Re: {,pam_,nss_}ldap.conf

To: tech-pkg%netbsd.org@localhost
Subject: Re: {,pam_,nss_}ldap.conf
From: Edgar Fuß <ef%math.uni-bonn.de@localhost>
Date: Wed, 11 May 2011 16:12:00 +0200

> Yes, this is intentional;
OK.

> nss_ldap and pam_ldap provide the same base options,
> and their specific options are prefixed with nss_ and pam_ respectively.
Yes, I'm aware of this. But I think then pkgsrc should provide a template 
ldap.conf that contains all the nss_ AND pam_ options.
And the MESSAGE should point out that updating from a former version needs 
updating the config file.

> I guess the author's idea was to integrate with OpenLDAP's ldap.conf,
> but our (pkgsrc) OpenLDAP installs ldap.conf in etc/openldap.
Probably yes.

> The benefit of this approach is, for example: when your server's
> parameters has changed, you have only to edit one configuration file.
Yes, I agree this is a benefit. But the drawbacks are:
1. updating can leave your machine in a state where you have to go single-user 
in order to regain access (because PAM fails and/or NSS doesn't know you).
2. every user using both pam_ldap and nss_ldap has to merge the two example 
configs into one.

The first point can be addressed with a MESSAGE file.
While the second is clearly the upstream author's responsibility, I think it 
should nevertheless be patch-fixed in pkgsrc.

References:
- {,pam_,nss_}ldap.conf
  - From: Edgar Fuß
- Re: {,pam_,nss_}ldap.conf
  - From: Adam Ciarciński

Prev by Date: Re: {,pam_,nss_}ldap.conf
Next by Date: Re: OpenIndiana/SunOS binary pkgsrc repository
Previous by Thread: Re: {,pam_,nss_}ldap.conf
Next by Thread: daily pkgsrc CVS update output
Indexes:

Home | Main Index | Thread Index | Old Index