After upgrading UCS 5.0-7 to UCS 5.2-0 the pam configuration file `/etc/pam.d/common-session-noninteractive` still contains the pam module `pam_ldap.so`. The pam module `pam_ldap.so` is provided by the package `libpam-ldap` which is not available on UCS 5.2-0. During the upgrade from UCS 5.0-7 to UCS 5.2-0, the `libpam-runtime` detects that some of its configuration files (/etc/pam.d/common-*) were adjusted (they were created from UCR templates). Because of that, it decides not to overwrite the config files in `/etc/pam.d/` during the update. `/etc/pam.d/common-session-noninteractive` is the only /etc/pam.d/common-* file that is not generated from a UCR template. All other /etc/pam.d/common-* files get updated by their UCR template during the UCS upgrade. This is the reason why this file is the only one that still contains the `pam_ldap.so` entry. This issue was detected by test `01_base.04check_pam_modules` during the "UCS 5.2 upgrade tests" (jenkins) Generating `/etc/pam.d/common-session-noninteractive` from a UCR template solves this issue.
UCS 5.2: univention-pam (15.0.11) 9817a6e9a064 | Bug #57298: add UCR template for pam config file `/etc/pam.d/common-session-noninteractive`