[Pkg-openldap-devel] Bug#790488: Additional Information
Ryan Tandy
ryan at nardis.ca
Mon Jul 20 22:19:34 UTC 2015
Control: reassign -1 libpam-ldap/184-8.7+b1
Hi,
On Mon, Jul 20, 2015 at 03:36:42PM -0500, William Thomas wrote:
> After various testing, I have determined the issue is with libldap.
> If a wheezy system is upgraded to the backports version
> 2.4.31+really2.4.40+dfsg-1~bpo70+1 it starts to exhibit the behaviour.
> And if a jessie system is downgraded to 2.4.31-2 it stops exhibiting
> the issue.
I expect that what you are seeing is a result of fixing bug #368297.
pam_ldap quite explicitly tries to bind with the rootbinddn first, and
only falls back to binding as the user if that fails:
https://github.com/PADL/pam_ldap/blob/master/pam_ldap.c#L3097
However, the specific combination of a setuid-root program (such as
passwd) and TLS provided by GnuTLS linked against gcrypt is known to be
troublesome (#368297 and many others), because gcrypt unconditionally
drops root privileges if it has them.
This has been fixed in 2.4.40 (jessie and wheezy-backports) by using a
newer gnutls that links nettle instead of gcrypt; however, you're now
exposed to that choice by pam_ldap to prefer to bind as root when
changing passwords.
I'm reassigning this back to libpam-ldap since IMO the correct fix is to
have it prefer to bind as the user when changing its own password.
I would note, though, that lib{pam,nss}-ldap are not really maintained
any more, and it would be a good idea to investigate alternatives such
as lib{pam,nss}-ldapd or sssd.
Hope that helps,
Ryan
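The failure described above needs three things to line up: a rootbinddn in pam_ldap.conf (so pam_ldap attempts the privileged bind first), TLS requested for that connection, and a GnuTLS that pulls in gcrypt rather than nettle. The script below is an added diagnostic written for this thread, not code from the bug report or from pam_ldap; it reads a pam_ldap.conf and a saved `ldd` listing of libldap and reports whether all three conditions hold. The config keys `rootbinddn` and `ssl on`/`ssl start_tls` are the standard pam_ldap.conf directives; the sample config and ldd output used at the bottom are constructed.

```shell
#!/bin/sh
# Diagnostic for the setuid + TLS + gcrypt combination (added example).

# Report which crypto backend the GnuTLS in an ldd listing is linked against:
# "gcrypt", "nettle", "unknown" (GnuTLS present, backend not visible) or
# "none" (no GnuTLS at all, so TLS is not in play here).
tls_backend() {
    # $1: file holding the output of `ldd /path/to/libldap-2.4.so.2`
    if grep -q 'libgnutls' "$1"; then
        if grep -q 'libgcrypt' "$1"; then
            echo gcrypt
        elif grep -q 'libnettle' "$1"; then
            echo nettle
        else
            echo unknown
        fi
    else
        echo none
    fi
}

# Summarise the two pam_ldap.conf settings that matter: whether rootbinddn is
# set (pam_ldap then binds as that DN before falling back to the user) and
# whether TLS is requested ("ssl on" or "ssl start_tls"). Comment lines are
# skipped because they must start with '#'; keys are matched case-insensitively.
root_bind_config() {
    conf="$1"
    rootbind=no
    tls=no
    if grep -Eiq '^[[:space:]]*rootbinddn[[:space:]]+' "$conf"; then
        rootbind=yes
    fi
    if grep -Eiq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$conf"; then
        tls=yes
    fi
    echo "rootbind=$rootbind tls=$tls"
}

# Verdict: "affected" only when a root bind over TLS would go through a
# gcrypt-linked GnuTLS from a setuid program such as passwd; otherwise "ok".
assess() {
    conf="$1"
    ldd_out="$2"
    case "$(root_bind_config "$conf")" in
        "rootbind=yes tls=yes")
            if [ "$(tls_backend "$ldd_out")" = gcrypt ]; then
                echo affected
            else
                echo ok
            fi
            ;;
        *)
            echo ok
            ;;
    esac
}

# Stand-alone usage: assess.sh /etc/pam_ldap.conf ldd-output.txt
if [ "$#" -eq 2 ]; then
    assess "$1" "$2"
fi
```

On a real host, generate the second input with `ldd "$(ldconfig -p | awk '/libldap-2.4.so.2 / {print $NF; exit}')"` and pass it as the second argument; an "affected" verdict means that, until pam_ldap prefers the user bind for its own password change, either the rootbinddn or the gcrypt-linked GnuTLS has to go.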