Hide Forgot
Description of problem: The automigration comments out critical parts of the configuration file Version-Release number of selected component (if applicable): nss-pam-ldapd-0.7.5-7.el6.x86_64 How reproducible: Every machine I tried it on :( Steps to Reproduce: 1. put custom settings in /etc/nslcd.conf 2. upgrade 3. fail to log in Actual results: nslcd tries to connect to localhost rather than previously defined server Expected results: don't mess with custom settings. Additional info: it commented out these directives: uri, base, base passwd, base shadow, base group, and base hosts and replaces it with: uri ldap://127.0.0.1/ base dc=example,dc=com
What did /etc/nslcd.conf look like before the update was applied?
---- BEFORE: uri ldap://ldap1.dlib.indiana.edu #ldap://ldap2.dlib.indiana.edu base dc=dlib,dc=indiana,dc=edu scope one base passwd ou=people,dc=dlib,dc=indiana,dc=edu base shadow ou=people,dc=dlib,dc=indiana,dc=edu base group ou=groups,dc=dlib,dc=indiana,dc=edu base hosts ou=hosts,dc=dlib,dc=indiana,dc=edu timelimit 120 idle_timelimit 3600 ssl no tls_cacertdir /etc/openldap/cacert ------- ---- After: # uri ldap://ldap1.dlib.indiana.edu #ldap://ldap2.dlib.indiana.edu # base dc=dlib,dc=indiana,dc=edu scope one # base passwd ou=people,dc=dlib,dc=indiana,dc=edu # base shadow ou=people,dc=dlib,dc=indiana,dc=edu # base group ou=groups,dc=dlib,dc=indiana,dc=edu # base hosts ou=hosts,dc=dlib,dc=indiana,dc=edu timelimit 120 idle_timelimit 3600 ssl no tls_cacertdir /etc/openldap/cacert # This comment prevents repeated auto-migration of settings. uri ldap://127.0.0.1/ base dc=example,dc=com -------------
Ah, then the settings were migrated in from /etc/ldap.conf (or /etc/nss-ldapd.conf, or /etc/nss_ldap.conf, or /etc/pam_ldap.conf, most of which system-config-authentication knows to keep up to date) because the comment which is added when that happens wasn't already in /etc/nslcd.conf. Which of the other files was present? Did they contain the right settings?
* nslcd.conf had the correct settings in it * ldap.conf had similar settings (The syntax was different, but the settings were effectively the same) * nss-ldap.conf and nss_ldap.conf don't exist * pam_ldap.conf has the localhost/example.com setup So nslcd.conf and ldap.conf were correct and pam_ldap.conf wasn't (since I use nss for lookups in pam) I'm glad it just commented the lines out (vs erasing them), but it seems that its a bit dangerous to rely on that comment to be in there. I've copied that comment into the setup scripts I use...so that will avoid this issue in the future?
(In reply to comment #5) > I'm glad it just commented the lines out (vs erasing them), but it seems that > its a bit dangerous to rely on that comment to be in there. I've copied that > comment into the setup scripts I use...so that will avoid this issue in the > future? The %post script for the package shouldn't be touching the configuration file if the comment is there, so you should be fine after that. Though it should probably also only happen when the package is first installed.
