Debian Bug report logs - #591773
nslcd: Only suggest libpam-ldapd or list alternatives?

Package: nslcd; Maintainer for nslcd is Arthur de Jong <adejong@debian.org>; Source for nslcd is src:nss-pam-ldapd.

Reported by: Petter Reinholdtsen <pere@hungry.com>

Date: Thu, 5 Aug 2010 13:21:01 UTC

Severity: important

Tags: patch

Found in version nss-pam-ldapd/0.7.7

Fixed in version nss-pam-ldapd/0.7.8

Done: Arthur de Jong <adejong@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#591773; Package nslcd. (Thu, 05 Aug 2010 13:21:04 GMT)

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
New Bug report received and forwarded. Copy sent to Arthur de Jong <adejong@debian.org>. (Thu, 05 Aug 2010 13:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: submit@bugs.debian.org
Subject: nslcd: Only suggest libpam-ldapd or list alternatives?
Date: Thu, 5 Aug 2010 15:18:30 +0200
Package:  nslcd
Version:  0.7.7
Severity: important
Tags:     patch
User:     debian-edu@lists.debian.org
UserTags: debian-edu

I ran into this problem with Debian Edu, where we use LDAP and
Kerberos together.  When installing Debian Edu using debian-installer,
both libpam-ldapd and libpam-krb5 are installed, causing the PAM
configuration to be set up with both LDAP and Kerberos authentication,
when we only want to use Kerberos.

The cause is that our tasksel tasks list both libnss-ldapd and
libpam-krb5 as packages to install, and this causes aptitude to
install libpam-ldapd too.  libpam-ldapd is pulled in because it is
recommended by nslcd, and nslcd is pulled in as a dependency of
libnss-ldapd.

Would it be OK to change the recommend in nslcd on libpam-ldapd to a
suggests, or perhaps change it to something like this:

  Recommends: nscd, libnss-ldapd, libpam-ldapd | libpam-krb5 | libpam-sss

I would like to have libpam-sss listed there too, as we experiment
with libpam-sss on roaming workstations and do not want libpam-ldapd
on that profile either. :)

A more scalable solution might be to introduce a virtual package for
pam modules providing authentication (say pam-authentication), and use

  Recommends: nscd, libnss-ldapd, libpam-ldapd | pam-authentication

after getting libpam-krb5 and libpam-sss to provide such a virtual
package, but I am afraid we in the Debian Edu subgroup do not have
time to wait for such a feature to arrive as we need to have the PAM
setup working properly out of the box before Squeeze freezes.  I
expect trying to introduce a new virtual package name will require
some discussion and coordination, and probably take several months to
complete.

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#591773; Package nslcd. (Sat, 14 Aug 2010 16:21:03 GMT)

Acknowledgement sent to 591773@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Sat, 14 Aug 2010 16:21:03 GMT)

Message #10 received at 591773@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>, 591773@bugs.debian.org
Subject: Re: Bug#591773: nslcd: Only suggest libpam-ldapd or list alternatives?
Date: Sat, 14 Aug 2010 18:18:26 +0200
tags 591773 + pending
thanks

On Thu, 2010-08-05 at 15:18 +0200, Petter Reinholdtsen wrote:
> I ran into this problem with Debian Edu, where we use LDAP and
> Kerberos together.  When installing Debian Edu using debian-installer,
> both libpam-ldapd and libpam-krb5 are installed, causing the PAM
> configuration to be set up with both LDAP and Kerberos authentication,
> when we only want to use Kerberos.
> 
> Would it be OK to change the recommend in nslcd on libpam-ldapd to a
> suggests, or perhaps change it to something like this:
> 
>   Recommends: nscd, libnss-ldapd, libpam-ldapd | libpam-krb5 | libpam-sss

I've merged the recommends from both libnss-ldapd and libpam-ldapd into
those of nslcd. Since both packages depend on nslcd this should
accomplish the same thing and keep the list of PAM alternatives in one
place.

> I would like to have libpam-sss listed there too, as we experiment
> with libpam-sss on roaming workstations and do not want libpam-ldapd
> on that profile either. :)

It has been added to the list. nslcd now has:
Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap
  | libpam-krb5 | libpam-heimdal | libpam-sss

So you are using the nss-pam-ldapd NSS module and sss for PAM? Is this a
reasonable configuration (since sss also provides an NSS module)?

> A more scalable solution might be to introduce a virtual package for
> pam modules providing authentication (say pam-authentication), and use
> 
>   Recommends: nscd, libnss-ldapd, libpam-ldapd | pam-authentication

I'm not sure this will work because sometimes you may want to have
different PAM modules do authentication for different users (e.g. some
users come from LDAP, some from /etc/passwd, some from Samba). For
libnss-ldapd we are only interested in PAM modules that do
authentication for users in LDAP so at the very least pam-authentication
is too broad.

Since squeeze is already frozen I don't think this is the time for such
a change.

Anyway, thanks for pointing this out.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]
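
The effect of the change discussed above on the Debian Edu package selection, as an added example that is not part of the bug report or of nss-pam-ldapd. It uses a simplified resolution rule (an assumption, not apt's or aptitude's real resolver): a relation group is satisfied if any alternative is already selected, otherwise the first alternative is pulled in. The `BEFORE` table is constructed from the report's description of 0.7.7; the `AFTER` line is the one quoted for the fixed package.

```python
def parse_relation(value):
    """Split 'a, b | c (>= 1)' into [['a'], ['b', 'c']]; version constraints are dropped."""
    groups = []
    for clause in value.split(","):
        alts = [alt.split("(")[0].strip() for alt in clause.split("|")]
        alts = [alt for alt in alts if alt]
        if alts:
            groups.append(alts)
    return groups


def auto_installed(selected, depends, recommends):
    """Return the packages pulled in on top of the explicit selection.

    Simplified model (assumption): every alternative group in Depends and
    Recommends must be met; if no alternative is present, take the first one.
    """
    installed = set(selected)
    queue = list(selected)
    while queue:
        pkg = queue.pop()
        for table in (depends, recommends):
            for alts in parse_relation(table.get(pkg, "")):
                if not installed.intersection(alts):
                    installed.add(alts[0])
                    queue.append(alts[0])
    return installed - set(selected)


# Both module packages depend on nslcd (stated in the maintainer's reply).
DEPENDS = {"libnss-ldapd": "nslcd", "libpam-ldapd": "nslcd"}

# Constructed: only the one recommendation the report describes for 0.7.7.
BEFORE = {"nslcd": "libpam-ldapd"}

# Recommends line quoted in the maintainer's reply for the fixed package.
AFTER = {"nslcd": "nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap"
                  " | libpam-krb5 | libpam-heimdal | libpam-sss"}

# Packages the report says the Debian Edu tasksel tasks list.
EDU_TASK = ["libnss-ldapd", "libpam-krb5"]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        extra = auto_installed(EDU_TASK, DEPENDS, table)
        pam = sorted(p for p in extra if p.startswith("libpam-"))
        print(f"{label}: pulled in {sorted(extra)}; unrequested PAM modules: {pam}")
```
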

Added tag(s) pending. Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Sat, 14 Aug 2010 16:21:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#591773; Package nslcd. (Sat, 14 Aug 2010 17:30:06 GMT)

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Sat, 14 Aug 2010 17:30:06 GMT)

Message #17 received at 591773@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 591773@bugs.debian.org
Subject: Re: Bug#591773: nslcd: Only suggest libpam-ldapd or list alternatives?
Date: Sat, 14 Aug 2010 19:27:56 +0200
[Arthur de Jong]
> I've merged the recommends from both libnss-ldapd and libpam-ldapd
> into those of nslcd. Since both packages depend on nslcd this should
> accomplish the same thing and keep the list of PAM alternatives in
> one place.

Great.  I hope you get it into Squeeze, to avoid Debian Edu having to
use a workaround to avoid duplicate pam settings on the machines.

> So you are using the nss-pam-ldapd NSS module and sss for PAM? Is
> this a reasonable configuration (since sss also provides an NSS
> module)?

Actually, we use sss for pam and nss, except for netgroups which is
still not implemented in sss, so we ended up using ldapd for
netgroups. :)

Happy hacking,
-- 
Petter Reinholdtsen




Reply sent to Arthur de Jong <adejong@debian.org>:
You have taken responsibility. (Wed, 18 Aug 2010 20:39:07 GMT)

Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Wed, 18 Aug 2010 20:39:07 GMT)

Message #22 received at 591773-close@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: 591773-close@bugs.debian.org
Subject: Bug#591773: fixed in nss-pam-ldapd 0.7.8
Date: Wed, 18 Aug 2010 20:37:15 +0000
Source: nss-pam-ldapd
Source-Version: 0.7.8

We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.7.8_i386.deb
  to main/n/nss-pam-ldapd/libnss-ldapd_0.7.8_i386.deb
libpam-ldapd_0.7.8_i386.deb
  to main/n/nss-pam-ldapd/libpam-ldapd_0.7.8_i386.deb
nslcd_0.7.8_i386.deb
  to main/n/nss-pam-ldapd/nslcd_0.7.8_i386.deb
nss-pam-ldapd_0.7.8.dsc
  to main/n/nss-pam-ldapd/nss-pam-ldapd_0.7.8.dsc
nss-pam-ldapd_0.7.8.tar.gz
  to main/n/nss-pam-ldapd/nss-pam-ldapd_0.7.8.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 591773@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adejong@debian.org> (supplier of updated nss-pam-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 18 Aug 2010 21:00:00 +0200
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.7.8
Distribution: unstable
Urgency: low
Maintainer: Arthur de Jong <adejong@debian.org>
Changed-By: Arthur de Jong <adejong@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
 libpam-ldapd - PAM module for using LDAP as an authentication service
 nslcd      - Daemon for NSS and PAM lookups using LDAP
Closes: 591773 592104 592320 593404 593491 593501
Changes: 
 nss-pam-ldapd (0.7.8) unstable; urgency=low
 .
   * minor portability improvements and clean-ups (thanks Alexander V.
     Chernikov and Ted C. Cheng)
   * don't expand variables in rest of ${var:-rest} and ${var:+rest}
     expressions if it is not needed (closes: #592320)
   * libpam-ldapd.postinst: offer to add ldap to shadow in nsswitch.conf if
     a potential broken configuration is found (closes: #592104)
     (thanks to Justin B Rye for the template review)
   * merge the suggests of libnss-ldapd and libpam-ldapd into those of the
     nslcd package to have a single consistent list of PAM alternatives
     (closes: #591773)
   * add libpam-sss as an alternative to libpam-ldapd (closes: #591773)
   * upgrade to standards-version 3.9.1 (no changes needed)
   * updated Portuguese debconf translation by Américo Monteir
     (closes: #593404)
   * updated Russian debconf translation by Yuri Kozlov (closes: #593491)
   * added Norwegian Bokmål debconf translation by Bjørn Steensrud
     (closes: #593501)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Sep 2010 07:33:48 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:12:02 2014; Machine Name: beach.debian.org