[Pkg-xfce-devel] Bug#735670: lightdm ask ldap administrator password when changing a password expired

Gabriele Pulzato pecheatwork at gmail.com
Fri Jan 17 11:02:18 UTC 2014


Package: lightdm
Version: 1.2.2-4
Severity: important

Dear Maintainer,
I have a working authentication configuration with LDAP on my Debian
wheezy workstation. Everything works fine except with lightdm when an
LDAP user has to change his password due to expiration. The user is
able to log in, but at the next prompt, instead of asking for the new
password, the LDAP administrator password is asked for. I've seen that
I have the same behaviour when I try to change an LDAP user's password
via passwd as root.
My nslcd configuration doesn't allow the local root user to behave like
the LDAP administrator.
I've tried with the gdm3 greeter and it works; it asks for the new
password and it allows the password to be changed properly.
I've seen this different behaviour in auth.log:

with gdm3:

debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not exist in /etc/passwd

with lightdm:

debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not exist in /etc/passwd
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd

As you can see, the nslcd authentication has the user value set with gdm3.
Lightdm has a blank value instead.

I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
check if it was a greeter problem but the problem remains with both.


-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  consolekit                             0.4.5-3.1
ii  dbus                                   1.6.8-1+deb7u1
ii  debconf [debconf-2.0]                  1.5.49
ii  libc6                                  2.13-38
ii  libglib2.0-0                           2.33.12+really2.32.4-5
ii  libpam0g                               1.1.3-7.1
ii  libxcb1                                1.8.1-2+deb7u1
ii  libxdmcp6                              1:1.1.1-1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.1.6-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+3~deb7u1

Versions of packages lightdm suggests:
ii  accountsservice  0.6.21-8
ii  upower           0.9.17-1

-- Configuration Files:
/etc/lightdm/lightdm.conf changed:
[LightDM]
[SeatDefaults]
xserver-allow-tcp=false
greeter-session=lightdm-greeter
greeter-hide-users=true
user-session=gnome-session
session-wrapper=/etc/X11/Xsession
[XDMCPServer]
[VNCServer]
enabled=true
port=5900
width=1024
height=768
depth=8

/etc/pam.d/lightdm changed:
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password

In addition to these files my configuration is:

nslcd.conf:
uid nslcd
gid nslcd
uri ldap://ldap2
uri ldap://ldap1
base passwd ou=people,dc=myorg
base shadow ou=people,dc=myorg
base group ou=groups,dc=myorg
ldap_version 3
binddn cn=reader,dc=myorg
bindpw readerpass
ssl start_tls
tls_reqcert allow

common-auth:

auth    [success=5 default=ignore]      pam_unix.so nullok_secure debug
auth    [success=3 authinfo_unavail=ignore default=1]   pam_ldap.so minimum_uid=1000 use_first_pass debug
auth    [success=3 default=ignore]  pam_ccreds.so action=validate use_first_pass
auth    [default=bad]   pam_ccreds.so action=update
auth    requisite                       pam_deny.so
auth    [default=ignore]  pam_ccreds.so action=store
auth    required                        pam_permit.so

common-account:

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done authinfo_unavail=1 default=ignore]     pam_ldap.so minimum_uid=1000 debug
account requisite                       pam_deny.so
account required                        pam_permit.so

common-password:

password        [success=2 default=ignore]      pam_unix.so obscure sha512 debug
password        [success=1 new_authtok_reqd=1 default=ignore]   pam_ldap.so minimum_uid=1000 try_first_pass debug
#password       [default=1]     pam_ldap.so minimum_uid=1000 try_first_pass debug
password        requisite                       pam_deny.so
password        required                        pam_permit.so

common-session:

session [default=ok] pam_permit.so
session [default=ignore] pam_unix.so
session [default=ignore] pam_ldap.so minimum_uid=1000
session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022

-- debconf information:
  lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm

Thank you for support.
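
Added example, not part of the original report: a small auth.log check for the symptom shown above, where pam_ldap enters the chauthtok phase with an empty "user=" after the auth phase for the same service carried a user name. The sample lines are constructed in the format quoted in the report; the function name is an assumption of this example.

```python
import re

# Constructed sample: lines in the format quoted in the report above.
SAMPLE_LOG = """\
debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
"""

# pam_<module>(<service>:<phase>): <message>
PAM_LINE = re.compile(
    r"pam_(?P<module>\w+)\((?P<service>[\w.-]+):(?P<phase>\w+)\): (?P<msg>.*)$")
NSLCD_AUTH = re.compile(r"nslcd authentication; user=(?P<user>\S*)")


def find_blank_user_chauthtok(log_text):
    """Return findings where pam_ldap entered chauthtok with an empty user.

    Each finding records the PAM service, the offending line number, and the
    user seen in the most recent auth phase of that service (None if unseen).
    """
    last_auth_user = {}  # service -> user from the most recent auth phase
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PAM_LINE.search(line)
        if not m or m.group("module") != "ldap":
            continue
        a = NSLCD_AUTH.search(m.group("msg"))
        if not a:
            continue
        service, phase, user = m.group("service"), m.group("phase"), a.group("user")
        if phase == "auth":
            last_auth_user[service] = user
        elif phase == "chauthtok" and user == "":
            findings.append({"service": service, "line": lineno,
                             "auth_user": last_auth_user.get(service)})
    return findings


if __name__ == "__main__":
    for f in find_blank_user_chauthtok(SAMPLE_LOG):
        print(f"line {f['line']}: {f['service']} reached pam_ldap chauthtok "
              f"with blank user (auth phase user: {f['auth_user']})")
```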