Nalin, your fix works on i386, but it does not work on 64bit archs (x86_64, s390x and ppc64): 1. yum -y remove nss-pam-ldapd* pam_ldap* 2. rm -f /etc/nslcd.conf* /etc/pam_ldap.conf* 3. getent -s 'passwd:ldap' passwd omoris (return 2, expected) 4. yum -y install pam_ldap pam_ldap.i686 5. cat >/etc/pam_ldap.conf<<EOF uid nslcd gid ldap uri ldap://ldap.corp.redhat.com/ base dc=redhat,dc=com EOF 6. rpm -ihv --force /mnt/qa/scratch/hp-dl180g6-01/2011:11700/tps/new-files*list' 7. service nslcd restart && sleep 5 8. getent -s 'passwd:ldap' passwd omoris' (Expected 0, got 2) Configuration from pam_ldap.conf is not copied into nslcd.conf: /etc/nslcd.conf: # This is the configuration file for the LDAP nameservice # switch library's nslcd daemon. It configures the mapping # between NSS names (see /etc/nsswitch.conf) and LDAP # information in the directory. # See the manual page nslcd.conf(5) for more information. # The uri pointing to the LDAP server to use for name lookups. # Multiple entries may be specified. The address that is used # here should be resolvable without using LDAP (obviously). #uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator uri ldap://127.0.0.1/ # The LDAP version to use (defaults to 3 # if supported by client library) #ldap_version 3 # The distinguished name of the search base. base dc=example,dc=com # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=proxyuser,dc=example,dc=com # The credentials to bind with. # Optional: default is no credentials. # Note that if you set a bindpw you should check the permissions of this file. #bindpw secret # The distinguished name to perform password modifications by root by. #rootpwmoddn cn=admin,dc=example,dc=com # The default search scope. #scope sub #scope one #scope base # Customize certain database lookups. #base group ou=Groups,dc=example,dc=com #base passwd ou=People,dc=example,dc=com #base shadow ou=People,dc=example,dc=com #scope group onelevel #scope hosts sub # Bind/connect timelimit. #bind_timelimit 30 # Search timelimit. #timelimit 30 # Idle timelimit. nslcd will close connections if the # server has not been contacted for the number of seconds. #idle_timelimit 3600 # Use StartTLS without verifying the server certificate. #ssl start_tls #tls_reqcert never # CA certificates for server certificate verification #tls_cacertdir /etc/ssl/certs #tls_cacertfile /etc/ssl/ca.cert # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # NDS mappings #map group uniqueMember member # Mappings for Services for UNIX 3.5 #filter passwd (objectClass=User) #map passwd uid msSFU30Name #map passwd userPassword msSFU30Password #map passwd homeDirectory msSFU30HomeDirectory #map passwd homeDirectory msSFUHomeDirectory #filter shadow (objectClass=User) #map shadow uid msSFU30Name #map shadow userPassword msSFU30Password #filter group (objectClass=Group) #map group uniqueMember msSFU30PosixMember # Mappings for Services for UNIX 2.0 #filter passwd (objectClass=User) #map passwd uid msSFUName #map passwd userPassword msSFUPassword #map passwd homeDirectory msSFUHomeDirectory #map passwd gecos msSFUName #filter shadow (objectClass=User) #map shadow uid msSFUName #map shadow userPassword msSFUPassword #map shadow shadowLastChange pwdLastSet #filter group (objectClass=Group) #map group uniqueMember posixMember # Mappings for Active Directory #pagesize 1000 #referrals off #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) #map passwd uid sAMAccountName #map passwd homeDirectory unixHomeDirectory #map passwd gecos displayName #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) #map shadow uid sAMAccountName #map shadow shadowLastChange pwdLastSet #filter group (objectClass=group) #map group uniqueMember member # Mappings for AIX SecureWay #filter passwd (objectClass=aixAccount) #map passwd uid userName #map passwd userPassword passwordChar #map passwd uidNumber uid #map passwd gidNumber gid #filter group (objectClass=aixAccessGroup) #map group cn groupName #map group uniqueMember member #map group gidNumber gid uid nslcd gid ldap /etc/pam_ldap.conf: uid nslcd gid ldap uri ldap://ldap.corp.redhat.com/ base dc=redhat,dc=com As I have mentioned, on i686 it works fine. The only difference is that on each 64b box one has to install both 64b and 32b version of nss-pam-ldapd and pam_ldap and hence it seems that installation of second nss-pam-ldapd somehow overwrite nslcd.conf back to defaults (it is my guess only).
The nslcd.conf file is marked %config(noreplace), so it shouldn't be overwritten. The %post only migrates the settings if $1 is "1" (indicating that after the transaction is over, only one copy of the package will be installed), which as you've discovered won't trigger if we're installing both versions on a multilib system. Normally I'd suggest moving the multilib piece (the nsswitch module) into a subpackage and making the main package no longer multilib, but I think that would get confusing during upgrades.
