldb1/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed,automatic]
libnet-ldap-perl/xenial,now 1:0.6500+dfsg-1 all [installed,automatic]
libnss-ldap/xenial,now 265-3ubuntu2 amd64 [installed]
libpam-ldap/xenial,now 184-8.7ubuntu1 amd64 [installed]
libslp1/xenial,now 1.2.1-11 amd64 [installed,automatic]
python-ldb/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed,automatic]
+slapd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
+slapd-smbk5pwd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
sudo/xenial-updates,now 1.8.16-0ubuntu1.2 amd64 [installed]

I toyed with the possibility that sasl might be the missing piece to no 
avail.  Frankly I hope it's not.


Cheers,
 - Evan


Bug#588434: libpam-ldap: unable to change password in default configuration

2015-02-01 Thread Ilkka Virta
After spending some hours trying to find the cause from my ldap 
configuration, I'm happy to tell you this problem still exists in Debian 
7.8 with the default configuration (generated by pam-auth-update):


/etc/pam.d/common-password:

password  [success=2 default=ignore]                  pam_unix.so obscure use_authtok try_first_pass sha512
password  [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass



As mentioned earlier in this bug, installing libpam-cracklib removes the 
problem. So does removing use_authtok from the pam_ldap.so line in 
/etc/pam.d/common-password.

I don't see either solution mentioned in the docs, and libpam-ldap 
doesn't seem to depend on, recommend or suggest libpam-cracklib either.



I quickly tested what happens if cracklib is installed, but use_authtok 
is removed anyway, and didn't see any new problems appear. But perhaps 
someone who knows PAM better might comment on why use_authtok is 
needed/useful.



libldap-2.4-2:amd64     2.4.31-1+nmu2
libnss-ldap:amd64       264-2.5
libpam-ldap:amd64       184-8.6
libpam-cracklib:amd64   1.1.3-7.1


cheers,

--
Ilkka Virta - itvirta at iki.fi
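
As an added example (not code from the bug report, from Linux-PAM or from pam_ldap), the Python script below walks the password stack Ilkka quotes for a user that exists only in LDAP, under simplified module behaviour that is assumed here rather than established by the thread: pam_unix returns an error for a user that is not in the local files and stores nothing in PAM_AUTHTOK; a module given use_authtok never prompts and only reuses what an earlier module stored; pam_cracklib always prompts and stores the result. The pam_deny/pam_permit tail is the rest of Debian's generated common-password, which the thread does not quote, and is what "success=2" jumps over. The script runs the stack as quoted, then with use_authtok removed from the pam_ldap.so line, then with pam_cracklib stacked first (the two workarounds Ilkka names), and reports the outcome and how many times the user would have been prompted for a new password. The control-flow rules follow pam.conf(5); the typed password and the cracklib arguments are illustrative.

```python
"""Walk the PAM 'password' stack from this bug for an LDAP-only user.

Added example, not code from the bug report, Linux-PAM or pam_ldap.  Module
behaviour is simplified and assumed (see comments); the point it shows is that
a module given use_authtok can only succeed if an earlier module already stored
a new password in the PAM_AUTHTOK item.
"""
import re

BRACKET = re.compile(r"\[(.*?)\]")
# Classic control keywords expressed as [value=action] pairs, per pam.conf(5).
KEYWORDS = {
    "requisite": {"success": "ok", "default": "die"},
    "required": {"success": "ok", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}


def parse_stack(text):
    """Return [(control, module, args)] for the 'password' lines of a PAM file."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "password":
            continue
        m = BRACKET.search(line)
        if m:
            control = dict(kv.split("=", 1) for kv in m.group(1).split())
            module, *args = line[m.end():].split()
        else:
            control = KEYWORDS[parts[1]]
            module, args = parts[2], parts[3:]
        stack.append((control, module, args))
    return stack


def _take_new_password(name, args, state):
    """use_authtok / try_first_pass handling (assumption: pam_unix and pam_ldap
    behave alike here, and use_authtok never prompts on its own)."""
    if state["authtok"] and ("use_authtok" in args or "try_first_pass" in args):
        state["log"].append(f"{name}: reused PAM_AUTHTOK")
        return "success"
    if "use_authtok" in args:
        state["log"].append(f"{name}: use_authtok but PAM_AUTHTOK is empty, giving up")
        return "authtok_err"
    state["prompts"] += 1
    state["authtok"] = state["typed"]
    state["log"].append(f"{name}: prompted for a new password and stored it")
    return "success"


def pam_unix(args, state):
    # Assumption: an LDAP-only user is not in /etc/shadow, so pam_unix fails
    # without storing anything in PAM_AUTHTOK.
    if not state["local_user"]:
        state["log"].append("pam_unix: user not in local files, user_unknown")
        return "user_unknown"
    return _take_new_password("pam_unix", args, state)


def pam_cracklib(args, state):
    # pam_cracklib prompts, strength-checks and stores the result in PAM_AUTHTOK.
    state["prompts"] += 1
    state["authtok"] = state["typed"]
    state["log"].append("pam_cracklib: prompted, checked and stored PAM_AUTHTOK")
    return "success"


MODULES = {
    "pam_unix.so": pam_unix,
    "pam_ldap.so": lambda a, s: _take_new_password("pam_ldap", a, s),
    "pam_cracklib.so": pam_cracklib,
    "pam_deny.so": lambda a, s: "perm_denied",
    "pam_permit.so": lambda a, s: "success",
}


def run_chauthtok(config, local_user=False, typed="N3w-Passw0rd!"):
    """Walk the stack with [value=action] semantics; returns (result, prompts, log)."""
    state = {"local_user": local_user, "authtok": None, "typed": typed, "prompts": 0, "log": []}
    result, i, stack = None, 0, parse_stack(config)
    while i < len(stack):
        control, module, args = stack[i]
        rc = MODULES[module](args, state)
        action = control.get(rc, control.get("default", "bad"))
        i += 1
        if action.isdigit():          # 'success=N': skip the next N modules
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if result in (None, "success"):   # ok/done/bad/die: first failure wins
            result = rc
        if action in ("die", "done"):
            break
    return result or "perm_denied", state["prompts"], state["log"]


# The two lines from the report plus the pam_deny/pam_permit tail of Debian's common-password.
DEFAULT = """
password  [success=2 default=ignore]                  pam_unix.so obscure use_authtok try_first_pass sha512
password  [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password  requisite                                   pam_deny.so
password  required                                    pam_permit.so
"""
NO_USE_AUTHTOK = DEFAULT.replace("pam_ldap.so use_authtok try_first_pass", "pam_ldap.so try_first_pass")
WITH_CRACKLIB = "password  requisite  pam_cracklib.so retry=3 minlen=8 difok=3\n" + DEFAULT

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("no use_authtok", NO_USE_AUTHTOK), ("cracklib first", WITH_CRACKLIB)):
        result, prompts, log = run_chauthtok(cfg)
        print(f"{name}: {result} after {prompts} prompt(s)")
        for entry in log:
            print("   ", entry)
```

In the quoted stack, pam_unix's error is absorbed by default=ignore, so pam_ldap is the first module to run for this user; with use_authtok it finds PAM_AUTHTOK empty and its failure maps to default=die before anyone was asked for a new password. Dropping use_authtok lets pam_ldap prompt itself; stacking pam_cracklib first fills PAM_AUTHTOK before pam_ldap runs. Either way the user is prompted exactly once.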

