libnss-ldap update breaks authentication
package: libnss-ldap
version: 251-7.2
Also referring to libpam-ldap_180-1.6
Hi Stephen,
I just updated in debian testing today, on a system using pam-ldap for authentication, and now I've got new issues that broke authentication for this server. It seems debian has saved certain configurations and overwritten one or both of these settings:
1) /etc/libnss-ldap.conf : rootbinddn
2) the password in etc/libnss-ldap.secret
This breaks the authentication credentials when libnss tries to bind to the slapd server. Certainly the debian package cannot assume during an upgrade that the password or bind DN is still the same as the original install, and should instead leave current settings alone on an upgrade unless it prompts me for the current settings or warns me it will change them.
The libpam-ldap update has also overwritten the "uri" setting in /etc/pam_ldap.conf, and enabled the "host" setting (which is not compatible with uri). This breaks connectivity to the slapd server. I should at least have an option of using "host" or "uri", and at least be prompted before you update the conf file on an upgrade.
None of what you are doing is apparent on an apt-get update/upgrade. There was no prompt whatsoever that you were about to break access to my system. Even most packages I've used in the last 7-8 years on debian do not overwrite critical settings on an upgrade unless they warn me it's happening.
I consider these very serious issues. If it were not for debian testing, there would be no excuse to defend use of debian in a live environment, however this is a very late stage before release and you should be aware of these obvious sorts of problems. I've emailed you about the "uri" problem twice in the last two months. What gives?
Jamie