(In reply to comment #10) > The nslcd.conf file is marked %config(noreplace), so it shouldn't be > overwritten. The %post only migrates the settings if $1 is "1" (indicating > that after the transaction is over, only one copy of the package will be > installed), which as you've discovered won't trigger if we're installing both > versions on a multilib system. I've put some debug statements into the scriptlets and this is what seems to be happening: 1) nss-pam-ldapd.32bit gets installed. In %post, the $1 is "1" and the config gets migrated 2) nss-pam-ldapd.64bit gets installed and overwrites the config file. In post, the $1 var is "2" (=upgrade), so nothing is migrated I'm not sure why RPM overwrites the config during install of the second package.. Nalin, why not do the migration even on upgrades *if the comment is not found* ? If that doesn't work, can we migrate the config file in %posttrans, maybe based on some flag we set during %post when $1 == 1
(In reply to comment #11) > (In reply to comment #10) > > The nslcd.conf file is marked %config(noreplace), so it shouldn't be > > overwritten. The %post only migrates the settings if $1 is "1" (indicating > > that after the transaction is over, only one copy of the package will be > > installed), which as you've discovered won't trigger if we're installing both > > versions on a multilib system. > > I've put some debug statements into the scriptlets and this is what seems to be > happening: > > 1) nss-pam-ldapd.32bit gets installed. In %post, the $1 is "1" and the config > gets migrated > 2) nss-pam-ldapd.64bit gets installed and overwrites the config file. In post, > the $1 var is "2" (=upgrade), so nothing is migrated > I'm not sure why RPM overwrites the config during install of the second > package.. The file should not be overwritten, as it's marked %config(noreplace). Are you installing both as part of the same transaction, or in two transactions? The right thing appears to happen with the first installation when I install them separately. > Nalin, why not do the migration even on upgrades *if the comment is not found* > ? If the user's doing things manually, nslcd.conf can be correct when pam_ldap.conf isn't, and we'd replace a known-good configuration with defaults which aren't. This is us attempting to avoid that. > If that doesn't work, can we migrate the config file in %posttrans, maybe based > on some flag we set during %post when $1 == 1 Sounds reasonable. We don't appear to have the ability to carry environment settings over from one scriptlet to another, though, so I'm not sure on where you're suggesting that the flags be kept.
(In reply to comment #12) > (In reply to comment #11) > > (In reply to comment #10) > > > The nslcd.conf file is marked %config(noreplace), so it shouldn't be > > > overwritten. The %post only migrates the settings if $1 is "1" (indicating > > > that after the transaction is over, only one copy of the package will be > > > installed), which as you've discovered won't trigger if we're installing both > > > versions on a multilib system. > > > > I've put some debug statements into the scriptlets and this is what seems to be > > happening: > > > > 1) nss-pam-ldapd.32bit gets installed. In %post, the $1 is "1" and the config > > gets migrated > > 2) nss-pam-ldapd.64bit gets installed and overwrites the config file. In post, > > the $1 var is "2" (=upgrade), so nothing is migrated > > I'm not sure why RPM overwrites the config during install of the second > > package.. > > The file should not be overwritten, as it's marked %config(noreplace). Are you > installing both as part of the same transaction, or in two transactions? The > right thing appears to happen with the first installation when I install them > separately. > yum localinstall nss-pam-ldapd.i386 nss-pam-ldapd.x86_64 > > If that doesn't work, can we migrate the config file in %posttrans, maybe based > > on some flag we set during %post when $1 == 1 > > Sounds reasonable. We don't appear to have the ability to carry environment > settings over from one scriptlet to another, though, so I'm not sure on where > you're suggesting that the flags be kept. Then it would have to be in some file, which is ugly and may break things if we failed to clean up this file after a migration, for instance.
Ping... so what? :)
(In reply to comment #14) > Ping... so what? :) Unless Nalin has objections, I'd like to ask the RPM maintainer for suggestions tomorrow. Maybe there's a better solution we're just overlooking.
OK so the RPM maintainer educated me that in RHEL6(*) we have basically two options: 1) the %posttrans hack. Use a file in /var/run as a flag as whether the %posttrans scriptlet already ran or not. Apparently this is used at least by texlive. 2) move the config file (and wheatever else must be on system only once) into a noarch subpackage. In my opinion, 1) is a hack, but probably less work and less probability of things breaking down on upgrade. 2) is technically a better solution, but we would have to handle Provides/Obsoletes correctly which might be fragile. It might also be too late for introducing a new subpackage at this point of 6.2. Thoughts (also from QE as per what's better testable for you) are welcome. * RHEL7 RPM will apparently have the concept of "collections" that solves this use-case better
Jakub, I am definitely for the first proposed solution. Although the second one seems to be clearer, I cannot imagine that we can introduce a new sub-package in the current development/testing phase of RHEL6.2.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1705.html